Hi Carlos,

Congrats to you and the team for the smooth migration.

I can speak for all of us at NLnet Labs that we’re super proud that LACNIC is now running Krill. Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the years of hard work on our open-source RPKI project – and for ironing out a small bump yesterday together with NIC.br after the switch-over.

Cheers,

Alex

> On 15 Apr 2024, at 16:24, Carlos Martinez-Cagnazzo <carlosm3...@gmail.com>
> wrote:
>
> Hi all, it's me again.
>
> The switch is complete. Thank you all for your patience.
>
> /Carlos
>
> On Mon, Apr 15, 2024 at 9:21 AM Carlos Martinez-Cagnazzo
> <carlosm3...@gmail.com> wrote:
>>
>> Hi all,
>>
>> We'll start in about 45 minutes.
>>
>> /Carlos
>>
>> On Mon, Apr 8, 2024 at 5:18 PM Carlos Martinez-Cagnazzo
>> <carlosm3...@gmail.com> wrote:
>>>
>>> Hello all,
>>>
>>> On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will
>>> be migrating from our current legacy RPKI CA system to a new
>>> Krill-based RPKI core.
>>>
>>> In most cases no action will be required on your part (see below for
>>> some special cases). What follows is a list of events that will take
>>> place at the mentioned time and that may be of interest to you.
>>>
>>>   * Our TAL file won't change at this time. There is no need to
>>>     change anything in your current RP configuration.
>>>
>>>   * Our RTA certificate, while keeping the old key will point to a
>>>     new manifest.
>>>
>>> From the outside, what RPs will see is the following sequence of events:
>>>
>>>   * At some time T0 all our current servers (both RRDP and rsync)
>>>     will be shut down, returning "connection refused" for both http and
>>>     rsync.
>>>   * New values for the DNS records will be published (same names,
>>>     different IPs).
>>>   * At approximately T0+30min the servers listening on the new IPs
>>>     will be started and will start serving the repository as produced by
>>>     the new Krill-based system.
>>>   * When they first connect, RPs will see a new RRDP session and will
>>>     take it from there.
>>>
>>> We have tested this migration flow using a set of docker containers
>>> plus a DNS server container using dnsmasq server that allows us to
>>> modify records on the fly. In all the cases we tested this flow works
>>> just fine.
>>>
>>> We have tested this migration flow with the following RPs:
>>>
>>>   * rpki-client from “latest” all the way back to 8.2.
>>>   * routinator from “latest” all the way back to 0.8.
>>>   * fort from “latest” all the way back to 1.5.0.
>>>
>>> What we have not tested:
>>>
>>>   * RIPE rpki validator: it’s been deprecated for three years. You
>>>     shouldn’t be running this and you know it :-) In any case, it should
>>>     work.
>>>   * OctoRPKI: also recently deprecated.
>>>   * Rpki-prover.
>>>   * RIPSTR.
>>>
>>> All of the above should work. However bear in mind the following: If
>>> you are running any of the above and you notice issues, just clear the
>>> local cache, launch a clean instance of your RP and you should be
>>> fine.
>>>
>>> We have set up a specific email inbox for this migration work:
>>> rpki-migrac...@lacnic.net. It will be closely monitored during April
>>> 15 and the following days. It will be phased out once we are confident
>>> all issues that may arise have been addressed.
>>>
>>> For those interested, the new servers are already online and can be
>>> used to validate. These can be reached at:
>>>
>>>   * lb-us-mia.rrdp.lacnic.net
>>>   * lb-us-southeast.rrdp.lacnic.net
>>>   * lb-br-gru.rrdp.lacnic.net
>>>
>>> Don’t expect to see the exact same VRPs as you see now on our current
>>> production server as minor differences are expected. Don’t hardcode
>>> this either, as during the migration “rrdp.lacnic.net” will be made to
>>> point to these servers and eventually these names may change and/or
>>> new ones may be added.
>>>
>>> Thank you all!
>>>
>>> /Carlos
>>
>>
>>
>> --
>> --
>> =========================
>> Carlos M. Martinez-Cagnazzo
>> http://cagnazzo.me
>> =========================
>
>
>
> --
> --
> =========================
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.me
> =========================
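
The announcement above says relying parties will see a new RRDP session after the switch. As an added example (not part of the original thread, and not LACNIC's or any RP's own code), this Python shows the RFC 8182 decision an RP makes from a notification file: a changed `session_id` invalidates cached state and forces a snapshot fetch. The function name `plan_sync`, the example.net URIs and the sample session, serial and hash values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.ripe.net/rpki/rrdp}"  # RRDP namespace from RFC 8182

# Constructed sample: a notification file a new repository might serve after a
# migration. URIs, session_id, serial and hashes are made up for this example.
SAMPLE_NOTIFICATION = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
    session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="3">
  <snapshot uri="https://rrdp.example.net/snapshot-3.xml" hash="aa11"/>
  <delta serial="3" uri="https://rrdp.example.net/delta-3.xml" hash="bb22"/>
  <delta serial="2" uri="https://rrdp.example.net/delta-2.xml" hash="cc33"/>
</notification>"""


def plan_sync(notification_xml, cached_session, cached_serial):
    """Return (action, uris); action is 'none', 'deltas' or 'snapshot'."""
    root = ET.fromstring(notification_xml)
    if root.tag != NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP version 1 notification file")
    snapshot = root.find(NS + "snapshot")
    if snapshot is None:
        raise ValueError("notification file has no snapshot element")
    session, serial = root.get("session_id"), int(root.get("serial"))
    deltas = {int(d.get("serial")): d.get("uri") for d in root.findall(NS + "delta")}

    # New session (or empty cache): local state cannot be updated incrementally,
    # so the RP starts over from the full snapshot.
    if cached_session != session:
        return "snapshot", [snapshot.get("uri")]
    if cached_serial == serial:
        return "none", []
    # Same session: deltas are usable only as an unbroken chain from the
    # cached serial + 1 up to the advertised serial.
    needed = range(cached_serial + 1, serial + 1)
    if cached_serial < serial and all(n in deltas for n in needed):
        return "deltas", [deltas[n] for n in needed]
    return "snapshot", [snapshot.get("uri")]


if __name__ == "__main__":
    # An RP whose cache still holds the pre-migration session (constructed values).
    print(plan_sync(SAMPLE_NOTIFICATION, "old-session-id", 4711))
```
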