Re: afrinic rpki issue

[Cedrick Adrien Mbeyet <cmbeyet () gmail com>]

Hi Carlos,
We currently have a degradation on our RPKI services. We had to disable the
RRDP service request so it can fall back to RSYNC in the meantime that the
team works on ways to optimize the availability of the service. However,
this was prior to 1st of June. We will still investigate just to be on the
safe side though so far everything looks good on our side.
For reference of the mentioned degradation, you can check the below link
https://status.afrinic.net/notices/dkpzrtgqzftlclyg-rrdp-service-degradation
Best regards,

==============================
Cedrick Adrien MBEYET
Ebene Cybercity, Mauritius
+230 5851 7674

+++ Never give up, Keep moving forward +++


On Wed, Jun 14, 2023 at 5:15 PM Carlos Friaças <cfriacas () fccn pt> wrote:

> Hi All,
>
> Did this issue resurface some days ago...?
> I had nearly 6000 ROAs on June 1st.
> That went to ZERO on June 2nd.
>
> I'm using routinator. Should i have changed something in my config to
> accomodate for some change?
>
> Best Regards,
> Carlos
>
>
>
> On Sun, 20 Nov 2022, Cedrick Adrien Mbeyet wrote:
>
> > Hi Job,
> >
> > Thank you for this good analysis and for sharing your findings.
> > The issue has since been fixed and the team will publish a post-mortem
> accordingly once we are done with making sure the issue will not
> > reappear.
> > Your recommendation is well noted and I cc my colleague so that they can
> take that into consideration in our improvement roadmap.
> > Best regards,
> >
> > ==============================
> > Cedrick Adrien MBEYET
> > Ebene Cybercity, Mauritius
> > +230 5851 7674
> >
> > +++ Never give up, Keep moving forward +++
> >
> >
> > On Sun, Nov 20, 2022 at 3:49 PM Job Snijders via NANOG <nanog () nanog org>
> wrote:
> >       Hi all,
> >
> >       It appears PacketVis correctly identified an issue.
> >
> >       AFRINIC's self-signed root AfriNIC.cer [1] points via its SIA to
> >       'afrinic-ca.cer' [2] which in turn references a RPKI Manifest named
> >       'K1eJenypZMPIt_e92qek2jSpj4A.mft'.
> >
> >       The K1eJenypZMPIt_e92qek2jSpj4A Manifest lists 499 Certificate
> >       Authorities. This Manifest represents the demarcation point between
> >       "Afrinic as root CA operator" and "Afrinic hosting rpki on behalf
> of its
> >       members". In other words; this is an important top-level Manifest
> in the
> >       critical path towards the ROAs of the Afrinic members.
> >
> >       There was a ~ 7 hour gap in the validity window of this Manifest
> and its
> >       companion CRL (from 20221120T000311Z until 20221120T071514Z). The
> >       serials 1E19 and 1E1A (respectively 12B2 and 12B3) are successive.
> rpki.afrinic.net/repository/afrinic/K1eJenypZMPIt_e92qek2jSpj4A.crl
> >           CRL Serial Number:        1E19
> >           CRL valid since:          Nov 18 00:03:11 2022 GMT
> >           CRL valid until:          Nov 20 00:03:11 2022 GMT
> >
> >           CRL Serial Number:        1E1A
> >           CRL valid since:          Nov 20 07:15:12 2022 GMT
> >           CRL valid until:          Nov 22 07:15:12 2022 GMT
> rpki.afrinic.net/repository/afrinic/K1eJenypZMPIt_e92qek2jSpj4A.mft
> >           Manifest Number:          12B2
> >           Manifest valid since:     Nov 18 00:03:13 2022 GMT
> >           Manifest valid until:     Nov 20 00:03:13 2022 GMT
> >
> >           Manifest Number:          12B3
> >           Manifest valid since:     Nov 20 07:15:14 2022 GMT
> >           Manifest valid until:     Nov 22 07:15:14 2022 GMT
> >
> >       (The above can be reconstructed using archives from
> http://www.rpkiviews.org)
> >       The rcynic validator hosted at Afrinic also noticed a gap in
> objects:
> >
> https://validator.afrinic.net/rpki/rcynic/rpki.afrinic.net_week_svg.html
> >       A possible recommendation might be to increase the validity window
> of
> >       these two objects from a sliding 48-hour window to a 1 or 2 week
> window.
> >       This way any stalling in the issuance process wouldn't case
> operational
> >       issues on the weekend.
> >
> >       Kind regards,
> >
> >       Job
> >
> >       [1]: SKI
> EB:68:0F:38:F5:D6:C7:1B:B4:B1:06:B8:BD:06:58:50:12:DA:31:B6
> >       [2]: SKI
> 2B:57:89:7A:7C:A9:64:C3:C8:B7:F7:BD:DA:A7:A4:DA:34:A9:8F:80
> >       On Sat, Nov 19, 2022 at 08:36:23PM -0800, Randy Bush wrote:
> >       > From: PacketVis <notifications () packetvis com>
> >       > Date: Sun, 20 Nov 2022 04:30:44 +0000
> >       >
> >       > Possible TA malfunction or incomplete VRP file: 73.95% of the
> ROAs disappeared from afrinic
> >       >
> >       > See more details about the event:
> >       >
> https://packetvis.com/#/bgp/event/905ec8b7d37e89a2d7b547bca99fd57e-372b0bf3-9056-407e-9e8d-e986567155fc/4f309cb51ba9314fafa64da53d007e342fac
> >       a613