[RPKI] transcient differences between rpki-client and routinator

Job Snijders job at ntt.net
Mon Dec 9 12:42:23 UTC 2019

On Mon, 9 Dec 2019 at 12:07, Martin Hoffmann <martin at nlnetlabs.nl> wrote:

> > Now, what is very curious to me is that based on the same data input,
> > rpki-client and routinator don't /always/ produce the same output. I'd
> > say that it seems that 80% of the time they have the same output, and
> > 20% of the time there are minute differences such as below:
> >
> >     hanna:~ job$ diff rpki-repository.6E17IG9pm/export-routinator.cvs
> > rpki-repository.6E17IG9pm/export-rpki-client.cvs 34792d34791
> >     < AS207036,,24,lacnic
> >
> > Does any one have an idea what can explain these differences? Is there
> > perhaps some timestamp difference in an intermediate certificate where
> > routinator decides that the ROA for is not valid, or is
> > there some check that rpki-client is maybe skipping over? What made
> > ',24,AS207036' valid in the eyes of rpki-client, but not
> > in the eyes of routinator?
> Isn’t it the other way around? At least I thought the "<" points to the
> side where the line actually is?

Yes, routinator has produced a VRP for - while rpki-client
did not produce a VRP covering that prefix. The “<“ means that the line is
present in the routinator output, but not the rpki-client output.

In any case, Routinator does accept it:
> | m at glaurung:/tmp/foo$ faketime "2019-12-05 23:30" \
> | > routinator --disable-rrdp -t ~/.rpki-cache/newtals/ -r /tmp/foo/ \
> | > vrps -nf csv | grep
> | AS207036,,24,lacnic

Yeah - see Claudio’s email. It appears that there is a difference in the
validation process between routinator and rpki-client, we need to
understand what the correct (and safe) way of handling this particular
input data is.

Kind regards,


Ps. I wasn’t aware of “faketime” as a utility! Thanks - that is very useful
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/rpki/attachments/20191209/621d73a7/attachment.htm>

More information about the RPKI mailing list