Upcoming LACNIC RPKI Migration

Alex Band alex at nlnetlabs.nl
Tue Apr 16 16:06:33 UTC 2024


Hi Carlos,

Congrats to you and the team for the smooth migration. 

I can speak for all of us at NLnet Labs that we’re super proud that LACNIC is now running Krill. 

Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the years of hard work on our open-source RPKI project – and for ironing out a small bump yesterday together with NIC.br after the switch-over. 

Cheers,

Alex


> On 15 Apr 2024, at 16:24, Carlos Martinez-Cagnazzo <carlosm3011 at gmail.com> wrote:
> 
> Hi all, it's me again.
> 
> The switch is complete. Thank you all for your patience.
> 
> /Carlos
> 
> On Mon, Apr 15, 2024 at 9:21 AM Carlos Martinez-Cagnazzo
> <carlosm3011 at gmail.com> wrote:
>> 
>> Hi all,
>> 
>> We'll start in about 45 minutes.
>> 
>> /Carlos
>> 
>> On Mon, Apr 8, 2024 at 5:18 PM Carlos Martinez-Cagnazzo
>> <carlosm3011 at gmail.com> wrote:
>>> 
>>> Hello all,
>>> 
>>> On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will
>>> be migrating from our current legacy RPKI CA system to a new
>>> Krill-based RPKI core.
>>> 
>>> In most cases no action will be required on your part (see below for
>>> some special cases). What follows is a list of events that will take
>>> place at the mentioned time and that may be of interest to you.
>>> 
>>>    * Our TAL file won't change at this time. There is no need to
>>> change anything in your current RP configuration.
>>> 
>>>    * Our RTA certificate, while keeping the old key, will point to a
>>> new manifest.
>>> 
>>> From the outside, what RPs will see is the following sequence of events:
>>> 
>>>   * At some time T0 all our current servers (both RRDP and rsync)
>>> will be shut down, returning "connection refused" for both http and
>>> rsync.
>>>   * New values for the DNS records will be published (same names,
>>> different IPs).
>>>   * At approximately T0+30min the servers listening on the new IPs
>>> will be started and will start serving the repository as produced by
>>> the new Krill-based system.
>>>   * When they first connect, RPs will see a new RRDP session and will
>>> take it from there.
>>> 
>>> We have tested this migration flow using a set of docker containers
>>> plus a DNS server container using dnsmasq server that allows us to
>>> modify records on the fly. In all the cases we tested this flow works
>>> just fine.
>>> 
>>> We have tested this migration flow with the following RPs:
>>> 
>>>      * rpki-client from “latest” all the way back to 8.2.
>>>      * routinator from “latest” all the way back to 0.8.
>>>      * fort from “latest” all the way back to 1.5.0.
>>> 
>>> What we have not tested:
>>> 
>>>      * RIPE rpki validator: it’s been deprecated for three years. You
>>> shouldn’t be running this and you know it :-) In any case, it should
>>> work.
>>>      * OctoRPKI: also recently deprecated.
>>>      * Rpki-prover.
>>>      * RIPSTR.
>>> 
>>> All of the above should work. However, bear in mind the following: If
>>> you are running any of the above and you notice issues, just clear the
>>> local cache, launch a clean instance of your RP and you should be
>>> fine.
>>> 
>>> We have set up a specific email inbox for this migration work:
>>> rpki-migracion at lacnic.net. It will be closely monitored during April
>>> 15 and the following days. It will be phased out once we are confident
>>> all issues that may arise have been addressed.
>>> 
>>> For those interested, the new servers are already online and can be
>>> used to validate. These can be reached at:
>>> 
>>>      * lb-us-mia.rrdp.lacnic.net
>>>      * lb-us-southeast.rrdp.lacnic.net
>>>      * lb-br-gru.rrdp.lacnic.net
>>> 
>>> Don’t expect to see the exact same VRPs as you see now on our current
>>> production server as minor differences are expected. Don’t hardcode
>>> this either, as during the migration “rrdp.lacnic.net” will be made to
>>> point to these servers and eventually these names may change and/or
>>> new ones may be added.
>>> 
>>> Thank you all!
>>> 
>>> /Carlos
>> 
>> 
>> 
>> --
>> --
>> =========================
>> Carlos M. Martinez-Cagnazzo
>> http://cagnazzo.me
>> =========================
> 
> 
> 
> -- 
> --
> =========================
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.me
> =========================
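The sequence Carlos describes (servers refusing connections, then RPs seeing a new RRDP session and "taking it from there") is the relying-party behaviour specified in RFC 8182 section 3.4.3. The block below is an added example and is not code from LACNIC, NLnet Labs, Krill or any relying-party software: it parses an RRDP notification file and decides whether the RP is current, can apply deltas, or must discard its cached state and fetch the full snapshot. The function names, session ids, URIs and hash values are constructed for the illustration.

```python
"""Decide how an RPKI relying party reacts to an RRDP notification file.

Added illustration of the RFC 8182 section 3.4.3 relying-party rules.
Not code from LACNIC, NLnet Labs or any RP; all names and sample
documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"


def parse_notification(xml_text):
    """Return (session_id, serial, snapshot_uri, {delta_serial: delta_uri})
    from a notification file (RFC 8182 section 3.5.1)."""
    root = ET.fromstring(xml_text)
    if root.tag != RRDP_NS + "notification":
        raise ValueError("not an RRDP notification document: %s" % root.tag)
    if root.get("version") != "1":
        raise ValueError("unsupported RRDP version %r" % root.get("version"))
    snapshot = root.find(RRDP_NS + "snapshot")
    if snapshot is None:
        raise ValueError("notification has no snapshot element")
    deltas = {int(d.get("serial")): d.get("uri")
              for d in root.findall(RRDP_NS + "delta")}
    return root.get("session_id"), int(root.get("serial")), snapshot.get("uri"), deltas


def plan_update(cached_session, cached_serial, xml_text):
    """Return ("up-to-date", []), ("deltas", [uri, ...]) or ("snapshot", [uri]).

    A changed session_id (what RPs saw at the LACNIC switch-over), a serial
    that went backwards, or a gap in the advertised deltas all force a full
    snapshot fetch, which is why clearing the local cache is a safe recovery.
    """
    session_id, serial, snapshot_uri, deltas = parse_notification(xml_text)
    if cached_session is None or session_id != cached_session:
        return "snapshot", [snapshot_uri]   # new session: cached state is discarded
    if serial == cached_serial:
        return "up-to-date", []
    if serial < cached_serial:
        return "snapshot", [snapshot_uri]   # serial moved backwards: resync fully
    needed = range(cached_serial + 1, serial + 1)
    if any(s not in deltas for s in needed):
        return "snapshot", [snapshot_uri]   # a needed delta is no longer listed
    return "deltas", [deltas[s] for s in needed]


# Constructed sample data (session ids, URIs and hashes are dummy values).
SESSION_A = "a1b2c3d4-0000-4000-8000-000000000001"
SESSION_B = "a1b2c3d4-0000-4000-8000-000000000002"
DUMMY_HASH = "ab" * 32

SESSION_A_NOTIFICATION = f"""
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
              session_id="{SESSION_A}" serial="5">
  <snapshot uri="https://rrdp.example.net/a/5/snapshot.xml" hash="{DUMMY_HASH}"/>
  <delta serial="4" uri="https://rrdp.example.net/a/4/delta.xml" hash="{DUMMY_HASH}"/>
  <delta serial="5" uri="https://rrdp.example.net/a/5/delta.xml" hash="{DUMMY_HASH}"/>
</notification>
"""

# What a freshly started repository publishes: a new session at serial 1.
SESSION_B_NOTIFICATION = f"""
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
              session_id="{SESSION_B}" serial="1">
  <snapshot uri="https://rrdp.example.net/b/1/snapshot.xml" hash="{DUMMY_HASH}"/>
  <delta serial="1" uri="https://rrdp.example.net/b/1/delta.xml" hash="{DUMMY_HASH}"/>
</notification>
"""

if __name__ == "__main__":
    # An RP that was at serial 3 of session A polls the old repository ...
    print(plan_update(SESSION_A, 3, SESSION_A_NOTIFICATION))
    # ... and then, after the switch-over, sees the new session.
    print(plan_update(SESSION_A, 5, SESSION_B_NOTIFICATION))
```

The decision is made on the notification file alone; fetching the snapshot or deltas and verifying their hashes happens after this step. The session-id branch is the one exercised by the migration: regardless of how far ahead the RP's cached serial was, a new session id means the cache is dropped and the snapshot is fetched, so an RP that is somehow stuck recovers by starting from an empty cache.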


