nanog mailing list archives
RE: Cloudflare OCTO RPKI Validator - LACNIC CAs issues
From: Colin McIntosh <nanog () colinmcintosh com>
Date: Thu, 22 Apr 2021 17:31:49 -0700
Does anybody else have problems with Cloudflare's RPKI Validator with prefixes from LACNIC?

We (Netflix) briefly saw Cloudflare's public instance of OctoRPKI missing some ~13,000 ROAs on 2021-03-24 at ~12:30pm PT while our internal instance of OctoRPKI had a complete list. Upon comparing the two lists Cloudflare's instance seemed to be missing ROAs from only LACNIC, so I'm thinking we saw the same issue that you did.

I haven't had a chance to really look into it and AFAIK we haven't noticed the issue since, but my guess for what's happening is that OctoRPKI hits an error while downloading the ROAs from LACNIC but then continues to collect ROAs from the other RIRs, resulting in an incomplete list. This seems to be the case from a quick glance at the code: https://github.com/cloudflare/cfrpki/blob/master/cmd/octorpki/octorpki.go#L544-L568

This could probably be changed to instead break out of that loop and propagate the error up to the main loop to let it continue without building an incomplete ROA list, but that's just a quick guess... it's possible that it's built this way for a reason or there may be a better way to handle that failure mode.

-Colin