Hi Nick,

On 2019-04-10 08:40:22+02:00 Mark Tinka wrote:

+Ben.

On 9/Apr/19 15:45, Nick Hilliard wrote:


Hi Mark, Ben,

Afrinic's RPKI manifest signature expired on April 6th and wasn't fixed for 
several hours.  This may have caused validation failure during that period.  
Couple of things:

1. Did you see any operational impact from this, or are you monitoring for this 
sort of failure on your networks?

On my side, I did not see any operational issues. It was 1 day into our final 
implementation of dropping Invalids, so perhaps Ben might have a better 
perspective as his deployment had been up since the 1st of this month.


We didn't see any *unexpected* impact. Everything covered by a ROA issued under 
the afrinic TAL fell back to Not Found as designed, and we had no reported 
issues.
I had been concerned that we would see some transient loops form as things 
moved from Valid to Not Found (this is an issue because of ios-xe's behaviour 
of preferring Valid to Not Found regardless of configured policy - please go 
shout at your Cisco SE about this!).
The fact that this doesn't seem to have been an issue suggests that the 
refresh-interval we chose (10 mins) is about right.

We have relatively little in the way of automated monitoring at the moment, for 
two reasons:
1. We don't yet have enough experience to know quite what we should be alerting 
on, and I prefer not to swamp the NOC with tons of non-actionable alerts just 
for the sake of it
2. We are probably going to kick out the RIPE validator in favour of some 
combination of routinator/octorpki/rpki-client fairly soon - thus we're holding 
off on writing too much stuff against that API which might not port well.

So, for the time being, we're actively and regularly looking for anomalies "by 
hand" - which was how we saw the afrinic repo disappear.

2. the trust anchor has an expiry date some time in 2027.  Does the afrinic 
community have an opinion about trust anchor with extended lifetimes like this?

I have not seen it discussed on any of the AFRINIC mailing lists, nor in the 
few face-to-face AFRINIC meetings I've attended.

That said, I see that LACNIC and RIPE have theirs valid for another 93 and 98 
years, respectively.

In the absence of an automated mechanism for TA key rollovers, I don't think 10 
years is an unreasonable validity period. I haven't gone over it in any great 
detail, but https://datatracker.ietf.org/doc/draft-ietf-sidrops-signed-tal/  
appears to propose a solution to this, although I see that draft expires in a 
week or so. If Tim or one of the other authors is on here, maybe they'd like to 
comment?

My bigger issue with the current set of TALs is that they all claim 0/0, which 
greatly increases the blast radius if any one is compromised. I'd love to see a 
larger selection of the RIR membership base applying pressure to get this 
changed!

Mark.

Cheers,

Ben
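As an added illustration of the automated check the thread touches on (per-TA VRP counts disappearing, and covered routes falling from Valid to Not Found), the following is example code written for this page, not code from Ben, Mark, Nick or any validator project. It assumes the validator exports VRPs as JSON with a top-level `roas` list whose entries carry `asn`, `prefix`, `maxLength` and `ta` fields (the field names and the two constructed snapshots are assumptions), and it needs Python 3.7+ for `ipaddress.subnet_of`.

```python
"""Per-trust-anchor VRP monitoring sketch (constructed example, not project code).

Assumed export shape (field names are an assumption):
{"roas": [{"asn": "AS64496", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "afrinic"}, ...]}
"""
import ipaddress
import json
from collections import Counter

# Constructed snapshots: before and after one TA's repository stops validating.
SNAPSHOT_BEFORE = json.dumps({"roas": [
    {"asn": "AS64496", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "afrinic"},
    {"asn": "AS64496", "prefix": "2001:db8::/32", "maxLength": 48, "ta": "afrinic"},
    {"asn": "AS64497", "prefix": "198.51.100.0/24", "maxLength": 24, "ta": "ripe"},
    {"asn": "AS64498", "prefix": "192.0.2.0/24", "maxLength": 24, "ta": "ripe"},
]})
SNAPSHOT_AFTER = json.dumps({"roas": [
    {"asn": "AS64497", "prefix": "198.51.100.0/24", "maxLength": 24, "ta": "ripe"},
    {"asn": "AS64498", "prefix": "192.0.2.0/24", "maxLength": 24, "ta": "ripe"},
]})


def load_vrps(text):
    """Parse the export into a set of (ta, asn, prefix, maxLength) tuples."""
    data = json.loads(text)
    return {(r["ta"], r["asn"], r["prefix"], int(r["maxLength"])) for r in data["roas"]}


def count_per_ta(vrps):
    return Counter(ta for ta, _, _, _ in vrps)


def ta_alerts(before, after, drop_threshold=0.2):
    """Alert when a TA's VRPs vanish entirely or shrink by more than drop_threshold."""
    alerts = []
    cb, ca = count_per_ta(before), count_per_ta(after)
    for ta, n_before in sorted(cb.items()):
        n_after = ca.get(ta, 0)
        if n_after == 0:
            alerts.append(f"{ta}: all {n_before} VRPs gone (repository or manifest problem?)")
        elif n_before - n_after > drop_threshold * n_before:
            alerts.append(f"{ta}: VRPs dropped {n_before} -> {n_after}")
    return alerts


def route_state(vrps, prefix, asn):
    """RFC 6811 origin validation of one route against a VRP set."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for _, vrp_asn, vrp_prefix, maxlen in vrps:
        vnet = ipaddress.ip_network(vrp_prefix)
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue
        covered = True  # at least one VRP covers this prefix
        if vrp_asn == asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "notfound"


def transition_alerts(before, after, watched):
    """Report watched (prefix, origin ASN) pairs whose validation state changed."""
    alerts = []
    for prefix, asn in watched:
        s_b, s_a = route_state(before, prefix, asn), route_state(after, prefix, asn)
        if s_b != s_a:
            alerts.append(f"{prefix} {asn}: {s_b} -> {s_a}")
    return alerts


if __name__ == "__main__":
    b, a = load_vrps(SNAPSHOT_BEFORE), load_vrps(SNAPSHOT_AFTER)
    for line in ta_alerts(b, a) + transition_alerts(b, a, [("203.0.113.0/24", "AS64496")]):
        print("ALERT", line)
```

Run against two consecutive exports, the first function catches a whole TA's VRPs vanishing (the "repo disappeared" case), while the second shows which of your own or your customers' routes moved from Valid to Not Found as a result; the threshold is deliberately coarse so that normal ROA churn does not page the NOC.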
