Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-11 Thread Amreesh Phokeer
On Thu, Apr 11, 2019 at 7:34 PM Owen DeLong wrote:
> I believe the TALs are not mirrored, but I believe that the ROAs and such are.

As it stands ROAs aren't mirrored by any other RIR as is the case for IRR objects.

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-11 Thread Owen DeLong
> On Apr 10, 2019, at 10:41 PM, Mark Tinka wrote:
>
> On 10/Apr/19 21:39, Owen DeLong wrote:
>> If I understand it correctly, however, ALL of the RIRs mirror all of the other RIRs data,...
>
> You mean of the TAL?

I believe the TALs are not mirrored, but I believe that

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Mark Tinka
On 10/Apr/19 21:39, Owen DeLong wrote:
> If I understand it correctly, however, ALL of the RIRs mirror all of the other RIRs data,...

You mean of the TAL?

Mark.

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Owen DeLong
> On Apr 10, 2019, at 6:57 AM, Noah wrote:
>
> On Wed, Apr 10, 2019 at 4:04 PM Owen DeLong wrote:
>> If you automate the process, you have to store the private key in a manner in which it can be accessed automatically.
>
> The only process that needs

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Mark Tinka
On 10/Apr/19 14:59, Owen DeLong wrote:
> RPKI is operational. I’m not sure how serious it is, as I have trouble taking seriously a system which, at best, tells you what you need to prepend. It’s a nice protection from fat fingers, but, in its current state, it provides little to no

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Ben Maddison via Community-Discuss
, Ben Owen From: Mark Tinka [mailto:mark.ti...@seacom.mu<mailto:mark.ti...@seacom.mu>] Sent: 10 April 2019 08:32 AM To: community-discuss@afrinic.net<mailto:community-discuss@afrinic.net> Subject: Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report Than

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Noah
On Wed, Apr 10, 2019 at 4:04 PM Owen DeLong wrote:
> If you automate the process, you have to store the private key in a manner in which it can be accessed automatically.

The only process that needs automation is the timing of when certificates expire next [1] so as to best inform the

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Saul Stein
...@delong.com] Sent: 10 April 2019 03:05 PM To: Noah Cc: Saul Stein ; General Discussions of AFRINIC Subject: Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report The last issue I had, when no ROAs could be added, deleted etc, it was admitted that the issue was known

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Daniel Shaw via Community-Discuss
Hi Mark, Saul, Sunday, all, I suppose that Cedrick or other staff may possibly reply in due course with more details as regards this specific implementation of a CA (aka the AFRINIC RPKI CA). However let me respond a bit generally about the reason to have an offline portion of a CA.

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Owen DeLong
> The last issue I had, when no ROAs could be added, deleted etc, it was admitted that the issue was known about for over two weeks without anything on the announce list or being fixed! After escalation to the CEO and others it was fixed in a couple of hours!

I believe that is a

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Owen DeLong
If you automate the process, you have to store the private key in a manner in which it can be accessed automatically. This compromises the integrity of the key as it must be stored online (or be usable through an on-line process) rather than being kept offline and utilized via an HSM or other

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Owen DeLong
hey have already implemented. Owen > From: Mark Tinka [mailto:mark.ti...@seacom.mu <mailto:mark.ti...@seacom.mu>] > Sent: 10 April 2019 08:32 AM > To: community-discuss@afrinic.net <mailto:community-discuss@afrinic.net> > Subject: Re: [Community-Discuss] 06 April 2019

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Ben Maddison via Community-Discuss
ct: Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report Thanks, Cedrick. A question that is, perhaps, obvious... are you able to take the human component out of this? If 2 reminders were not enough to get the humans to act, I'm not sure the current methodology is sustainable. Ma

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Sunday Folayan
Hi Cedrick and the team, Can the certificate generation and update be automated and handled by a script? I guess alerts when such an update fails will be taken more seriously. Can the AfriNIC RPKI-WG be more involved in assuring stability rather than leave the community to discover and complain?

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Noah
> having issues with it. It is like customs at immigration being offline! > > > > Cheers > > Saul > > > > *From:* Mark Tinka [mailto:mark.ti...@seacom.mu] > *Sent:* 10 April 2019 08:32 AM > *To:* community-discuss@afrinic.net > *Subject:* Re: [Community-Discuss] 06

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Saul Stein
] Sent: 10 April 2019 08:32 AM To: community-discuss@afrinic.net Subject: Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report Thanks, Cedrick. A question that is, perhaps, obvious... are you able to take the human component out of this? If 2 reminders were not enough to get

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-10 Thread Mark Tinka
Thanks, Cedrick. A question that is, perhaps, obvious... are you able to take the human component out of this? If 2 reminders were not enough to get the humans to act, I'm not sure the current methodology is sustainable. Mark. On 8/Apr/19 17:46, Cedrick Adrien Mbeyet wrote: > > Dear AFRINIC

Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-08 Thread francis asiboh via Community-Discuss
Hello Thank you for the report. However, it does not look professional that a critical service of Afrinic is down for so long. Several times, the "whois" service of Afrinic was down without any postmortem reports. This is so ugly that only if someone complains over the mailing list only then

[Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

2019-04-08 Thread Cedrick Adrien Mbeyet
Dear AFRINIC community,

Find below the postmortem report on the incident that happened on 06 April 2019.

The AFRINIC RPKI engine has an offline part that has to be renewed on a monthly basis. The process is known, documented and automated reminders are set. The system is set to send 2 reminders each