[RPKI] transient differences between rpki-client and routinator
Martin Hoffmann
martin at nlnetlabs.nl
Mon Dec 9 11:06:53 UTC 2019
Hi Job!
Job Snijders wrote:
>
> The rsync data was fetched around Thu 05 Dec 2019 13:30:12 UTC
> rpki-client (first) and routinator (second) were done at Thu 05 Dec
> 2019 13:34:54 UTC
[...]
>
> a snapshot of the data of that run is available here
> http://instituut.net/~job/rpki-repository.6E17IG9pm.tar.gz
The snapshot seems to be from around 2019-12-05 22:30 UTC. There still
is a failure to decode one AFRINIC manifest but that doesn’t seem to be
time related. Seems to be a ROA for AS0 on, among other things,
196.10.140.0/24, if I translated the BIT STRING correctly.
> the script that runs tools one after the other and compares the output
> is available here:
> https://gist.github.com/job/ea11fc59b2411e042eaad1c1b0213c74
>
> Now, what is very curious to me is that based on the same data input,
> rpki-client and routinator don't /always/ produce the same output. I'd
> say that it seems that 80% of the time they have the same output, and
> 20% of the time there are minute differences such as below:
>
> hanna:~ job$ diff rpki-repository.6E17IG9pm/export-routinator.cvs rpki-repository.6E17IG9pm/export-rpki-client.cvs
> 34792d34791
> < AS207036,200.1.154.0/24,24,lacnic
>
> Does any one have an idea what can explain these differences? Is there
> perhaps some timestamp difference in an intermediate certificate where
> routinator decides that the ROA for 200.1.154.0/24 is not valid, or is
> there some check that rpki-client is maybe skipping over? What made
> '200.1.154.0/24,24,AS207036' valid in the eyes of rpki-client, but not
> in the eyes of routinator?
Isn’t it the other way around? At least I thought the "<" points to the
side where the line actually is?
In any case, Routinator does accept it:
| m@glaurung:/tmp/foo$ faketime "2019-12-05 23:30" \
| > routinator --disable-rrdp -t ~/.rpki-cache/newtals/ -r /tmp/foo/ \
| > vrps -nf csv | grep 200.1.154.0
| AS207036,200.1.154.0/24,24,lacnic
Kind regards,
Martin
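
An added example, not part of the message above or of either tool's code: a set-based comparison of two VRP exports that names the side each entry belongs to, so the result does not depend on reading diff's "<" and ">" markers or on output order. It assumes the four-column ASN,prefix,maxlen,TA layout seen in the output above, ignores the trust-anchor column, and uses constructed sample data apart from the one line quoted from the thread.

```python
import csv
import io
import ipaddress


def parse_vrps(text):
    """Return a set of (asn, network, maxlen) tuples from VRP CSV text."""
    vrps = set()
    for row in csv.reader(io.StringIO(text)):
        try:
            asn_field = row[0].strip().upper()
            if not asn_field.startswith("AS"):
                continue
            asn = int(asn_field[2:])
            net = ipaddress.ip_network(row[1].strip())
            vrps.add((asn, net, int(row[2])))
        except (ValueError, IndexError):
            continue  # header line, blank line or malformed row
    return vrps


def compare_vrps(first, second, first_name, second_name):
    """Map each tool name to the VRPs that only that tool produced."""
    a, b = parse_vrps(first), parse_vrps(second)

    def fmt(vrps):
        # Sort by IP version first so IPv4 and IPv6 networks are never compared.
        ordered = sorted(vrps, key=lambda v: (v[1].version, v[1], v[2], v[0]))
        return [f"AS{asn},{net},{maxlen}" for asn, net, maxlen in ordered]

    return {first_name: fmt(a - b), second_name: fmt(b - a)}


# Constructed sample exports; only the AS207036 line comes from the thread.
ROUTINATOR_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,constructed
AS207036,200.1.154.0/24,24,lacnic
AS64497,2001:db8::/32,48,constructed
"""
# Different row order and no header: a line diff would report noise here.
RPKI_CLIENT_CSV = """AS64497,2001:db8::/32,48,constructed
AS64496,192.0.2.0/24,24,constructed
"""

if __name__ == "__main__":
    result = compare_vrps(ROUTINATOR_CSV, RPKI_CLIENT_CSV,
                          "routinator", "rpki-client")
    for tool, only in result.items():
        print(f"only in {tool}: {only}")
```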