Hi all,

On 2019-04-10 12:10:22+02:00 Noah wrote:

+1 and Ack @saul

On Wed, 10 Apr 2019, 12:57 Saul Stein <[email protected]> wrote:
Agreed.

There is a bigger issue at stake here: I have yet to see any evidence that 
AFRINIC takes RPKI seriously.

Until relatively recently, this attitude may have been understandable, since 
the RPKI was largely a curiosity with almost no impact on operations.
This is no longer the case, and all of the RIRs have serious work to do to 
improve operations in this area. This is clearly the case in this region.

The last issue I had, when no ROAs could be added, deleted, etc., it was admitted 
that the issue was known about for over two weeks without anything on the 
announce list or being fixed! After escalation to the CEO and others it was 
fixed in a couple of hours!

As an operator community, we need to have a serious conversation about what we 
expect from AFRINIC (and the other RIRs). 24x7 availability comes with a price 
tag, as everyone on this list should be all too aware.

It is quite clear however, both from recent experience and from the postmortem 
below, that the current system is unfit for purpose.


RPKI is serious and needs to be taken seriously. We can’t continuously be 
having issues with it. It is like customs at immigration being offline!

Maybe we can move this to rpki-discuss, and have a proper conversation about a 
plan of action that the interested members of the community can help refine and 
comment on?

That may prove more productive than waving our metaphors around.

Cheers,

Ben


Cheers
Saul

From: Mark Tinka [mailto:[email protected]]
Sent: 10 April 2019 08:32 AM
To: [email protected]
Subject: Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

Thanks, Cedrick.

A question that is, perhaps, obvious... are you able to take the human 
component out of this? If 2 reminders were not enough to get the humans to act, 
I'm not sure the current methodology is sustainable.

Mark.
On 8/Apr/19 17:46, Cedrick Adrien Mbeyet wrote:
Dear AFRINIC community,

Find below the postmortem report on the incident that happened on 06 April 2019.

The AFRINIC RPKI engine has an offline part that has to be renewed on a monthly 
basis. The process is known and documented, and automated reminders are set. The system 
is set to send 2 reminders each month, one 15 days prior to the expiry date and 
the second one 7 days before expiry. In the 2nd half of March, the monitoring 
system sent a reminder to perform the offline refresh but this was not acted 
upon.


On Saturday 06 April 2019, the Certificate Revocation List (CRL) and the manifest 
file of the AFRINIC RPKI repository expired (around 07:24AM UTC). Our monitoring 
system picked this up. The immediate action was to generate new certificates 
and a new manifest file and upload them onto the RPKI engine system.

The failure was a result of human error; no changes were made on the system, 
but we have taken additional steps to the existing process to ensure that this 
does not happen again. We do acknowledge that it is unacceptable to have such a 
failure with critical infrastructure and necessary done in this regard.


We do apologize for the inconvenience caused and thank you for your patience in 
this regard.

--

_______________________________________________________________

Cedrick Adrien Mbeyet

Infrastructure Unit Manager, AFRINIC Ltd.

t: +230 403 5100 / 403 5115 | f: +230 466 6758 | tt: @afrinic | w: www.afrinic.net

facebook.com/afrinic | flickr.com/afrinic | youtube.com/afrinicmedia

______________________________________________________
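
The expiry described in the postmortem above can be detected from the published CRL itself, independently of calendar reminders. The following is an added example, not AFRINIC's code or tooling: it reads `nextUpdate` from a DER-encoded CRL and maps the time remaining onto the 15-day and 7-day marks named in the report. The function names, stage names and the sample CRL skeleton are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def crl_next_update(der):
    """Return nextUpdate from a DER CRL (RFC 5280 TBSCertList) as a UTC datetime."""
    _, start, _ = _tlv(der, 0)        # outer CertificateList SEQUENCE
    _, pos, end = _tlv(der, start)    # tbsCertList SEQUENCE
    times = []
    while pos < end and len(times) < 2:
        tag, vs, ve = _tlv(der, pos)
        if tag in (0x17, 0x18):       # UTCTime / GeneralizedTime
            # %y follows Python's century pivot, adequate for current dates
            fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
            stamp = datetime.strptime(der[vs:ve].decode("ascii"), fmt)
            times.append(stamp.replace(tzinfo=timezone.utc))
        elif times:
            break                     # thisUpdate seen, but no nextUpdate follows
        pos = ve                      # skip the whole field, nested content included
    if len(times) < 2:
        raise ValueError("CRL carries no nextUpdate")
    return times[1]

def staleness(next_update, now, warn=timedelta(days=15), page=timedelta(days=7)):
    """Map time-to-expiry onto stages; 15 and 7 days are the report's reminder marks."""
    left = next_update - now
    if left <= timedelta(0):
        return "EXPIRED"
    if left <= page:
        return "PAGE"                 # assumed stage: page on-call, not just e-mail
    return "WARN" if left <= warn else "OK"

def _der(tag, body):                  # short-form encoder, only for the sample below
    return bytes([tag, len(body)]) + body

# Constructed, unsigned CRL skeleton: version, empty algorithm and issuer
# placeholders, a made-up thisUpdate, and nextUpdate = 2019-04-06 07:24 UTC.
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"")
                  + _der(0x30, b"") + _der(0x17, b"190307072400Z")
                  + _der(0x17, b"190406072400Z")))

if __name__ == "__main__":
    nu = crl_next_update(SAMPLE_CRL)
    print(nu.isoformat(), staleness(nu, datetime(2019, 4, 1, tzinfo=timezone.utc)))
```

The parser does not verify the CRL signature; it only answers how long the published object remains current, which is the condition that lapsed here.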




_______________________________________________
Community-Discuss mailing list
[email protected]
https://lists.afrinic.net/mailman/listinfo/community-discuss