<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi all, <div class=""><br class=""></div><div class="">We have just released fixed versions of our Validator 3.</div><div class=""><br class=""></div><div class="">You can find them here: </div><div class=""><br class=""></div><div class=""><div class="">Centos7 - <a href="https://ftp.ripe.net/tools/rpki/validator3/prod/centos7/repo/rpki-validator-3.1-2019.12.16.15.18.18.noarch.rpm" class="">https://ftp.ripe.net/tools/rpki/validator3/prod/centos7/repo/rpki-validator-3.1-2019.12.16.15.18.18.noarch.rpm</a></div><div class="">Debian - <a href="https://ftp.ripe.net/tools/rpki/validator3/prod/deb/rpki-validator-3.1-2019.12.16.15.18.18.deb" class="">https://ftp.ripe.net/tools/rpki/validator3/prod/deb/rpki-validator-3.1-2019.12.16.15.18.18.deb</a></div><div class="">Generic build - <a href="https://ftp.ripe.net/tools/rpki/validator3/prod/generic/rpki-validator-3.1-2019.12.16.15.18.18-dist.tar.gz" class="">https://ftp.ripe.net/tools/rpki/validator3/prod/generic/rpki-validator-3.1-2019.12.16.15.18.18-dist.tar.gz</a></div></div><div class=""><br class=""></div><div class="">If you have yum repository configured, "yum install rpki-validator" will do the job.</div><div class=""><br class=""></div><div class="">This was an interesting bug - We always relied on the idea that serial numbers of manifest objects increase --- apparently all the Trust Anchors so far (except for some of the sub-repositories under APNIC) generated increasing serial numbers and it always worked. It looks like Krill doesn't do it, that's why Validator 3 doesn't always pick up the latest manifest and can use stale data. According to the RFC serial numbers don't have to increase, they just need to be different (the Krill implementation follows that RFC), so it was a bug on our side that is now fixed. </div><div class=""><br class=""></div><div class="">Thanks for bringing this up.</div><div class=""><br class=""></div><div class="">Nathalie Trenaman</div><div class="">RIPE NCC</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">Op 16 dec. 2019, om 15:22 heeft Nathalie Trenaman <<a href="mailto:nathalie@ripe.net" class="">nathalie@ripe.net</a>> het volgende geschreven:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi all,<div class=""><br class=""></div><div class="">It seems that Validator 3.x (the one you see on <a href="https://rpki-validator.ripe.net/bgp-preview" class="">https://rpki-validator.ripe.net/bgp-preview</a>) has been hanging and not fetching new information from the repositories. All the other Validators (2.x, Routinator, OctoRPKI, RPKIclient, FORT) don’t have this problem, so it depends on what validator you are running, which result you see. Our RPKI team is currently looking into this. Meanwhile, if you are running Validator 3.x and you see 170.79.184.0/22 appearing as “unknown”, a reboot will help. </div><div class="">We have just rebooted <a href="https://rpki-validator.ripe.net/" class="">https://rpki-validator.ripe.net/</a> and as you can see, 170.79.184.0/22 now appears as “valid”. </div><div class="">Stay tuned, as soon as we have more information, I will report back.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Nathalie Trenaman</div><div class="">RIPE NCC</div><div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">Op 16 dec. 2019, om 13:36 heeft Gondim via routing-wg <<a href="mailto:routing-wg@ripe.net" class="">routing-wg@ripe.net</a>> het volgende geschreven:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><p class="">Hi Marco,<br class="">
</p>
<div class="moz-cite-prefix">Em 16/12/2019 10:28, Marco Paesani
escreveu:<br class="">
</div>
<blockquote type="cite" cite="mid:CANiyn-0xyvsAWetQ-StAFoG+odTsx_biZUAfjE9BgefyFZ4AOQ@mail.gmail.com" class="">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" class="">
<div dir="ltr" class="">Marcelo,
<div class="">the route
<a href="http://170.79.184.0/22" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">170.79.184.0/22</a> is
not present on validator.</div>
<div class=""><font face="monospace" class=""><br class="">
</font></div>
<font face="monospace" class="">m.paesani@MX960-MIX-RE0# run show route <a href="http://170.79.184.0/22" moz-do-not-send="true" class="">170.79.184.0/22</a>
exact active-path<br class="">
<br class="">
inet.0: 782165 destinations, 5177202 routes (777291 active, 0
holddown, 20504 hidden)<br class="">
+ = Active Route, - = Last Active, * = Both<br class="">
<br class="">
<a href="http://170.79.184.0/22" moz-do-not-send="true" class="">170.79.184.0/22</a>
*[BGP/170] 3d 14:13:33, MED 500, localpref 100<br class="">
AS path: 6762 53181 53135 I,
validation-state: <b class=""><font color="#ff0000" class="">unknown</font></b><br class="">
> to 93.186.128.48 via xe-8/0/3.100</font><br class="">
</div>
</blockquote><p class="">The strange thing is that it is being validated elsewhere. What I
do not understand is why in some it appears as valid and others as
unknown when everyone should be seeing the same information. Or am
I mistaken?</p><p class=""># whois -h <a href="http://whois.bgpmon.net/" class="">whois.bgpmon.net</a> " --roa 53135 170.79.184.0/22"<br class="">
0 - Valid<br class="">
------------------------<br class="">
ROA Details<br class="">
------------------------<br class="">
Origin ASN: AS53135<br class="">
Not valid Before: 2019-12-13 19:24:16<br class="">
Not valid After: 2020-12-13 19:29:16 Expires in 363d6h55m11s<br class="">
Trust Anchor: <a href="http://rpki-repo.registro.br/" class="">rpki-repo.registro.br</a><br class="">
Prefixes: 170.79.184.0/22 (max length /24)</p><p class="">====================================================<br class="">
</p><p class=""># whois -h <a href="http://whois.bgpmon.net/" class="">whois.bgpmon.net</a> 170.79.184.0/22<br class="">
% This is the <a href="http://bgpmon.net/" class="">BGPmon.net</a> whois Service<br class="">
% You can use this whois gateway to retrieve information <br class="">
% about an IP adress or prefix<br class="">
% We support both IPv4 and IPv6 address.<br class="">
%<br class="">
% For more information visit:<br class="">
% <a class="moz-txt-link-freetext" href="https://portal.bgpmon.net/bgpmonapi.php">https://portal.bgpmon.net/bgpmonapi.php</a><br class="">
<br class="">
Prefix: 170.79.184.0/22<br class="">
Prefix description: Nettel Telecomunicacoes Ltda<br class="">
Country code: BR<br class="">
Origin AS: 53135<br class="">
Origin AS Name: Nettel Telecomunica��es Ltda., BR<br class="">
RPKI status: ROA validation successful<br class="">
First seen: 2017-03-02<br class="">
Last seen: 2019-12-14<br class="">
Seen by #peers: 65<br class="">
</p><p class=""><br class="">
</p>
<blockquote type="cite" cite="mid:CANiyn-0xyvsAWetQ-StAFoG+odTsx_biZUAfjE9BgefyFZ4AOQ@mail.gmail.com" class="">
<div dir="ltr" class="">
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class=""><font face="arial,
helvetica, sans-serif" class="">Marco
Paesani</font></div>
<div class=""><br class="">
</div>
<div class=""><img src="https://docs.google.com/a/paesani.it/uc?id=0B8Pjoo-dtmQtd1h1S3d4aHdRM1E&export=download" style="font-size:12.8px" moz-do-not-send="true" width="96" height="86" class=""><br class="">
</div>
<div dir="ltr" class=""><font style="font-size:small" class=""><font face="arial,
helvetica, sans-serif" class=""><font size="2" class="">Skype: mpaesani<br class="">
Mobile: +39 348 6019349<br class="">
Success depends on the right
choice !<br class="">
Email: <a href="mailto:marco@paesani.it" style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true" class="">marco@paesani.it</a></font><br class="">
</font><br class="">
</font></div>
<div dir="ltr" class=""><font style="font-size:small" class=""><br class="">
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Il giorno lun 16 dic 2019 alle
ore 12:54 Gondim via routing-wg <<a href="mailto:routing-wg@ripe.net" moz-do-not-send="true" class="">routing-wg@ripe.net</a>>
ha scritto:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
Matthias,<br class="">
<br class="">
Em 16/12/2019 08:43, Matthias Waehlisch escreveu:<br class="">
> [1] and [2] use different Trust Anchors.<br class="">
><br class="">
> which prefix do you check?<br class="">
<br class="">
For example <a href="http://170.79.184.0/22" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">170.79.184.0/22</a><br class="">
<br class="">
Other Autonomous Systems that I consulted also experienced
this problem.<br class="">
<br class="">
><br class="">
> Cheers<br class="">
> matthias<br class="">
><br class="">
> On Mon, 16 Dec 2019, Gondim via routing-wg wrote:<br class="">
><br class="">
>> Dear all,<br class="">
>><br class="">
>> Friday, here in Brazil, the RPKI was enabled. We have
published our ROAs<br class="">
>> and are being validated in several places but we
found a divergence.<br class="">
>> When we query our AS on this link [1] it appears to
be valid but when we<br class="">
>> query our AS on this link [2], it appears as unknown.<br class="">
>><br class="">
>> Is there any difference between the tools that might
be causing this?<br class="">
>><br class="">
>> [1] <a href="http://localcert.ripe.net:8088/bgp-preview" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">http://localcert.ripe.net:8088/bgp-preview</a><br class="">
>><br class="">
>> [2] <a href="https://rpki-validator.ripe.net/bgp-preview" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">https://rpki-validator.ripe.net/bgp-preview</a><br class="">
<br class="">
</blockquote>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
⢀⣴⠾⠻⢶⣦⠀ Marcelo Gondim
⣾⠁⢠⠒⠀⣿⡁ Sysadmin - <a class="moz-txt-link-freetext" href="https://www.linuxinfo.com.br/">https://www.linuxinfo.com.br</a>
⢿⡄⠘⠷⠚⠋ DA04 922E 78B3 44A5 3C8D 23D0 8DB5 571E E151 4E19
⠈⠳⣄⠀⠀⠀⠀ Logic will get you from A to B. Imagination will take you everywhere. (Albert Einstein)</pre>
</div>
</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>