[afnog] RPKI

Saul saul at enetworks.co.za
Tue Jul 28 09:09:19 UTC 2015

Hi Mark, 



On further investigation, it appears that the old ROA engine is/was "off
the air" (I say was; at the time of writing this email, it appears back -
I have been in contact with Afrinic, but am waiting to hear anything)


The challenge that I am finding is that there seems to be no way to verify
in real time.


Using http://validator.afrinic.net:8080/trust-anchors, I have revoked an
offending prefix, yet despite the update timer saying it
was updated 5 minutes ago (10:50) and I revoked the certificate at 10:16,
it still shows as active.


The prefix has one originating AS in the old engine and another in the new
engine (I am migrating networks)


Another prefix which had a ROA in the old engine, when
querying at BGPmon, shows no ROA - same for all my other prefixes in the old

[saul at linux1 ~]$ whois -h whois.bgpmon.net " --roa 32653"

[Querying whois.bgpmon.net]



That said, a few hours later and I am now, correctly getting:

[saul at linux1 ~]$ whois -h whois.bgpmon.net " --roa 32653"

[Querying whois.bgpmon.net]


0 - Valid


ROA Details


Origin ASN:       AS32653

Not valid Before: 2014-02-06 13:27:59

Not valid After:  2018-02-01 13:27:59  Expires in

Trust Anchor:     rpki.afrinic.net

Prefixes: (max length /23)


Maybe BGPmon had an issue... (with us and others)

So my question is more how to get accurate realtime verification of what
is in the DB and what others are seeing.
http://validator.afrinic.net:8080/trust-anchors isn't current (or even
vaguely, despite their timers)

From: Mark Tinka [mailto:mark.tinka at seacom.mu] 
Sent: 28 July 2015 09:55 AM
To: Saul <saul at enetworks.co.za>; afnog at afnog.org
Subject: Re: [afnog] RPKI



On 28/Jul/15 09:34, Saul wrote:


Sorry for not giving too much info here, but I am still trying to pinpoint
what the issue is.


I am suddenly getting alerts from BGPmon about RPKI validation failing on
some of my prefixes and I have made no changes.


I am seeing different data on http://www.rpki.co.za/roas versus what I am
seeing at HE.net - both what is valid and what I have ROAs for.


I know of at least one other entity having issues as well and was
wondering if it is not perhaps a bigger issue?

Can you send your prefixes through so we can check what the actual
validation state is vs. what HE are reporting?

There was a time when HE had an issue obtaining RPKI data from AFRINIC.
This was some kind of issue AFRINIC were having, I suppose when changing
over to the new PKI engine. That was fixed, but that was a couple of
months ago. 

For my network (AS37100), both HE and www.rpki.co.za are showing the
correct data.

Also, note that AFRINIC have been encouraging operators to upgrade to the
new engine (which now supports max-length). I'm not sure whether this
could be affecting the old engine.
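The disagreement between validators that Saul describes (BGPmon, HE.net, rpki.co.za and the AFRINIC validator showing different states for the same prefix) comes down to each validator classifying a route only against the ROAs it currently holds; the max-length behaviour Mark mentions is part of the same RFC 6811 check. The following is an added worked example, not code from the thread, AFRINIC, BGPmon or HE: it implements the RFC 6811 Valid / Invalid / NotFound decision over a local ROA set and runs one route through several validators whose ROA sets differ (old engine only, both engines, no feed at all). The prefixes (RFC 5737 documentation ranges), the ASNs other than AS32653 (RFC 5398 documentation ASNs), and the ROA sets are constructed for illustration and are not real AFRINIC data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, origin ASN."""
    prefix: object      # ipaddress.IPv4Network or ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def make_roa(prefix, origin_asn, max_length=None):
    """Build a ROA; an absent maxLength means the prefix length (RFC 6482)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength %d out of range for %s" % (max_length, net))
    return ROA(net, max_length, origin_asn)


def covers(roa, route):
    """RFC 6811 'covered': route is equal to or more specific than the ROA prefix.

    The address-family check comes first because subnet_of() raises on mixed
    IPv4/IPv6 arguments.
    """
    return route.version == roa.prefix.version and route.subnet_of(roa.prefix)


def matches(roa, route, origin_asn):
    """RFC 6811 'matched': covered, not longer than maxLength, same origin AS."""
    return (covers(roa, route)
            and route.prefixlen <= roa.max_length
            and origin_asn == roa.origin_asn)


def validate(roas, prefix, origin_asn):
    """Classify one route against a ROA set.

    NotFound: no ROA covers the prefix.
    Valid:    at least one covering ROA matches origin and maxLength.
    Invalid:  covering ROAs exist but none matches (wrong origin or too long).
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    if any(matches(r, route, origin_asn) for r in covering):
        return "Valid"
    return "Invalid"


def compare_validators(validators, prefix, origin_asn):
    """Run the same route through each validator's ROA set; return name -> state."""
    return {name: validate(roas, prefix, origin_asn)
            for name, roas in validators.items()}


# Constructed ROA sets (hypothetical, not AFRINIC data). 192.0.2.0/24 has been
# re-homed from AS32653 to AS64496 in the "new engine"; 203.0.113.0/24 has a
# maxLength of /25 that only the new engine carries.
OLD_ENGINE = frozenset({
    make_roa("192.0.2.0/24", 32653),
    make_roa("198.51.100.0/24", 32653),
})
NEW_ENGINE = frozenset({
    make_roa("192.0.2.0/24", 64496),
    make_roa("198.51.100.0/24", 32653),
    make_roa("203.0.113.0/24", 32653, max_length=25),
})

# Three hypothetical validators that synced different data.
VALIDATORS = {
    "both-engines": OLD_ENGINE | NEW_ENGINE,   # fully synced
    "old-engine-only": OLD_ENGINE,             # stale: never saw the migration
    "no-feed": frozenset(),                    # trust anchor unreachable
}


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496),
                        ("203.0.113.128/25", 32653),
                        ("203.0.113.0/26", 32653)]:
        print(prefix, "AS%d" % asn, compare_validators(VALIDATORS, prefix, asn))
```

The first route (192.0.2.0/24 now originated by AS64496) is Valid on the fully synced validator, Invalid on the one that only has the old engine's ROA, and NotFound on the one with no feed: exactly the pattern of "alerts with no change on my side" from the thread. The /26 case shows that a ROA with maxLength /25 covers the /26 but does not match it, so the announcement is Invalid rather than NotFound; that is the difference the new engine's max-length support introduces.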

