Cloudflare OCTO RPKI Validator - LACNIC CAs issues

Colin McIntosh nanog at colinmcintosh.com
Fri Apr 23 00:31:49 UTC 2021


> Does anybody else have problems with Cloudflare's RPKI Validator with
> prefixes from LACNIC?

We (Netflix) briefly saw Cloudflare's public instance of OctoRPKI missing
some ~13,000 ROAs on 2021-03-24 at ~12:30pm PT while our internal instance
of OctoRPKI had a complete list. Upon comparing the two lists Cloudflare's
instance seemed to be missing ROAs from only LACNIC so I'm thinking we saw
the same issue that you did.

I haven't had a chance to really look into it and AFAIK we haven't noticed
the issue since but my guess for what's happening is that OctoRPKI hits an
error while downloading the ROAs from LACNIC but then continues to collect
ROAs from the other RIRs resulting in an incomplete list. This seems to be
the case from a quick glance at the code:

https://github.com/cloudflare/cfrpki/blob/master/cmd/octorpki/octorpki.go#L544-L568

This could probably be changed to instead break out of that loop and
propagate the error up to the main loop to let it continue without building
an incomplete ROA list, but that's just a quick guess... it's possible that
it's built this way for a reason or there may be a better way to handle
that failure mode.

-Colin
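The failure mode Colin describes, as an added illustration that is not cfrpki's code and not part of the original post: a collection loop that logs a per-source fetch error and keeps going returns a silently incomplete ROA set, whereas propagating the error lets the caller keep serving its last complete set. The `Fetcher` interface, the `staticFetcher` test double, the RIR names and the ROA counts below are all constructed for the example; the consumer-side `publishGuard` is a hypothetical sanity check modelled on the manual list comparison mentioned above. The security relevance is that a missing ROA does not make a route Invalid, it makes it NotFound, which most operators accept, so hijacks of prefixes from the dropped RIR would no longer be rejected.

```go
package main

import (
	"errors"
	"fmt"
)

// ROA is a minimal stand-in for a validated ROA record (constructed for this example).
type ROA struct {
	ASN    uint32
	Prefix string
	MaxLen uint8
}

// Fetcher stands in for a per-RIR (per-TAL) fetch of validated ROAs (hypothetical interface).
type Fetcher interface {
	Name() string
	Fetch() ([]ROA, error)
}

// staticFetcher returns a fixed ROA set, or an error when fail is set (constructed test double).
type staticFetcher struct {
	name string
	roas []ROA
	fail bool
}

func (s staticFetcher) Name() string { return s.name }
func (s staticFetcher) Fetch() ([]ROA, error) {
	if s.fail {
		return nil, fmt.Errorf("%s: fetch failed (simulated)", s.name)
	}
	return s.roas, nil
}

// sampleSources builds three constructed sources with 2 + 2 + 3 ROAs; the third can be made to fail.
func sampleSources(lacnicFails bool) []Fetcher {
	return []Fetcher{
		staticFetcher{name: "ARIN", roas: []ROA{{64496, "192.0.2.0/24", 24}, {64496, "198.51.100.0/24", 24}}},
		staticFetcher{name: "RIPE", roas: []ROA{{64497, "203.0.113.0/24", 24}, {64497, "2001:db8::/32", 48}}},
		staticFetcher{name: "LACNIC", roas: []ROA{{64498, "192.0.2.0/25", 25}, {64498, "198.51.100.128/25", 25}, {64498, "2001:db8:1::/48", 48}}, fail: lacnicFails},
	}
}

// collectLenient mirrors the failure mode described in the post: an error from one
// source is only logged and the loop continues, so the result silently omits that source.
func collectLenient(sources []Fetcher) []ROA {
	var out []ROA
	for _, src := range sources {
		roas, err := src.Fetch()
		if err != nil {
			fmt.Println("warning:", err) // logged, but the partial list is still returned
			continue
		}
		out = append(out, roas...)
	}
	return out
}

// ErrIncomplete marks a collection run that must not be published.
var ErrIncomplete = errors.New("ROA list incomplete")

// collectStrict propagates the first fetch error and returns no list at all, so the
// caller keeps serving its previous complete list instead of a partial one.
func collectStrict(sources []Fetcher) ([]ROA, error) {
	var out []ROA
	for _, src := range sources {
		roas, err := src.Fetch()
		if err != nil {
			return nil, fmt.Errorf("%w: %v", ErrIncomplete, err)
		}
		out = append(out, roas...)
	}
	return out, nil
}

// publishGuard is a consumer-side check: refuse to replace the current list when the
// candidate shrank by more than maxDropFraction relative to it. Returns the list to serve
// and whether the candidate was accepted.
func publishGuard(current, candidate []ROA, maxDropFraction float64) ([]ROA, bool) {
	if len(current) > 0 {
		drop := 1 - float64(len(candidate))/float64(len(current))
		if drop > maxDropFraction {
			return current, false
		}
	}
	return candidate, true
}

func main() {
	good, _ := collectStrict(sampleSources(false))
	partial := collectLenient(sampleSources(true))
	fmt.Printf("lenient run with LACNIC failing: %d of %d ROAs\n", len(partial), len(good))
	if _, err := collectStrict(sampleSources(true)); err != nil {
		fmt.Println("strict run refused to publish:", err)
	}
	served, accepted := publishGuard(good, partial, 0.10)
	fmt.Printf("guard accepted candidate: %v, serving %d ROAs\n", accepted, len(served))
}
```

The guard threshold is a judgement call: a 10% drop between consecutive runs is far above normal ROA churn, but a validator feeding routers should also alarm on the rejection rather than only keep the old set, since a stale list has its own expiry problem.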