Re: [Sidrops] trying to limit RP processing variability

Martin Hoffmann <> Thu, 09 April 2020 12:06 UTC

Date: Thu, 09 Apr 2020 14:06:54 +0200
From: Martin Hoffmann <>
To: Robert Kisteleki <>
Cc: Stephen Kent <>, "" <>

Robert Kisteleki wrote:
> IMO an "RP has no obvious way to acquire missing objects" is not
> entirely true.
> If, at the previous run, the RP fetched the relevant (now missing)
> object, then I see no reason to not use it again. Think of the
> previous run as an object a cache if you will: if you're looking for
> an object mentioned in the manifest, and you have it already (hash /
> name / etc. matches) then you can reuse it.

That is theoretically possible, but in practice you treat synchronising
and validating repository content as two separate steps. I.e., before
you even start looking at a CA’s repository, you synchronize its
content. This is enshrined in the way both rsync and RRDP work: They
don’t update single files but entire directory trees all at once. This
step includes deleting objects that have been deleted on the server.

Since the complete RPKI repository has a hierarchical structure
following the rsync URIs of objects, many RP implementations keep the
objects in the file system only. This is in particular useful for
rsync: Just let rsync update the directory in place. An additional
bonus of this strategy is that you don’t need a fancy database.

You could, of course, concoct a mechanism that marks files for deletion
and only deletes them if they aren’t actually used in the next
validation run. But, considering that this thread is actually
titled “trying to limit RP processing variability,” I am not sure
this is a good idea. There is a strong likelihood that different
strategies will behave slightly differently. If we really want to
come to a point where every RP implementation produces the same output
from given input, we need to define simple rules that are easy to
implement in a wide range of circumstances.

Another consequence of doing this is that validation on a newly
deployed RP software differs from one that has been running for a
while. As a consequence, the datasets from two different caches
configured in routers differ. So now you even have differences between
caches running the same software.[0]

Kind regards,

[0] Yes, with broken RRDP servers where snapshots differ from a
    sequence of deltas, this can happen too. We should perhaps also
    look into improving the robustness of RRDP.
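The divergence described in this message can be made concrete with a small model. The following Python sketch is an added example; it is not part of this thread, nor code from any RP implementation. It reduces a manifest to a mapping of file names to SHA-256 hashes, models an rsync/RRDP sync as a wholesale replacement of the local tree (deletions included), and then compares a strict "sync, then validate" RP against the "reuse the previous run's object if its hash still matches" strategy from the quoted proposal. Object contents, file names and the manifest are constructed stand-ins (real ROAs and manifests are CMS-signed ASN.1, and signatures, CRLs and validity windows are ignored here).

```python
"""Model of 'sync, then validate' versus reusing objects from the previous run.

Added example; constructed data, not real RPKI objects or any RP's code.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for signed objects.
OBJ_A = b"ROA AS64500 192.0.2.0/24"
OBJ_B = b"ROA AS64500 198.51.100.0/24"
OBJ_B_SUPERSEDED = b"ROA AS64500 198.51.100.0/25"  # an older b.roa with a different hash

# A manifest maps each listed file name to the hash of its expected content.
MANIFEST: Dict[str, str] = {"a.roa": sha256(OBJ_A), "b.roa": sha256(OBJ_B)}


def sync(server_tree: Dict[str, bytes]) -> Dict[str, bytes]:
    """rsync/RRDP step: the local copy becomes the server's tree, deletions included."""
    return dict(server_tree)


def validate(
    manifest: Dict[str, str],
    local_tree: Dict[str, bytes],
    previous_run: Optional[Dict[str, bytes]] = None,
    reuse_previous: bool = False,
) -> Tuple[Dict[str, bytes], List[str], List[str]]:
    """Return (accepted objects, manifest entries that could not be satisfied,
    names that were satisfied only from the previous run's copy)."""
    accepted: Dict[str, bytes] = {}
    missing: List[str] = []
    reused: List[str] = []
    for name, expected_hash in manifest.items():
        data = local_tree.get(name)
        if data is not None and sha256(data) == expected_hash:
            accepted[name] = data
            continue
        # The cache strategy from the quoted proposal: fall back to the previous
        # run's copy, but only if its hash still matches the manifest entry.
        if reuse_previous and previous_run is not None:
            old = previous_run.get(name)
            if old is not None and sha256(old) == expected_hash:
                accepted[name] = old
                reused.append(name)
                continue
        missing.append(name)
    return accepted, missing, reused


def scenario() -> Dict[str, Tuple[List[str], List[str]]]:
    """Run 1: the server publishes a.roa and b.roa.
    Run 2: b.roa has been removed from the server, but the manifest still lists it.
    Compare what three RPs accept in run 2."""
    run1_tree = sync({"a.roa": OBJ_A, "b.roa": OBJ_B})
    run1_accepted, _, _ = validate(MANIFEST, run1_tree)
    run2_tree = sync({"a.roa": OBJ_A})  # the sync deletes b.roa locally

    results: Dict[str, Tuple[List[str], List[str]]] = {}
    # Strict RP: the sync replaced the tree, so b.roa is simply gone.
    acc, miss, _ = validate(MANIFEST, run2_tree)
    results["strict"] = (sorted(acc), miss)
    # Caching RP that has been running since run 1 and kept its objects.
    acc, miss, _ = validate(MANIFEST, run2_tree, run1_accepted, reuse_previous=True)
    results["caching_long_running"] = (sorted(acc), miss)
    # Same caching software, freshly deployed before run 2: nothing to fall back on.
    acc, miss, _ = validate(MANIFEST, run2_tree, {}, reuse_previous=True)
    results["caching_fresh"] = (sorted(acc), miss)
    return results


def same_software_diverges() -> bool:
    """True when two instances of the caching RP disagree purely because of their history."""
    r = scenario()
    return r["caching_long_running"] != r["caching_fresh"]


if __name__ == "__main__":
    for strategy, (accepted, missing) in scenario().items():
        print(f"{strategy:22s} accepted={accepted} missing={missing}")
    print("same software, different output:", same_software_diverges())
```

The strict RP and the freshly deployed caching RP agree with each other, while the long-running caching RP accepts an object neither of the others has, which is the "difference between caches running the same software" point above. The hash check also shows the limit of the reuse strategy: a stale previous copy whose hash no longer matches the manifest is never resurrected.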