[GTER] Registro.br RPKI issues?

Frederico A C Neves fneves at registro.br
Mon May 15 18:24:54 -03 2023


Job,

On Mon, May 15, 2023 at 08:23:45PM +0000, Job Snijders via gter wrote:
> Dear all,
> 
> I noticed on multiple RPKI validators that there was some kind of issue
> with the NIC.BR RPKI publication. Seems that PacketVis also noticed the
> problem: https://packetvis.com/bgp/event/162b37bf73b78d0cae60830ee73ea634-a707a5b4-c870-4b14-b069-fa5d63a3fc31/b03dfeda75472ffa75eab542a78d20946aafb92f
>
> The first hint of trouble was that validators were expecting SHA256
> 'GN5NeoONbJ1kTAmWGPzPgkiVNPT4M0k8MfHCPOghhUA=' for file
> '36EFA7014D84E8575931BE947541B85295240D78.cer' according to
> rpki-repo.registro.br/repo/nicbr_repo/0/EE917EBC7A158783B44BC6ED82217434F28ADEFB.mft
> with manifestNumber 929D.
>
...
> A RRDP snapshot is supposed to be an internally consistent atomic
> reflection of the state of the publication point.
> 
> RFC 8182 doesn't explicitly spell it out, but I cannot conceive of a
> situation in which multiple <publish/> elements for the same 'uri' with
> different base64 data is a recoverable situation. Chances are that such
> a problematic state confuses some validator implementations.
> 
> Any idea what happened?

We're investigating the CA and publication server but so far we've no
idea of any event that originated the issue.

> 
> Kind regards,
> 
> Job
>

Fred
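
One way to check an RRDP snapshot for the condition raised in the quoted message, multiple <publish/> elements for the same 'uri' carrying different base64 data. This is an added example, not code from either poster or from any validator; the sample URIs, session_id and object bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"  # namespace from RFC 8182


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample: URIs, session_id and object bytes are made up.
SAMPLE_SNAPSHOT = f"""<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1"
    session_id="00000000-0000-4000-8000-000000000000" serial="7">
  <publish uri="rsync://rpki.example.net/repo/a.cer">{b64(b"object A, first copy")}</publish>
  <publish uri="rsync://rpki.example.net/repo/b.roa">{b64(b"object B")}</publish>
  <publish uri="rsync://rpki.example.net/repo/a.cer">{b64(b"object A, second copy")}</publish>
  <publish uri="rsync://rpki.example.net/repo/b.roa">{b64(b"object B")}</publish>
</snapshot>"""


def conflicting_publishes(snapshot_xml: str) -> dict:
    """Map each URI published with differing content to its distinct digests.

    Digests are base64 SHA-256, the form the validator in the thread printed.
    """
    # Input here is a local constant; harden XML parsing before feeding
    # this a document fetched from a remote publication server.
    root = ET.fromstring(snapshot_xml)
    if root.tag != RRDP_NS + "snapshot":
        raise ValueError("not an RRDP snapshot document")
    seen = defaultdict(list)
    for el in root.iter(RRDP_NS + "publish"):
        raw = base64.b64decode("".join((el.text or "").split()))
        digest = b64(hashlib.sha256(raw).digest())
        if digest not in seen[el.get("uri")]:
            seen[el.get("uri")].append(digest)
    # Byte-identical repeats are not conflicts; differing content is.
    return {uri: d for uri, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    for uri, digests in conflicting_publishes(SAMPLE_SNAPSHOT).items():
        print(uri, digests)
```

Comparing the reported digests against the hash a manifest lists for the same file shows which copy, if any, the manifest actually refers to.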

