Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024

Tim Bruijnzeels <tbruijnzeels@ripe.net> Tue, 06 February 2024 16:20 UTC

Return-Path: <tbruijnzeels@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 237F4C14CE4D; Tue, 6 Feb 2024 08:20:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GY7zxZiUuQx8; Tue, 6 Feb 2024 08:19:58 -0800 (PST)
Received: from mail-mx-2.ripe.net (mail-mx-2.ripe.net [IPv6:2001:67c:2e8:11::c100:1312]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E298AC151062; Tue, 6 Feb 2024 08:19:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=Zbhp8hOnEV9cka8MdZXowEYNEuF7sI92S0mkNxHy+1I=; b=IDIqfivdbARRWHEVY8Ulwveb /f6DWcN7wx8T7CU3DPgCHh1TOiFnR/4v3vuTzc9LrrNraCrVboucT+VwjdMPvTs1rHEtGXqrPM6P9 OSIg1cZZbllQDP240yt6lX2zaAuQP/LGd9BVP5h4zh+P2wcbln1APKbuAhdAottqYy7LuA8wzueh5 edEkCKj2Tjvt52Gc7HzrfM00L77krDIfq/SWmI0xU1zPr8dDotyx0EJndy8JDyYH3Wo9w1PI5Hndg fU6nXAYQf0Z+MKJQuEP+6avBZMq0U1oIyHFnlVude871lVlH0S3c4hNWGi2Rr8MrrqgU43HB3/sbb w8BNqqEB0g==;
Received: from imap-01.ripe.net ([2001:67c:2e8:23::c100:170e]:49392) by mail-mx-2.ripe.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tbruijnzeels@ripe.net>) id 1rXOAL-00Ambo-1p; Tue, 06 Feb 2024 16:19:21 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by imap-01.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tbruijnzeels@ripe.net>) id 1rXOAL-00BPur-1V; Tue, 06 Feb 2024 16:19:21 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
From: Tim Bruijnzeels <tbruijnzeels@ripe.net>
In-Reply-To: <ZcIuI7lS1OtOW_xT@snel>
Date: Tue, 06 Feb 2024 17:19:11 +0100
Cc: Ties de Kock <tdekock@ripe.net>, Russ Housley <housley@vigilsec.com>, IETF SIDRops <sidrops@ietf.org>, IETF SIDRops Chairs <sidrops-chairs@ietf.org>, sidrops-ads@ietf.org, Keyur Patel <keyur@arrcus.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EFFA95AA-F07D-490B-BEC3-0446ED2D3AA2@ripe.net>
References: <87h6j1kug1.wl-morrowc@ops-netman.net> <B60D7B39-FA81-45AF-BCBD-2784F91B43C3@vigilsec.com> <ZcFNNfrkMFxKf5hN@snel> <BBE2320C-4525-4713-B4AF-3F00ECD4228A@ripe.net> <ZcIuI7lS1OtOW_xT@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
X-RIPE-Signature: 7105a661eeefe5d5c9c241e9d0d5d890c354be507503697545fff69cd242510a
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/dJ_x50JBSseGDYr8y4e28jlYSKM>
Subject: Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 16:20:02 -0000

Hi,

> On Feb 6, 2024, at 14:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> On Tue, Feb 06, 2024 at 08:57:59AM +0100, Ties de Kock wrote:
>>> On 5 Feb 2024, at 22:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
>>> Some suggestions for draft-timbru-sidrops-publication-server-bcp-02:
>>> 
>>> - Make a recommendation to Publishers to not regenerate RRDP content for
>>> every request, nor regenerate previous RRDP deltas when creating a new
>>> snapshot. This might help implementers of RRDP publication software
>>> perceive and treat older RRDP content as immutable. See
>>> https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rrdp-desynchronization/
>>> for more details about mutations in previously published RRDP content.
>> 
>> I think that it is clear to all that the content of a delta should not
>> change after being written for the first time. I think specifying the
>> "how" for that process is too prescriptive. For example, your proposed
>> method would rule out symlink pivoting for RRDP while you still need
>> an atomic mechanism to prevent partial reads of some files - e.g.
>> notification.xml.
> 
> The notification file (by specification) indeed is mutable.
> 
> I think it is helpful to point out that the RRDP deltas really only need
> to be generated once, as some implementers seem to have gotten this
> wrong in the past.

To the best of my knowledge no RRDP implementation has intentionally
regenerated deltas. There have been issues where a server was restored
from backup to an earlier state and it was unaware of the state changes
since the backup.

So, I would like to include text in this BCP that instructs the Publication
Server to perform a full RRDP session reset in case they restored from
backup.

>> In practice, RRDP distribution uses multiple layers of caching
>> (generating software -> origin servers -> CDN internal caching nodes
>> -> edge). Effectively all write a copy. All can corrupt it. I think
>> the hashes in RRDP are the perfect machanism for detecting corruption.
>> Personally, I have found a memory corruption issue due to those
>> hashes...
> 
> Hah, memtest86+ implemented in RRDP ;-)
> 
>>> - Perhaps a note could be added about temporarily disabling RRDP
>>> being a viable option to conserve bandwidth in (rare) scenarios
>>> where the Publication Point operator's network is congested. In
>>> low-bandwidth scenarios rsync performs far better than RRDP (a
>>> particular race condition in RRDP is avoided, rsync synchronization
>>> trivially is resumed). Notwithstanding that both PP and RP side of
>>> the house would do well to implement bandwidth conservation
>>> strategies such as implementation of HTTP content encoding
>>> compression. I do think it is helpful to remind interested readers
>>> that ultimately the objective is to /somehow/ serve RPKI data (be it
>>> via RRDP or RSYNC) in a timely fashion.
>> 
>> That is a recommendation that comes with big caveats. While the
>> behaviour of RRDP degrades badly (we describe the negative feedback
>> loop in the document), in a steady-state situation, rsync uses
>> significantly more bandwidth (and IO).
> 
> Right, which is why it might be counter-intuitive for Publication Point
> operators to realize that temporarily disabling RRDP can help when
> bandwidth is scarce, and as such perhaps worth documenting.
> 
>> I wonder what the success rate of rsync clients is during fallback in
>> a bandwidth-limited scenario. More data on this would help make a
>> recommendation.  The fixed cost of transferring file names is high
>> (e.g. 640KB for rpki.afrinic.net, 263KB+1.6MB for rpki.apnic.net,
>> 5.2MB for rpki.arin.net, 1.2MB for rpki.lacnic.net, 5.5MB for
>> rpki.ripe.net) Based on that I would expect many rsync clients to hit
>> timeouts as well.
> 
> The situation I had in mind was an example from last year, when for one
> of the regional internet registries all my alerts cleared within 2 hours
> after RRDP was disabled.
> 
> You are right to point out that the RRDP notification file usually is
> smaller than the rsync filename transfer list, but in turn, the rsync
> transfer list is way smaller than the RRDP snapshot.

I am in two minds about this.

I think the BCP should not recommend disabling rsync, it should
recommend that enough bandwidth is available and/or a CDN is
used.

The problem happens when this cannot be done. In that case RRDP
degrades badly, as described in the document, because all RPs
fall back to full snapshots. This makes the bandwidth load worse.

In the case of your example there were higher layer (non-technical)
reasons why the bandwidth capacity could not be increased and
a CDN could not be used at the time.

In this specific case disabling RRDP helped because even though
there could still be bandwidth issues affecting RPs this allowed
enough of them to perform a sync so that subsequent data usage
was reduced.

So, yes disabling RRDP helped here, but no, I don’t think it should
be recommended best practice. I want to think about wording that
captures this...

Kind regards,
Tim

> 
> Kind regards,
> 
> Job
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>