25 Feb
2020
25 Feb
'20
3:23 p.m.
If you're not on the routing-wg mailing list, there's something you
should know
-------- Forwarded Message --------
Subject: [routing-wg] RPKI Outage Post-Mortem
Date: Tue, 25 Feb 2020 15:12:15 +0100
From: Nathalie Trenaman <nathalie(a)ripe.net>
To: routing-wg(a)ripe.net
Dear colleagues,
From Saturday 22 February at 08:24 (CET), any newly created, modified,
or deleted ROAs (176 in total) could not be added to our publication
server due to a disk problem. From that moment on, all the data was
stored on the database, but the publication did not happen. The disk did
not report any problems and, therefore, no engineer was alerted of this
incident.
Due to the disk problem, starting from Sunday 23 February at 09:10
(CET), our CRL expired and our repository could not be properly updated.
This was reported to us on Monday 24 February at 11:44 (CET).
Immediately, our engineers fixed the disk problem, however, since the
CRL expired, all underlying objects also expired. Depending on the
Relying Party software an operator used, this abnormal behaviour
appeared differently.
Initially, our engineers tried to do a full re-population of the RPKI
repository, but unfortunately, this did not update the CRL in the
validation tree. At 15:03 (CET), we performed a full CA key-roll, which
was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET),
all objects in the backlog were published.
We apologise for any inconvenience this may have caused and we are
taking all the necessary steps to ensure this incident does not appear
again in the future.
Kind regards,
Nathalie Trenaman
Routing Security Programme Manager
RIPE NCC
25 Feb
25 Feb
3:45 p.m.
Hi Massimiliano,
It would be nice to clarify which CA was rolled-over. Was it the root key
that is present in the TAR files or the root RIPE CA or the hosted-CA keys?
Regards,
Roque
On Tue, Feb 25, 2020 at 3:31 PM Massimiliano Stucchi <max(a)stucchi.ch> wrote:
If you're not on the routing-wg mailing list, there's something you
should know
-------- Forwarded Message --------
Subject: [routing-wg] RPKI Outage Post-Mortem
Date: Tue, 25 Feb 2020 15:12:15 +0100
From: Nathalie Trenaman <nathalie(a)ripe.net>
To: routing-wg(a)ripe.net
Dear colleagues,
From Saturday 22 February at 08:24 (CET), any newly created, modified,
or deleted ROAs (176 in total) could not be added to our publication
server due to a disk problem. From that moment on, all the data was
stored on the database, but the publication did not happen. The disk did
not report any problems and, therefore, no engineer was alerted of this
incident.
Due to the disk problem, starting from Sunday 23 February at 09:10
(CET), our CRL expired and our repository could not be properly updated.
This was reported to us on Monday 24 February at 11:44 (CET).
Immediately, our engineers fixed the disk problem, however, since the
CRL expired, all underlying objects also expired. Depending on the
Relying Party software an operator used, this abnormal behaviour
appeared differently.
Initially, our engineers tried to do a full re-population of the RPKI
repository, but unfortunately, this did not update the CRL in the
validation tree. At 15:03 (CET), we performed a full CA key-roll, which
was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET),
all objects in the backlog were published.
We apologise for any inconvenience this may have caused and we are
taking all the necessary steps to ensure this incident does not appear
again in the future.
Kind regards,
Nathalie Trenaman
Routing Security Programme Manager
RIPE NCC
_______________________________________________
swinog mailing list
swinog(a)lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
--
At least I did something
Don Draper - Mad Men
4:04 p.m.
Hi Roque,
On 25/02/2020 15:45, Roque Gagliano wrote:
Hi Massimiliano,
It would be nice to clarify which CA was rolled-over. Was it the root
key that is present in the TAR files or the root RIPE CA or the
hosted-CA keys?
I have no idea. I don't work at RIPE NCC anymore, but I would say you
can get directly in contact with Nathalie and I'm pretty sure she'll be
happy to follow up.
Ciao!
--
Massimiliano Stucchi
MS16801-RIPE
Twitter/Telegram: @stucchimax
4:41 p.m.
On Tue, Feb 25, 2020 at 04:04:33PM +0100, Massimiliano Stucchi wrote:
Hi Roque,
On 25/02/2020 15:45, Roque Gagliano wrote:
The CA for RIPE in the ripe repository was changed, the RIPE TAL is still
the same. The validators will refetch all affected files and after that
will be fine.
--
:wq Claudio
Hi Massimiliano,
It would be nice to clarify which CA was rolled-over. Was it the root
key that is present in the TAR files or the root RIPE CA or the
hosted-CA keys?
I have no idea. I don't work at RIPE NCC anymore, but I would say you
can get directly in contact with Nathalie and I'm pretty sure she'll be
happy to follow up.
1195
days inactive
1195
days old
3 comments
3 participants
participants (3)
-
Claudio Jeker -
Massimiliano Stucchi -
Roque Gagliano