nanog mailing list archives

Re: plea for comcast/sprint handoff debug help


From: Alex Band <alex () nlnetlabs nl>
Date: Fri, 30 Oct 2020 12:47:44 +0100


On 30 Oct 2020, at 01:10, Randy Bush <randy () psg com> wrote:

> i'll see your blog post and raise you a peer reviewed academic paper and
> two rfcs :)

For the readers wondering what is going on here: there is a reason there is only a vague mention of two RFCs instead of
the specific paragraph where it says that Relying Party software must fall back to rsync immediately if RRDP is
temporarily unavailable. That is because this section doesn't exist. The point is that there is no bug and in fact,
Routinator has a carefully thought out strategy to deal with transient outages. Moreover, we argue that our strategy is
the better choice, both operationally and from a security standpoint.

The paper shows that Routinator is the most used RPKI relying party software, and we know many of you here rely on it 
for route origin validation in a production environment. We take this responsibility and therefore this matter very 
seriously, and would not want you to think we have been careless in our software design. Quite the opposite.

We have made several attempts within the IETF to have a discussion on technical merit, where aspects such as
overwhelming an rsync server with traffic, or using aggressive fallback to rsync as an entry point to a downgrade
attack have been brought forward. Our hope was that our arguments would be considered on technical merit, but that has
not happened yet. Be that as it may, operators can rest assured that if consensus goes against our logic, we will change
our design.

> perhaps go over to your unbound siblings and discuss this analog.

The mention of the Unbound DNS resolver in this context is interesting, because we have in fact discussed our strategy with
the developers on this team, as there is a lot to be learned from other standards and operational experiences.

We feel very strongly about this matter because the claim that using our software negatively affects Internet routing 
robustness strikes at the core of NLnet Labs’ existence: our reputation and our mission to work for the good of the 
Internet. They are the core values that make it possible for a not-for-profit foundation like ours to make free, 
liberally licensed open source software. 

We’re proud of what we’ve been able to achieve and look forward to a continued open discussion with the community.

Respectfully,

Alex
