[RPKI] Krill not publishing ROAs for RIPE prefixes

Tim Bruijnzeels tim at nlnetlabs.nl
Fri Jul 9 10:07:03 UTC 2021


Hi Christopher, and list,


Thank you for reporting this issue. 

I have done quite a bit of additional testing myself and I have found a number of issues which can affect users in case the parent CA removes resource entitlements, or if the user decides to remove and re-add a parent. Both these scenarios happen fairly rarely so these issues were not so visible. In any case I plan to fix all of the following in the coming 0.9.1 release.

Christopher, see the work-around under issue #601 below. You probably need to make an extra temporary ROA to trigger republication of the ROA objects after re-adding the RIPE NCC parent.

The following issues are related to *reporting* the status of parents. They do not impact the actual interaction with a parent but make things hard to debug:

#598 Parent statuses reports wrong URI

     The initial URI is correct, but on re-syncs it gets overwritten
     by the repo URI.

#599 Parent statuses does not remove parent

     If a parent is removed, then the status entry for it should
     also be removed.

#600 Parent statuses does not reflect added parent properly

     Even though a new certificate is requested and received within
     seconds the status still reflects 'success' and 'no resources'
     until a later re-sync happens.


The following issues are related to losing resources or a parent, and re-adding a parent:

#601 Parent addition should trigger ROA re-issuance

     This affects users who created ROA (configs) under a parent, then
     remove the parent, and add it again. Note that this issue does not
     happen when resources under an existing parent change.

     Temporary work-around: create an additional ROA and then remove it.
     This triggers republication of all ROAs.


#602 ROA configurations for lost resources should be recognisable

     When resources are lost Krill keeps the actual ROA config entries.
     This is by design, as the resources might come back.

     However, it is not visible to users that ROA *configs* for resources
     no longer held have no corresponding ROA *objects*.
Kind regards,

Tim
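A check for the gap described under #602, added here as an example and not part of Krill or this thread: it parses the plain-text `krillc parents statuses` output (format as quoted further down in the thread; a real script would use `--format json`) and lists the ROA configurations whose prefix is not covered by any prefix held on a received certificate. The sample status text and the ROA configs, including the unheld 192.0.2.0/24, are constructed.

```python
import re
import ipaddress

# Matches the "asn: ..., v4: ..., v6: ..." summary that krillc prints on the
# "Resource Entitlements:" and "resources:" lines (format as quoted in the thread).
_RESOURCES = re.compile(r"asn:(?P<asn>.*?)v4:(?P<v4>.*?)v6:(?P<v6>.*)$")

def held_prefixes(statuses_text):
    """Collect every prefix on a 'resources:' line of the received
    certificate(s) in plain-text `krillc parents statuses` output."""
    held = set()
    for line in statuses_text.splitlines():
        m = _RESOURCES.search(line)
        if not line.strip().startswith("resources:") or not m:
            continue
        for part in (m["v4"] + "," + m["v6"]).split(","):
            if part.strip():
                held.add(ipaddress.ip_network(part.strip(), strict=False))
    return held

def is_covered(prefix, held):
    """True if some held prefix of the same address family contains prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == h.version and net.subnet_of(h) for h in held)

def stale_roa_configs(statuses_text, roa_configs):
    """ROA configs (asn, prefix) with no held prefix covering them: Krill keeps
    the config (the resource may come back) but cannot sign a ROA object."""
    held = held_prefixes(statuses_text)
    return [cfg for cfg in roa_configs if not is_covered(cfg[1], held)]

# Constructed sample: the certificate from the thread once RIPE NCC restored the
# entitlements, and ROA configs for a held prefix, a more specific of one,
# a held v6 prefix, and 192.0.2.0/24 (constructed, not held by this CA).
SAMPLE_STATUS = """\
Parent: RIPE-FRC
Status: success
Resource Entitlements: asn: AS59893, AS211591, v4: 45.148.76.0/22, v6: 2a0f:9400::/29
  received certificate(s):
    resources:    asn: AS59893, AS211591, v4: 45.148.76.0/22, v6: 2a0f:9400::/29
"""
SAMPLE_ROAS = [("AS59893", "45.148.76.0/22"), ("AS211591", "45.148.78.0/23"),
               ("AS59893", "2a0f:9400::/29"), ("AS59893", "192.0.2.0/24")]

if __name__ == "__main__":
    for asn, prefix in stale_roa_configs(SAMPLE_STATUS, SAMPLE_ROAS):
        print(f"{asn} {prefix}: not covered by any held prefix, no ROA object exists")
```

When a parent reports empty entitlements, as in the second status output quoted below, no `resources:` line is present and every ROA config is reported as stale.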
> On 8 Jul 2021, at 23:28, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> I opened a ticket with RIPE to be on the safe side, however, now Krill is correctly reporting the entitlements, wonder if I just didn't wait long enough after restarting it.  here's the output from the CLI I am seeing now:
> 
> Parent: RIPE-FRC
> URI: https://localhost:3000/rfc8181/FRC-CA/
> Status: success
> Last contacted: 2021-07-08T21:20:07+00:00
> Next contact on or before: 2021-07-08T21:30:07+00:00
> Resource Entitlements: asn: AS59893, AS211591, v4: 45.148.76.0/22, v6: 2a0f:9400::/29
>   resource class: DEFAULT
>   issuing cert uri: rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer
>   received certificate(s):
>     published at: rsync://rpki.ripe.net/repository/DEFAULT/fqUxbb2sAc0F0OqgWonATaPnOY8.cer
>     resources:    asn: AS59893, AS211591, v4: 45.148.76.0/22, v6: 2a0f:9400::/29
>     cert PEM:
> 
> -----BEGIN CERTIFICATE-----
> 
> ...
> 
> -----END CERTIFICATE-----
> 
> On 08/07/2021 14:23, Tim Bruijnzeels via RPKI wrote:
>> Right, so this indicates from Krill’s perspective that the dialogue is working but it gets an authoritative response saying it can’t have resources. I think you should talk to the RIPE NCC then. It appears that this is not a technical issue with Krill, but I hope you will get it resolved soon of course. And if you or the RIPE NCC do suspect there still is an issue in Krill please let me know.
>> 
>> 
>> 
>> Tim
>> 
>> 
>> On 2021-07-08 23:09, Christopher Munz-Michielin via RPKI wrote:
>> 
>>> And here is the CLI output:
>>> 
>>> Parent: RIPE-FRC
>>> URI: http://lirportal.ripe.net/certification/updown
>>> Status: success
>>> Last contacted: 2021-07-08T21:03:07+00:00
>>> Next contact on or before: 2021-07-08T21:13:07+00:00
>>> Resource Entitlements: asn: , v4: , v6:
>>>   resource class: DEFAULT
>>>   issuing cert uri: rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer
>>>   received certificate(s):
>>> 
>>> Which is interesting because it does appear that RIPE is no longer issuing any of our entitlements.
>>> 
>>> 
>>> 
>>> On 08/07/2021 13:42, Christopher Munz-Michielin via RPKI wrote:
>>>> Hi Tim,
>>>> 
>>>> Thanks for the reply.  I have confirmed that the entitlements displayed in the UI are the same as before the issue, specifically:
>>>> 
>>>> ASN: AS59893, AS211591
>>>> IPv4: 45.148.76.0/22
>>>> IPv6: 2a0f:9400::/29
>>>> 
>>>> 
>>>> I'll try and get the CLI output as well.
>>>> 
>>>> Chris
>>>> 
>>>> On 08/07/2021 13:34, Tim Bruijnzeels wrote:
>>>>> Hi Christopher,
>>>>> 
>>>>> This is strange indeed. It sounds a bit like your resource entitlements under RIPE NCC may have changed.
>>>>> 
>>>>> Going with that assumption:
>>>>> 
>>>>> Krill will only allow you to create ROAs for prefixes that you hold on a certificate (or any certificate under any parent if you have multiple). However if you lose the resource on your certificate then it can no longer create the signed ROA objects. What is confusing - and I should prioritise this higher I now realise - is that the UI and API will list your previously configured "Authorisations" still. These are not actual ROAs but your intent to create ROAs if you see what I mean. If you get back the resources then the ROA objects will be re-created automatically. What is missing from the UI though is a clear indication which "Authorisation" configs would be for space you no longer hold on your certificates.
>>>>> 
>>>>> Can you check the status and resources under each parent?
>>>>> 
>>>>> You can look at the 'parents' tab in the UI, but if you have access to the CLI then please run:
>>>>> 
>>>>> krillc parents statuses --ca <your-ca>
>>>>> 
>>>>> This gives a little more info than the UI I think. You can also run this command with --format json to get even more info.
>>>>> 
>>>>> If you prefer you can share your results with rpki-team at nlnetlabs.nl instead of this list - of course we would be more than happy to report back when we get further.
>>>>> 
>>>>> 
>>>>> Kind regards,
>>>>> 
>>>>> Tim, on behalf of the NLnet Labs RPKI Team
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 8 Jul 2021, at 21:05, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>>>>>> 
>>>>>> Hi All,
>>>>>> 
>>>>>> Got a weird issue with Krill and publishing RIPE ROAs. Background: we have been running Krill with 1 RIPE, 2 ARIN and 1 APNIC parents for the better part of a year without issue, but yesterday we started receiving reports that all our RIPE ROAs had been dropped; indeed, when I look at https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frsync%2Frpki.ripe.net%2Frepository%2FDEFAULT%2F3JsPwPrhyzvSi50Bqvw1Y_2pUdo.cer this does appear to be the case.
>>>>>> 
>>>>>> I have verified all the ROAs exist via the Krill API as well as in the GUI.  So far I have tried restarting Krill, deleting and re-adding some ROAs, as well as deleting the delegation from RIPE and re-creating it, all to no avail.  I'm at the point where I'm getting ready to blow the whole setup away and rebuild from scratch, but figured I would reach out here first to see if anyone has a suggestion to recover from this weird situation.
>>>>>> 
>>>>>> Version of Krill is 0.8.2 on Ubuntu 20.04 installed from the package manager.  No other RIRs seem to be affected by this.
>>>>>> 
>>>>>> -- 
>>>>>> RPKI mailing list
>>>>>> 
>>>>>> RPKI at lists.nlnetlabs.nl
>>>>>> https://lists.nlnetlabs.nl/mailman/listinfo/rpki