[routing-wg] Delay in publishing RPKI objects
Job Snijders
job at fastly.com
Tue Feb 16 19:22:46 CET 2021
Dear RIPE NCC,

On Tue, Feb 16, 2021 at 04:56:31PM +0100, Nathalie Trenaman wrote:
> On Monday, 15 February we encountered an issue with our RPKI software.
> This issue prevented us from publishing RPKI object updates from
> 08:07-18:06 (UTC).
>
> During this period, Certificate Authority activation and Route Origin
> Authorization configuration updates were delayed and therefore not
> visible in the RPKI repository.

It appears Certificate Authority revocation was also delayed.

> The updates were published after we restarted the system at 17:45
> (UTC), with full recovery completed by 18:06 (UTC). Since this
> non-publishing period is shorter than our default RPKI object validity
> period, set to 8 hours, existing objects that are not updated were
> still valid. No data was lost during this period.

Can the following phrase "default RPKI object validity period, set to 8 hours" please be clarified?

For objects produced in the RIPE-hosted RPKI environment I observe the following validity periods are commonly used:

    Object type        | validity duration after issuance
    -------------------+---------------------------------
    CRLs               | 24 hours
    ROA EE certs       | 18 months
    Manifest eContent  | 24 hours
    Manifest EE certs  | 7 days
    CAs                | 18 months

I'm just guessing, is the '8 hour' period a reference to RIPE-751 section 2.3?

    "A certificate will be published within eight hours of being issued (or deleted)."

The RIPE-751 CPS also states in section 4.9.8 ("Maximum latency for CRLs"):

    CRLs will be published to the repository system within one hour of their generation.

As the outage appears to have exceeded both the 1 hour revocation window and the 8 hour object publication window, RIPE NCC was not compliant with its own CPS.

The multitude of RPKI service impacting events as a result of maloperation of the RIPE NCC trust anchor are starting to give me cause for concern.

Kind regards,

Job
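The two CPS windows cited in the message (one hour for CRLs, eight hours for certificates) and the observed validity durations can be checked mechanically against repository timestamps, which is what an operator monitoring a publication point would want during an incident like this one. The following Python is an added example, not code from the thread or from RIPE NCC; the URIs, the object timestamps and the 548-day approximation of 18 months are constructed for illustration, and the outage window is the one quoted above.

```python
"""Check RPKI publication latency against the RIPE-751 CPS windows quoted in the
thread, and test whether objects issued before a non-publishing window would
still be valid when it ends. Sample data below is constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Publication deadline measured from generation, as quoted from RIPE-751:
# section 2.3 (certificates within eight hours) and 4.9.8 (CRLs within one hour).
CPS_PUBLICATION_WINDOW = {
    "crl": timedelta(hours=1),
    "certificate": timedelta(hours=8),
}

# Validity durations after issuance as observed in the thread for
# RIPE-hosted objects; 18 months approximated as 548 days (assumption).
OBSERVED_VALIDITY = {
    "crl": timedelta(hours=24),
    "roa_ee_cert": timedelta(days=548),
    "manifest": timedelta(hours=24),
    "manifest_ee_cert": timedelta(days=7),
    "ca_cert": timedelta(days=548),
}


@dataclass(frozen=True)
class Publication:
    """One repository object: when it was generated and when it became visible."""
    uri: str            # hypothetical rsync URI, constructed for the example
    kind: str           # "crl" or "certificate" (the two CPS categories)
    generated_at: datetime
    published_at: datetime

    def latency(self) -> timedelta:
        return self.published_at - self.generated_at


def cps_violations(records):
    """Return (uri, latency, limit) for each object published later than the CPS allows."""
    out = []
    for r in records:
        limit = CPS_PUBLICATION_WINDOW[r.kind]
        if r.latency() > limit:
            out.append((r.uri, r.latency(), limit))
    return out


def expired_before(kind, issued_at, instant):
    """True if an object of `kind` issued at `issued_at` is no longer valid at `instant`."""
    return issued_at + OBSERVED_VALIDITY[kind] < instant


# Constructed sample: the outage from the thread (15 Feb 2021, 08:07-18:06 UTC).
# Objects generated during it only became visible after the 17:45 restart.
OUTAGE_START = datetime(2021, 2, 15, 8, 7, tzinfo=UTC)
OUTAGE_END = datetime(2021, 2, 15, 18, 6, tzinfo=UTC)

SAMPLE = [
    # CRL generated and published before the outage: within the one-hour window
    Publication("rsync://example.invalid/repo/ca1.crl", "crl",
                datetime(2021, 2, 15, 7, 0, tzinfo=UTC),
                datetime(2021, 2, 15, 7, 5, tzinfo=UTC)),
    # CRL generated during the outage, visible only after the restart
    Publication("rsync://example.invalid/repo/ca1-next.crl", "crl",
                datetime(2021, 2, 15, 8, 30, tzinfo=UTC),
                datetime(2021, 2, 15, 17, 50, tzinfo=UTC)),
    # ROA EE certificate generated during the outage, published 9 hours later
    Publication("rsync://example.invalid/repo/roa1.roa", "certificate",
                datetime(2021, 2, 15, 9, 0, tzinfo=UTC),
                datetime(2021, 2, 15, 18, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for uri, latency, limit in cps_violations(SAMPLE):
        print(f"{uri}: published {latency} after generation, CPS allows {limit}")
    crl_issued = SAMPLE[0].generated_at
    print("pre-outage CRL still valid at end of outage:",
          not expired_before("crl", crl_issued, OUTAGE_END))
```

Run as a script it lists the two objects whose publication latency exceeded the CPS window and confirms that a CRL issued an hour before the outage, with a 24-hour validity, was still valid when publishing resumed; extending `OUTAGE_END` past the CRL's issuance plus 24 hours shows the point at which relying parties would start rejecting the repository's objects.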