[afnog] RPKI

Nishal Goburdhan nishal at controlfreak.co.za
Tue Jul 28 11:34:16 UTC 2015


On 28 Jul 2015, at 11:09, Saul wrote:

> Hi Mark,
> thanks
> On further investigation, it appears that the old ROA engine is/was "off
> the air" (I say was, at the time of writing this email, it appears back -
> I have been in contact with Afrinic, so, but waiting to hear anything)

eh?   i didn’t see a mail to afrinic-announce indicating any outage?


> The challenge that I am finding is that there seems to be no way to
> verify in real time.
>
> Using http://validator.afrinic.net:8080/trust-anchors, I have revoked an
> offending prefix 154.72.108.0/22 yet despite the update timer saying it
> was updated 5 minutes ago (10:50) and I revoked the certificate at 10:16,
> it still shows as active.

erm.  i don’t think that you can actually revoke something from there.
that’s simply a copy of the RIPE-NCC validator.  same as the one i run 
on www.rpki.co.za

i would be really, really, worried, if you could use this to do 
revocations ;-)


> The prefix has one originating AS in the old engine and another in the
> new engine (I am migrating networks)
> Another prefix 41.77.156.0/23 which had a ROA in the old engine, when
> querying at BGPmon, shows no ROA - same for all my other prefixes in the
> old engine.
>
> [saul at linux1 ~]$ whois -h whois.bgpmon.net " --roa 32653 41.77.156.0/23"
> [Querying whois.bgpmon.net]
> [whois.bgpmon.net]
>
> That said, a few hours later and I am now correctly getting:
>
> [saul at linux1 ~]$ whois -h whois.bgpmon.net " --roa 32653 41.77.156.0/23"
> [Querying whois.bgpmon.net]
> [whois.bgpmon.net]
> 0 - Valid
> ------------------------
> ROA Details
> ------------------------
>
> Origin ASN:       AS32653
> Not valid Before: 2014-02-06 13:27:59
> Not valid After:  2018-02-01 13:27:59  Expires in 2y188d16h52m24.2000000029802s
>
> Trust Anchor:     rpki.afrinic.net
> Prefixes:         41.77.156.0/23 (max length /23)
>
> Maybe BGPmon had an issue.. (with us and others)
>
> So my question is more how to get accurate realtime verification of what
> is in the DB and what others are seeing.
> http://validator.afrinic.net:8080/trust-anchors isn't current (or even
> vaguely, despite their timers)

what you see in the “bgp preview” is a view of what the RIPE NCC 
route collector information has.  that might be delayed (and most likely 
is, since lots of random people who run their software, like me, 
querying their collector constantly is suboptimal)

that part about realtime verification is probably better answered by an 
authoritative source from afrinic.

—n.
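An added example, not part of the thread above: the RFC 6811 route origin validation that a validator such as the RIPE NCC one applies to the announcements discussed. The ROA set is constructed: the 41.77.156.0/23 entry copies the BGPmon output quoted above, while the two ROAs for 154.72.108.0/22 model a prefix with one origin in the old ROA engine and another in the new one (AS64496 is a documentation ASN standing in for the second origin, and the maxlen /24 is assumed).

```python
from ipaddress import ip_network

# Constructed ROA set (see lead-in): 41.77.156.0/23 is taken from the BGPmon
# output in the thread; the two 154.72.108.0/22 entries are assumed values
# modelling the old-engine and new-engine origins for the same prefix.
ROAS = [
    {"prefix": "41.77.156.0/23", "maxlen": 23, "asn": 32653},
    {"prefix": "154.72.108.0/22", "maxlen": 24, "asn": 32653},
    {"prefix": "154.72.108.0/22", "maxlen": 24, "asn": 64496},
]


def covering_roas(prefix):
    """Return the ROAs whose prefix covers the announced prefix (RFC 6811, section 2)."""
    announced = ip_network(prefix)
    return [
        roa for roa in ROAS
        if announced.subnet_of(ip_network(roa["prefix"]))
    ]


def validate(prefix, origin_asn):
    """Classify an announcement as 'unknown', 'valid' or 'invalid' per RFC 6811."""
    covering = covering_roas(prefix)
    if not covering:
        return "unknown"  # NotFound: no ROA covers this prefix at all
    announced_len = ip_network(prefix).prefixlen
    for roa in covering:
        # A matching ROA needs both the origin ASN and a length within maxlen.
        if roa["asn"] == origin_asn and announced_len <= roa["maxlen"]:
            return "valid"
    return "invalid"  # covered by at least one ROA, but none matches


if __name__ == "__main__":
    for prefix, asn in [("41.77.156.0/23", 32653), ("41.77.156.0/24", 32653),
                        ("154.72.108.0/22", 32653), ("154.72.108.0/22", 64496),
                        ("154.72.108.0/22", 65551)]:
        print(f"{prefix} from AS{asn}: {validate(prefix, asn)}")
```

While both the old-engine and new-engine ROAs for 154.72.108.0/22 are published, announcements from either origin validate as "valid"; an origin covered by neither ROA is "invalid", and a more-specific beyond the maxlen is "invalid" even from the right ASN.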


