Now that cron(8) was put on a quick steroids programme, we have new options available! Awesome work Todd, Theo.
On Mon, Apr 13, 2020 at 02:43:27PM +0000, Job Snijders wrote:
> I'm reviewing some of the timers associated with the workings of the
> end-to-end propagation from ROA to VRP. I think suggesting to run
> rpki-client only once a day can make for needless brittleness.
>
> Running rpki-client just once a day also results in only making a rsync
> fetch attempt once a day. If the connection can't be established because
> of a transient network issue, the RP can easily end up going without
> contact with the CA Publication Point for close to 48 hours. A lot of
> CRLs appear to have expiration dates in the range of '24 hours'.
>
> I think attempting to contact a CA PP at least once an hour is more
> appropriate for the various 24-48h sliding windows that are in play.

In autonomous systems running bgpd(8) and rpki-client(8) on their edge routers, I believe it to be beneficial if out-of-the-box the routers don't all do rpki fetches & bgp loads at the same time. It is expected behavior for RPKI information to unevenly percolate towards the BGP edge in a staggered way.

From a network operational perspective, should a support request come in to the ISP, responding "once an hour" will satisfy most situations. In cases where rpki-client for some reason ends up taking longer than an hour, the next execution attempt of the command will be skipped. Better to just try again an hour later; this helps avoid concurrent rpki-client processes crossing streams.

I think 'once an hour' is a reasonable balance between the needs of internet users (the ROA creators who may depend urgently on an expedient distribution of updated RPKI information); considerations for what the Internet's CA infrastructure realistically can support; and what network operators are willing to tolerate in churn. We have to hold the throttle open at the right position.

Anyway, I consider "once an hour" a big upgrade from the decades-old "once every 24 hour"-mantra the IRR brought us.
:-) Kind regards, Job Index: etc/crontab =================================================================== RCS file: /cvs/src/etc/crontab,v retrieving revision 1.26 diff -u -p -r1.26 crontab --- etc/crontab 15 Apr 2020 03:24:08 -0000 1.26 +++ etc/crontab 16 Apr 2020 22:29:16 -0000 @@ -19,4 +19,4 @@ HOME=/var/log 30 5 1 * * /bin/sh /etc/monthly #~ * * * * /usr/libexec/spamd-setup -#0~20 9 * * * -n rpki-client -v && bgpctl reload +#~ * * * * -s -n rpki-client -v && bgpctl reload
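
Review bot: on the added `#~ * * * * -s -n rpki-client -v && bgpctl reload` line, nothing in the file records why `-s` and the `~` minute field are there, so the rationale given in the message (skip a run while the previous one is still going, keep routers from all fetching in the same minute) is lost once this is committed. A one-line comment above the entry would preserve it. Also worth settling before commit: if `-s` skips runs while an earlier one is still active, an rpki-client that never exits would hold off every later hourly run, so either bound the run time of the command or state how an operator is expected to notice stale VRPs. The `&&` is right as written, since it keeps `bgpctl reload` from running after a failed fetch.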
