[RPKI] transcient differences between rpki-client and routinator
job at ntt.net
Mon Dec 9 12:42:23 UTC 2019
On Mon, 9 Dec 2019 at 12:07, Martin Hoffmann <martin at nlnetlabs.nl> wrote:
> > Now, what is very curious to me is that based on the same data input,
> > rpki-client and routinator don't /always/ produce the same output. I'd
> > say that it seems that 80% of the time they have the same output, and
> > 20% of the time there are minute differences such as below:
> > hanna:~ job$ diff rpki-repository.6E17IG9pm/export-routinator.cvs
> > rpki-repository.6E17IG9pm/export-rpki-client.cvs 34792d34791
> > < AS207036,188.8.131.52/24,24,lacnic
> > Does any one have an idea what can explain these differences? Is there
> > perhaps some timestamp difference in an intermediate certificate where
> > routinator decides that the ROA for 184.108.40.206/24 is not valid, or is
> > there some check that rpki-client is maybe skipping over? What made
> > '220.127.116.11/24,24,AS207036' valid in the eyes of rpki-client, but not
> > in the eyes of routinator?
> Isn’t it the other way around? At least I thought the "<" points to the
> side where the line actually is?
Yes, routinator has produced a VRP for 18.104.22.168/24 - while rpki-client
did not produce a VRP covering that prefix. The “<“ means that the line is
present in the routinator output, but not the rpki-client output.
In any case, Routinator does accept it:
> | m at glaurung:/tmp/foo$ faketime "2019-12-05 23:30" \
> | > routinator --disable-rrdp -t ~/.rpki-cache/newtals/ -r /tmp/foo/ \
> | > vrps -nf csv | grep 22.214.171.124
> | AS207036,126.96.36.199/24,24,lacnic
Yeah - see Claudio’s email. It appears that there is a difference in the
validation process between routinator and rpki-client, we need to
understand what the correct (and safe) way of handling this particular
input data is.
Ps. I wasn’t aware of “faketime” as a utility! Thanks - that is very useful
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the RPKI