At Wed, 22 Oct 2008 09:38:07 +1000, Terry Manderson wrote:
>
> On 20/10/2008, at 8:22 PM, Andy Newton wrote:
>
> > Hmmm... This couldn't be too hard to test, now could it. Using
> > curl or Apache libraries should be easy. If somebody could throw
> > out what they consider to be a good size for the number of files
> > in the repository and file size ranges, I'll cook something up.
>
> APNIC _had_ a test repository in place. I don't know if it is still
> there. I'm not aware of any other organisation with a populated
> repository of test objects.

APNIC did indeed have a mock-up of a full-scale RPKI repository at one point, based on available data from IANA and all five RIRs (i.e., this was an attempt to simulate what the full database in an RPKI world would look like). This test repository was a great help when I was first writing validation code and we were all trying to figure out what the certificate profile should be, but it was somewhat high maintenance, and APNIC decommissioned it a while ago.

George Michaelson might be able to supply more details, but as I recall it was on the order of 30,000 - 40,000 objects. Didn't include ROAs or manifests, just certificates and CRLs. I no longer recall whether it included EE certificates or only CA certificates.

Most RPKI objects are quite small. Disk space per se was never a problem during testing with the full ~40k objects. Inodes, on the other hand, were a problem -- your average unix filesystem is configured assuming a higher data/inode ratio.

The test objects that I generate as part of my regression testing framework come in at about 2000 octets for a manifest, about 1250 octets for a certificate, and about 435 octets for an empty CRL. These are probably on the small side: CRLs and manifests grow with the number of entries, and certificates grow with the number of discrete resources encoded as extensions, but we're still talking about tiny files in most cases.

Manifests issued by RIRs are likely to be significantly larger, simply because the tree is so flat there. CRL sizes depend on your assumptions, but it's probably safe to assume that anybody who issues a lot of certificates will need to revoke some of them.

Hope this helps.
