[GTER] Registro.br RPKI issues?
Job Snijders
job at sobornost.net
Tue May 16 10:57:16 -03 2023
Dear Fred,
> > A RRDP snapshot is supposed to be an internally consistent atomic
> > reflection of the state of the publication point.
> >
> > RFC 8182 doesn't explicitly spell it out, but I cannot conceive of a
> > situation in which multiple <publish/> elements for the same 'uri'
> > with different base64 data is a recoverable situation. Chances are
> > that such a problematic state confuses some validator
> > implementations.
> >
> > Any idea what happened?
>
> We're investigating the CA and publication server but so far we've no
> idea of any event that originated the issue.
There appears to be an ongoing issue with the current RRDP snapshot
(session 68119c8e-f8e2-4a51-bdda-78459f9884e3 serial 65)
The file 'B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft' appears 6 (!) times:
$ curl -s https://rpki-repo.registro.br/rrdp/68119c8e-f8e2-4a51-bdda-78459f9884e3/65/1b21d85893d023a3/snapshot.xml | grep B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft
<publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
<publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
<publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
<publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
<publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
<publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
I've decoded the Base64/DER and extracted the following details for your
convenience:
SHA256                                        manifestNumber  Signing Time
0pJ++a+5NwIuRtl2VLrRe9kjXmHZUaDS6J5M7pu6H4=   16              Mon 30 Jan 2023 13:43:01 +0000
0LR+5SSw0bGo0Gi7+vL8Kqw2LBBt65ujPPIL5sgFM7M=  17              Tue 31 Jan 2023 06:07:32 +0000
m+t1stiXb/1xBkMVySvpRJKB8C4i+cOcl0fXBaZVoUI=  18              Wed 01 Feb 2023 01:51:02 +0000
bsuO1pTDY76Fyw256ZoPVf03xLyeB5taf8f9UeA/wNA=  1D              Sat 04 Feb 2023 19:53:45 +0000
3khtUp8G8MAguRczgK8Og2EpbOVw7Vge2icFo6S/dsI=  26              Sat 04 Feb 2023 23:59:21 +0000
1x6LHD8DmpeGCgEAmGLvSOzT4+dwu4APSjg3+Yf08uI=  27              Sun 05 Feb 2023 17:50:56 +0000
Instead of 6 (or even 1) times, this file should appear zero times in
the snapshot, because the issuing CA
(CN=B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2, which according to the
AuthorityInfoAccess should be located at rsync://rpki-repo.registro.br/repo/nicbr_repo/0/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.cer)
does not exist:
$ rsync -v rsync://rpki-repo.registro.br/repo/nicbr_repo/0/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.cer
receiving file list ...
rsync: link_stat "/nicbr_repo/0/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.cer" (in repo) failed: No such file or directory (2)
done
Kind regards,
Job
ps. An easy way to see duplicate files is like so:
$ curl -s https://rpki-repo.registro.br/rrdp/68119c8e-f8e2-4a51-bdda-78459f9884e3/65/1b21d85893d023a3/snapshot.xml | fgrep '<publish ' | sort | uniq -c | sort -rn | head
6 <publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.mft">
6 <publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/1/B9C4BADDF4C8E202FEED5467E9D0654570EBB9B2.crl">
4 <publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/0/70F328D45D107EED518BF45C7006F09DC10AF7BD.mft">
4 <publish uri="rsync://rpki-repo.registro.br/repo/2mQiFhihjTBEpZq3ELoY5nxwhdNBcLZBXRSnhZkAmWSi/0/70F328D45D107EED518BF45C7006F09DC10AF7BD.crl">
2 <publish uri="rsync://rpki-repo.registro.br/repo/EszSqXU6su93trtn878XarKoRMGuTgTSwkRxVzm8xiu2/0/3137392e3130362e37322e302f32312d3234203d3e20323633343135.roa">
2 <publish uri="rsync://rpki-repo.registro.br/repo/DhhacJFgWs9wK9CuEPTXeQC1XDwjhgMNJs3zTh9w9tBU/0/323830343a343863303a3a2f33322d3438203d3e20323637313432.roa">
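As an added example that is not part of this message or of any validator, a small Python check that parses an RRDP snapshot, groups <publish/> elements by uri, and flags duplicates whose decoded payloads differ (the unrecoverable state described above) separately from byte-identical repeats; the sample snapshot, session id and URIs are constructed, not Registro.br's data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# XML namespace defined by RFC 8182 for RRDP documents.
RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"

# Constructed sample snapshot (placeholder session id, example URIs): one URI
# published twice with different payloads, one published twice with identical
# payloads, and one published once.
SAMPLE_SNAPSHOT = b"""<?xml version="1.0" encoding="UTF-8"?>
<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1"
          session_id="00000000-0000-0000-0000-000000000000" serial="1">
  <publish uri="rsync://example.invalid/repo/1/AA.mft">bWFuaWZlc3QtMTY=</publish>
  <publish uri="rsync://example.invalid/repo/1/AA.mft">bWFuaWZlc3QtMTc=</publish>
  <publish uri="rsync://example.invalid/repo/1/AA.crl">Y3Js</publish>
  <publish uri="rsync://example.invalid/repo/1/AA.crl">Y3Js</publish>
  <publish uri="rsync://example.invalid/repo/0/BB.roa">cm9h</publish>
</snapshot>"""


def sha256_b64(data: bytes) -> str:
    """SHA-256 of a decoded object, base64-encoded like the digests in the mail."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def find_duplicate_publishes(snapshot_xml: bytes) -> dict:
    """Return {uri: sorted distinct payload digests} for every uri that appears
    more than once. More than one digest means the snapshot is not an atomic,
    internally consistent state: a validator cannot tell which object is current."""
    root = ET.fromstring(snapshot_xml)
    if root.tag != RRDP_NS + "snapshot":
        raise ValueError("not an RRDP snapshot document")
    seen = defaultdict(list)
    for el in root.findall(RRDP_NS + "publish"):
        payload = base64.b64decode((el.text or "").strip(), validate=True)
        seen[el.attrib["uri"]].append(sha256_b64(payload))
    return {uri: sorted(set(d)) for uri, d in seen.items() if len(d) > 1}


def report(snapshot_xml: bytes) -> list:
    """One line per duplicated uri, marking conflicting payloads as CONFLICT."""
    lines = []
    for uri, digests in find_duplicate_publishes(snapshot_xml).items():
        kind = "CONFLICT" if len(digests) > 1 else "identical"
        lines.append(f"{kind}: {uri} ({len(digests)} distinct payload(s))")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SNAPSHOT)))
```

Against a real snapshot, feed the bytes fetched from the RRDP server to report() in place of SAMPLE_SNAPSHOT.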