[RPKI] transcient differences between rpki-client and routinator

Job Snijders job at ntt.net
Tue Dec 10 16:21:52 UTC 2019

On Tue, Dec 10, 2019 at 10:07:28AM -0500, Jay Borkenhagen wrote:
> Tim Bruijnzeels writes:
>  > > I thought Martin said "Change Routinator first, start SIDROPS
>  > > discussion later."  I was just arguing for "Start SIDROPS discussion,
>  > > hope for speedy consensus, and then depending on the outcome possibly
>  > > change Routinator."
>  > 
>  > Oh right, I misunderstood then.
>  > 
>  > But I do not have high hopes of quick consensus, and even if then
>  > it would take time for RP software to be updated.
>  > 
>  > Updating routinator first is probably the quickest path to
>  > consistency.
> I want consistency, too, but among Routinator, rpki-validator-3, and
> rpki-client at least, and possibly other currently-supported RP
> implementations, too.  Maybe there will be an impasse in SIDROPS and
> that consistency will not be achievable, but I think we should see
> first. 

It might be worthwhile to provide SIDROPS with a summary of our
observations on transient issues, and a summary of how we resolved
things in the validator space - ultimately the very phenomenon we are
observing is due to a synchronicity issue on the RIR level - and I do
believe that the validators don't need to be 'forgiving' to such issues.

The issues appears to resolve themselves in a matter of hours, so
applying 'stricter' validation doesn't ultimately impact the
implications to production networks, because eventually the ROAs do
become valid for transformation into VRPs anyhow.

I think we've now exposing a bug or inefficiency on the RIR publication
side of the house, and I believe the root cause must be addressed there.

Kind regards,


More information about the RPKI mailing list