Re: Upcoming LACNIC RPKI Migration

2024-04-16 Thread Alex Band
Hi Carlos,

Congrats to you and the team for the smooth migration. 

I can speak for all of us at NLnet Labs that we’re super proud that LACNIC is 
now running Krill. 

Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the 
years of hard work on our open-source RPKI project – and for ironing out a 
small bump yesterday together with NIC.br after the switch-over. 

Cheers,

Alex


> On 15 Apr 2024, at 16:24, Carlos Martinez-Cagnazzo wrote:
> 
> Hi all, it's me again.
> 
> The switch is complete. Thank you all for your patience.
> 
> /Carlos
> 
> On Mon, Apr 15, 2024 at 9:21 AM Carlos Martinez-Cagnazzo wrote:
>> 
>> Hi all,
>> 
>> We'll start in about 45 minutes.
>> 
>> /Carlos
>> 
>> On Mon, Apr 8, 2024 at 5:18 PM Carlos Martinez-Cagnazzo wrote:
>>> 
>>> Hello all,
>>> 
>>> On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will
>>> be migrating from our current legacy RPKI CA system to a new
>>> Krill-based RPKI core.
>>> 
>>> In most cases no action will be required on your part (see below for
>>> some special cases). What follows is a list of events that will take
>>> place at the mentioned time and that may be of interest to you.
>>> 
>>>   * Our TAL file won't change at this time. There is no need to
>>> change anything in your current RP configuration.
>>> 
>>>   * Our RTA certificate, while keeping the old key, will point to a
>>> new manifest.
>>> 
>>> From the outside, what RPs will see is the following sequence of events:
>>> 
>>>   * At some time T0 all our current servers (both RRDP and rsync)
>>> will be shut down, returning "connection refused" for both http and
>>> rsync.
>>>   * New values for the DNS records will be published (same names,
>>> different IPs).
>>>   * At approximately T0+30min the servers listening on the new IPs
>>> will be started and will start serving the repository as produced by
>>> the new Krill-based system.
>>>   * When they first connect, RPs will see a new RRDP session and will
>>> take it from there.
>>> 
>>> We have tested this migration flow using a set of docker containers
>>> plus a DNS server container using dnsmasq server that allows us to
>>> modify records on the fly. In all the cases we tested this flow works
>>> just fine.
>>> 
>>> We have tested this migration flow with the following RPs:
>>> 
>>>  * rpki-client from “latest” all the way back to 8.2.
>>>  * routinator from “latest” all the way back to 0.8.
>>>  * fort from “latest” all the way back to 1.5.0.
>>> 
>>> What we have not tested:
>>> 
>>>  * RIPE rpki validator: it’s been deprecated for three years. You
>>> shouldn’t be running this and you know it :-) In any case, it should
>>> work.
>>>  * OctoRPKI: also recently deprecated.
>>>  * Rpki-prover.
>>>  * RPSTIR.
>>> 
>>> All of the above should work. However bear in mind the following: If
>>> you are running any of the above and you notice issues, just clear the
>>> local cache, launch a clean instance of your RP and you should be
>>> fine.
>>> 
>>> We have set up a specific email inbox for this migration work:
>>> rpki-migrac...@lacnic.net. It will be closely monitored during April
>>> 15 and the following days. It will be phased out once we are confident
>>> all issues that may arise have been addressed.
>>> 
>>> For those interested, the new servers are already online and can be
>>> used to validate. These can be reached at:
>>> 
>>>  * lb-us-mia.rrdp.lacnic.net
>>>  * lb-us-southeast.rrdp.lacnic.net
>>>  * lb-br-gru.rrdp.lacnic.net
>>> 
>>> Don’t expect to see the exact same VRPs as you see now on our current
>>> production server as minor differences are expected. Don’t hardcode
>>> this either, as during the migration “rrdp.lacnic.net” will be made to
>>> point to these servers and eventually these names may change and/or
>>> new ones may be added.
>>> 
>>> Thank you all!
>>> 
>>> /Carlos
>> 
>> 
>> 
>> --
>> --
>> =
>> Carlos M. Martinez-Cagnazzo
>> http://cagnazzo.me
>> =
> 
> 
> 
> -- 
> --
> =
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.me
> =
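
The relying-party behaviour the announcement relies on (a changed RRDP session on first contact after the switch), shown as an added example that is not part of the thread and is not LACNIC's or any validator's code. It follows the RFC 8182 notification-file rules; the session IDs, `rrdp.example.net` URIs, dummy hashes and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.ripe.net/rpki/rrdp}"  # RRDP namespace from RFC 8182

def parse_notification(xml_text):
    """Extract session, serial, snapshot URI and delta URIs from a notification file."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP version 1 notification file")
    return {
        "session_id": root.get("session_id"),
        "serial": int(root.get("serial")),
        "snapshot": root.find(NS + "snapshot").get("uri"),
        "deltas": {int(d.get("serial")): d.get("uri") for d in root.findall(NS + "delta")},
    }

def plan_update(cached, note):
    """cached is (session_id, serial) or None. Returns (action, uris_to_fetch)."""
    snapshot = ("snapshot", [note["snapshot"]])
    # New or changed session: local state is unusable, resync from the snapshot.
    if cached is None or cached[0] != note["session_id"]:
        return snapshot
    if note["serial"] == cached[1]:
        return ("up-to-date", [])
    needed = range(cached[1] + 1, note["serial"] + 1)
    # Serial went backwards or the delta chain has a gap: fall back to the snapshot.
    if note["serial"] < cached[1] or any(s not in note["deltas"] for s in needed):
        return snapshot
    return ("deltas", [note["deltas"][s] for s in needed])

def sample_notification(session_id, serial, delta_serials):
    """Build a constructed notification file (example.net URIs, dummy hashes)."""
    h, base = "0" * 64, "https://rrdp.example.net/" + session_id
    deltas = "".join(f'<delta serial="{s}" uri="{base}/{s}/delta.xml" hash="{h}"/>'
                     for s in delta_serials)
    return (f'<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
            f'session_id="{session_id}" serial="{serial}">'
            f'<snapshot uri="{base}/{serial}/snapshot.xml" hash="{h}"/>{deltas}</notification>')

OLD = "9df4b597-af9e-4dca-bdda-719cce2c4e28"  # constructed: session before the switch
NEW = "1b2c3d4e-0000-4000-8000-aabbccddeeff"  # constructed: session after the switch

if __name__ == "__main__":
    after_switch = parse_notification(sample_notification(NEW, 1, []))
    print(plan_update((OLD, 120), after_switch))  # cached old session -> snapshot resync
```
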



MTA-STS operational practice survey

2024-04-16 Thread Chung, Tijay
Greetings,

Together with researchers from Virginia Tech and Max-Planck-Institut für 
Informatik, we would like to understand the general trends, operational 
practices, and challenges of the MTA-STS protocol from the mail operators' point of 
view.

It takes around 5-6 minutes and you can stop participating in the study at any 
time; we would truly appreciate your participation.

We do not collect any personal information and all answers except the first 
couple of consent questions are optional. If you do not want to answer any 
questions, please just leave the field blank.

https://www.surveymonkey.com/r/JKWNDSN

Please do not hesitate to email me if you have questions or comments. Also, 
please excuse us if you have received this email from different mailing lists.

Thank you.
Thanks,
Taejoong "Tijay" Chung, Assistant Professor
Virginia Tech  |  Computer Science
220 Gilbert Street, RM 4303
Blacksburg, VA 24060
(540) 231-0667| ti...@vt.edu