[Sidrops] Fwd: Upcoming LACNIC RPKI Migration

Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> Mon, 08 April 2024 20:24 UTC

From: Carlos Martinez-Cagnazzo <carlosm3011@gmail.com>
Date: Mon, 08 Apr 2024 17:23:43 -0300
Message-ID: <CA+z-_EXGUjAFE46PFSviRPazWvj1S4mQ=_R8Vj=KHC=NkBCZtQ@mail.gmail.com>
To: SIDR Operations WG <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/nxC1fegerKz4Y1POyxl1V8vYJAs>
Subject: [Sidrops] Fwd: Upcoming LACNIC RPKI Migration

FYI, as shared to NANOG and other relevant NOGs.

---------- Forwarded message ---------
From: Carlos Martinez-Cagnazzo <carlosm3011@gmail.com>
Date: Mon, Apr 8, 2024 at 5:18 PM
Subject: Upcoming LACNIC RPKI Migration
To: NANOG <nanog@nanog.org>


Hello all,

On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will
be migrating from our current legacy RPKI CA system to a new
Krill-based RPKI core.

In most cases no action will be required on your part (see below for
some special cases). What follows is a list of events that will take
place at the mentioned time and that may be of interest to you.

    * Our TAL file won't change at this time. There is no need to
change anything in your current RP configuration.

    * Our RTA certificate, while keeping the old key, will point to a
new manifest.

From the outside, what RPs will see is the following sequence of events:

    * At some time T0 all our current servers (both RRDP and rsync)
will be shut down, returning "connection refused" for both http and
rsync.
    * New values for the DNS records will be published (same names,
different IPs).
    * At approximately T0+30min the servers listening on the new IPs
will be started and will start serving the repository as produced by
the new Krill-based system.
    * When they first connect, RPs will see a new RRDP session and will
take it from there.

We have tested this migration flow using a set of Docker containers
plus a DNS server container running dnsmasq, which allows us to
modify records on the fly. In all the cases we tested, this flow works
just fine.

We have tested this migration flow with the following RPs:

      * rpki-client from “latest” all the way back to 8.2.
      * routinator from “latest” all the way back to 0.8.
      * fort from “latest” all the way back to 1.5.0.

What we have not tested:

      * RIPE rpki validator: it’s been deprecated for three years. You
shouldn’t be running this and you know it :-) In any case, it should
work.
      * OctoRPKI: also recently deprecated.
      * Rpki-prover.
      * RIPSTR.

All of the above should work. However, bear in mind the following: if
you are running any of the above and you notice issues, just clear the
local cache, launch a clean instance of your RP and you should be
fine.

We have set up a specific email inbox for this migration work:
rpki-migracion@lacnic.net. It will be closely monitored during April
15 and the following days. It will be phased out once we are confident
all issues that may arise have been addressed.

For those interested, the new servers are already online and can be
used to validate. These can be reached at:

      * lb-us-mia.rrdp.lacnic.net
      * lb-us-southeast.rrdp.lacnic.net
      * lb-br-gru.rrdp.lacnic.net

Don’t expect to see the exact same VRPs as you see now on our current
production server as minor differences are expected. Don’t hardcode
this either, as during the migration “rrdp.lacnic.net” will be made to
point to these servers and eventually these names may change and/or
new ones may be added.

Thank you all!

/Carlos


-- 
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.me
=========================
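The last step in the sequence above (RPs seeing a new RRDP session and "taking it from there") is the RFC 8182 rule that a session_id change in the notification file forces a fresh snapshot fetch. The following is an added example, not part of Carlos's message and not LACNIC's or Krill's code, that models that decision; the two notification documents, their session ids, URIs and hashes are constructed placeholders.

```python
# Added example (not LACNIC's or Krill's code): model the RFC 8182 rule an RP
# applies when the RRDP notification file's session_id changes, which is what
# RPs observe when a new Krill repository replaces the legacy one.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

NS = "{http://www.ripe.net/rpki/rrdp}"

@dataclass
class Notification:
    session_id: str
    serial: int
    snapshot_uri: str
    deltas: dict = field(default_factory=dict)  # delta serial -> delta uri

def parse_notification(xml_text: str) -> Notification:
    """Parse an RRDP version 1 notification document (RFC 8182 section 3.5.1)."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP version 1 notification file")
    snap = root.find(NS + "snapshot")
    if snap is None:
        raise ValueError("notification lacks a snapshot element")
    deltas = {int(d.get("serial")): d.get("uri") for d in root.findall(NS + "delta")}
    return Notification(root.get("session_id"), int(root.get("serial")),
                        snap.get("uri"), deltas)

def plan_update(cached: Optional[Notification], current: Notification) -> str:
    """Return 'noop', 'deltas' or 'snapshot' as the RP's next action."""
    if cached is None or cached.session_id != current.session_id:
        return "snapshot"   # new session: discard cached state, fetch the snapshot
    if current.serial == cached.serial:
        return "noop"
    if current.serial < cached.serial:
        return "snapshot"   # serial went backwards inside a session: resync
    wanted = range(cached.serial + 1, current.serial + 1)
    return "deltas" if all(s in current.deltas for s in wanted) else "snapshot"

# Constructed sample notifications (placeholder session ids, URIs and hashes).
LEGACY = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
 session_id="3ed4f3f4-0000-4000-8000-000000000001" serial="120">
 <snapshot uri="https://rrdp.example.net/120/snapshot.xml" hash="00"/>
 <delta serial="120" uri="https://rrdp.example.net/120/delta.xml" hash="00"/>
</notification>"""
KRILL = LEGACY.replace("000000000001", "000000000002").replace('serial="120"', 'serial="3"')

def migration_plan() -> str:
    """What an RP still holding the legacy session does after the cut-over."""
    return plan_update(parse_notification(LEGACY), parse_notification(KRILL))
```

Clearing the local cache, as the message recommends for RPs that misbehave, is equivalent to the `cached is None` branch: the RP starts from the new snapshot.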