This repository has been archived by the owner on Jul 15, 2021. It is now read-only.

Recurring issue for APNIC RPKI Root and RIPE NCC RPKI Root #241

Open
marzdgzmn opened this issue Jul 27, 2020 · 5 comments
Comments

@marzdgzmn

We're getting recurring issues for APNIC RPKI Root and RIPE NCC RPKI Root.

APNIC RPKI ROOT:

Manifest rsync://rpki.cnnic.cn/rpki/A9162E3D0000/73/CfUv1bVUg5EXd8PcpEpl08lfhYA.mft for this certificate is not available at repository https://rpki.cnnic.cn/rrdp/notify.xml.

RIPE NCC RPKI Root

Manifest rsync://rpkica.mckay.com/rpki/MCnet/UEh2SAvdIgPsUFdv92RSSaNqBnY.mft for this certificate is not available at repository https://rpkica.mckay.com/rrdp/notify.xml.

What seems to be causing these issues and how do we resolve them?

@lolepezy
Contributor

Hi,

These issues are indeed recurrent and they both are related to the hosting authorities, in this case the Chinese NIR (it can be very slow or unavailable sometimes) and the CA created by mckay.com (it has a broken SSL certificate from time to time). We don't have control over these repositories; we can only poke mckay.com to renew their certificates more regularly.

The consequence for you, as a validator user, is that sometimes BGP announcements originating from China and the mckay network will change their RPKI status to UNKNOWN, but nothing will become INVALID, so from the routing viewpoint there shouldn't be any impact.

@lolepezy
Contributor

Also, the validator caches the objects, so unless these problems persist for too long, the impact should be exactly zero.
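
An added illustration of the point made in the two comments above (not code from the validator or from anyone in this thread): RFC 6811 origin validation over a constructed VRP set, showing what happens to route states when one repository's objects drop out. The prefixes, ASNs and repository names are constructed, and the example assumes no VRP from another repository covers the affected prefixes.

```python
import ipaddress

# Constructed VRPs: (prefix, max_length, origin_asn, source_repository).
# Documentation prefixes/ASNs; repository names are placeholders.
VRPS = [
    ("192.0.2.0/24", 24, 64500, "repo-a.example"),
    ("198.51.100.0/24", 24, 64501, "repo-b.example"),
    ("2001:db8::/32", 48, 64501, "repo-b.example"),
]

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown' (NotFound)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn, _repo in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this VRP does not cover the route
        covered = True
        if asn == origin_asn and asn != 0 and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"

def impact_of_losing(repo, routes, vrps):
    """Map each (prefix, asn) route to its (before, after) state when repo's VRPs vanish."""
    remaining = [v for v in vrps if v[3] != repo]
    return {r: (validate(*r, vrps), validate(*r, remaining)) for r in routes}

ROUTES = [
    ("198.51.100.0/24", 64501),   # legitimate origin, covered only by repo-b
    ("198.51.100.0/24", 64500),   # wrong origin for that prefix
    ("2001:db8:1::/56", 64501),   # more specific than max_length allows
    ("192.0.2.0/24", 64500),      # covered by repo-a, unaffected
]

if __name__ == "__main__":
    for route, (before, after) in impact_of_losing("repo-b.example", ROUTES, VRPS).items():
        print(route, before, "->", after)
```

In this constructed set the legitimate route goes from valid to unknown, and the two routes that were invalid also fall to unknown, so a router policy that drops only invalid routes stops filtering them while the repository's objects are missing.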

@marzdgzmn
Author

> Also, the validator caches the objects, so unless these problems persist for too long, the impact should be exactly zero.

Thank you for the clarification.
We were just concerned that ours are not consistent in regards to the Processed Items as shown below:

https://rpki-validator.ripe.net/trust-anchors
[Screenshot: 2020-07-27-190815_1156x444_scrot]

While ours shows errors:
[Screenshot: 2020-07-27-190826_1221x485_scrot]

@lolepezy
Contributor

I believe the difference can be explained by
a) caching -- our instance has been working for many weeks and has cached a lot of objects.
b) you have enabled `rpki.validator.strict-validation = true` in the config, which interprets many warnings as errors and drops the broken objects.

Also, if you click on APNIC RPKI Root, you'll see the list of repositories and their statuses at the bottom of the page, so you can see if https://rpki.cnnic.cn/rrdp/notify.xml was successfully updated (for us it seems to be ok at the moment, https://rpki-validator.ripe.net/trust-anchors/monitor/2).

There's also one thing that needs to be mentioned: in the future release(s) we are going to change the default to rpki.validator.strict-validation = true, this is caused by the change of consensus in SIDROPS and the upcoming change of RFCs. So the errors you see will actually be there for both instances when we release it.

@pmawsonau

Hi,

I am having the same issue, even with "rpki.validator.strict-validation=false".

[Screenshot: Screen Shot 2020-07-30 at 2 22 20 pm]
[Screenshot: Screen Shot 2020-07-30 at 2 22 27 pm]

Is there a fix? We are seeing different values between this validator and another one we run, so curious if that is the cause.
Thanks
