Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024

Job Snijders <job@fastly.com> Tue, 06 February 2024 13:03 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD33CC14F712 for <sidrops@ietfa.amsl.com>; Tue, 6 Feb 2024 05:03:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNrcdusH38jJ for <sidrops@ietfa.amsl.com>; Tue, 6 Feb 2024 05:03:35 -0800 (PST)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09CC7C14F6FE for <sidrops@ietf.org>; Tue, 6 Feb 2024 05:03:34 -0800 (PST)
Received: by mail-ej1-x62b.google.com with SMTP id a640c23a62f3a-a372a3773a5so366489666b.3 for <sidrops@ietf.org>; Tue, 06 Feb 2024 05:03:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1707224613; x=1707829413; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=nEe4PU40wal1f5a9MlKvKOHOZP5Pzr22BEwsi9MA+YA=; b=YltdUnEZOTg0Wx8ind9HxS/UPbT+4njmbJ5AxQcvu9igARcTQmaoOTrvb9WYL5n5Q0 2V2wzgFVjiX2dJQFmqAdSXhE1fHhx8Ojs84PiSdP28qx1O+F9TNZk7nFUh34i9mSbmxQ F6YlS8HCzE2ncUb9d0Zloupk0w0HugHaYSCL0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707224613; x=1707829413; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=nEe4PU40wal1f5a9MlKvKOHOZP5Pzr22BEwsi9MA+YA=; b=MDn64WqrloXfGlVOPG0/ayg24ApPtrXbaoi49tAN3tXYBGJm1lQkaHDq86i8l19sO3 U6GvxXkfJyLWsKe7xK0ZdDVKFnCXr6jvjXDXXBeRmrjql8vDlCljkbI4/8Vn2hLHeTy9 5zJGgAZEW7cJu5Apr+8elmBgdOKaH5sJzCzE9sV/HTB/ezFqOGyuYJLiq3QeIIBjQRTB XEX5nycnhPE4jAB+oCCEBfx22ZCQCKOAUVP/QyTBWRYaUc4FYAYl3lQ+imdmJPeJr2W/ 0TTF7wrAJ56oNqzJ4uxpvraGlCTkxIJb0a7OQvisZsvE4CDOf8s68XILoIQZ4iiYGLdQ QEsQ==
X-Gm-Message-State: AOJu0Yx2tKo4zYOL88tjnyeDxsnsu/uljUpOdQOK2ys8b5flQYb0XK53 8Fq98WV7zBJ/v9eN2JawzgILVxAvXZa9rae7y/UnwbH355xkOWA1sU8JCs9Rb8k=
X-Google-Smtp-Source: AGHT+IGNXlv8k4s3eu2KmYJIUcjaqsMvN9WdyaOdHIjGGyWcWnTpBcBGHBR0gGCSScnPNxelFXJxAg==
X-Received: by 2002:a17:906:3b89:b0:a38:2f94:eec4 with SMTP id u9-20020a1709063b8900b00a382f94eec4mr956005ejf.23.1707224613331; Tue, 06 Feb 2024 05:03:33 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCWcQAt9RQlKrTrqspweNPVFmSUIoFHvC/uGA0nYmADOaqN0IA/W/K1aI4BQn9cnPiT7CXHddI8Zn7Fybpd/+XySubGoz17bGe1uLDe1CfTouLZ1HplWgFvD2bzD/T42ohzxz2lZplzUOvCR97i9Ysfah6/88P45beQDYSIpiHJpuPsgjTySXQbXtzXAsx4i9CY7
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id vg11-20020a170907d30b00b00a3702ab71f6sm1124020ejc.206.2024.02.06.05.03.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Feb 2024 05:03:32 -0800 (PST)
Date: Tue, 06 Feb 2024 14:03:31 +0100
From: Job Snijders <job@fastly.com>
To: Ties de Kock <tdekock@ripe.net>
Cc: Russ Housley <housley@vigilsec.com>, IETF SIDRops <sidrops@ietf.org>, IETF SIDRops Chairs <sidrops-chairs@ietf.org>, sidrops-ads@ietf.org, Keyur Patel <keyur@arrcus.com>
Message-ID: <ZcIuI7lS1OtOW_xT@snel>
References: <87h6j1kug1.wl-morrowc@ops-netman.net> <B60D7B39-FA81-45AF-BCBD-2784F91B43C3@vigilsec.com> <ZcFNNfrkMFxKf5hN@snel> <BBE2320C-4525-4713-B4AF-3F00ECD4228A@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BBE2320C-4525-4713-B4AF-3F00ECD4228A@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pizIIL7nnfduk57bsnMOgJ8YQ1Y>
Subject: Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 13:03:39 -0000

On Tue, Feb 06, 2024 at 08:57:59AM +0100, Ties de Kock wrote:
> > On 5 Feb 2024, at 22:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> > Some suggestions for draft-timbru-sidrops-publication-server-bcp-02:
> > 
> > - Make a recommendation to Publishers to not regenerate RRDP content for
> >  every request, nor regenerate previous RRDP deltas when creating a new
> >  snapshot. This might help implementers of RRDP publication software
> >  perceive and treat older RRDP content as immutable. See
> >  https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rrdp-desynchronization/
> >  for more details about mutations in previously published RRDP content.
> 
> I think that it is clear to all that the content of a delta should not
> change after being written for the first time. I think specifying the
> "how" for that process is too prescriptive. For example, your proposed
> method would rule out symlink pivoting for RRDP while you still need
> an atomic mechanism to prevent partial reads of some files - e.g.
> notification.xml.

The notification file (by specification) indeed is mutable.

I think it is helpful to point out that the RRDP deltas really only need
to be generated once, as some implementers seem to have gotten this
wrong in the past.

> In practice, RRDP distribution uses multiple layers of caching
> (generating software -> origin servers -> CDN internal caching nodes
> -> edge). Effectively all write a copy. All can corrupt it. I think
> the hashes in RRDP are the perfect machanism for detecting corruption.
> Personally, I have found a memory corruption issue due to those
> hashes...

Hah, memtest86+ implemented in RRDP ;-)

> > - Perhaps a note could be added about temporarily disabling RRDP
> > being a viable option to conserve bandwidth in (rare) scenarios
> > where the Publication Point operator's network is congested. In
> > low-bandwidth scenarios rsync performs far better than RRDP (a
> > particular race condition in RRDP is avoided, rsync synchronization
> > trivially is resumed). Notwithstanding that both PP and RP side of
> > the house would do well to implement bandwidth conservation
> > strategies such as implementation of HTTP content encoding
> > compression. I do think it is helpful to remind interested readers
> > that ultimately the objective is to /somehow/ serve RPKI data (be it
> > via RRDP or RSYNC) in a timely fashion.
> 
> That is a recommendation that comes with big caveats. While the
> behaviour of RRDP degrades badly (we describe the negative feedback
> loop in the document), in a steady-state situation, rsync uses
> significantly more bandwidth (and IO).

Right, which is why it might be counter-intuitive for Publication Point
operators to realize that temporarily disabling RRDP can help when
bandwidth is scarce, and as such perhaps worth documenting.

> I wonder what the success rate of rsync clients is during fallback in
> a bandwidth-limited scenario. More data on this would help make a
> recommendation.  The fixed cost of transferring file names is high
> (e.g. 640KB for rpki.afrinic.net, 263KB+1.6MB for rpki.apnic.net,
> 5.2MB for rpki.arin.net, 1.2MB for rpki.lacnic.net, 5.5MB for
> rpki.ripe.net) Based on that I would expect many rsync clients to hit
> timeouts as well.

The situation I had in mind was an example from last year, when for one
of the regional internet registries all my alerts cleared within 2 hours
after RRDP was disabled.

You are right to point out that the RRDP notification file usually is
smaller than the rsync filename transfer list, but in turn, the rsync
transfer list is way smaller than the RRDP snapshot.

Kind regards,

Job