Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Brad Gorman 
A message is sent to points of contact of an Org one month before expiration of 
a ROA in the ARIN repository.  At any time prior to the ROA expiry, a new 
(duplicate) ROA can be created for the same resources with a new expiry date in 
the future. The soon to expire ROA can be deleted once the new ROA has been 
published to the repository or you can simply wait for it to expire.


Brad

From: NANOG  on behalf of Ca By 

Date: Friday, September 9, 2022 at 10:12 AM
To: John Sweeting 
Cc: North American Network Operators' Group 
Subject: Re: ROA Will Expire Soon - ARIN



On Fri, Sep 9, 2022 at 5:21 AM John Sweeting 
mailto:jsweet...@arin.net>> wrote:
You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be 
sending you an email off list.

John

Where is ARIN’s documented procedure for how hosted ROAs handle renewal prior 
to expiration ?



Sent from my iPhone

> On Sep 9, 2022, at 8:01 AM, Terrance Devor 
> mailto:ter.de...@gmail.com>> wrote:
>
>
> Can someone from ARIN please reach out to me. We don't want the ROA to 
> expire...
>
> Kind Regards,
> Terrance

Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Brad Gorman 
Peter,

ROAs created using ARIN’s Hosted RPKI service do not auto-renew.  A point of 
contact (admin,tech,routing) linked to the organization can create and delete 
ROAs.  This does not require contacting the ARIN Help Desk.

Best regards,

Brad Gorman
Sr Product Owner, Routing Security
American Registry for  Internet Numbers


From: NANOG  on behalf of Peter 
Potvin via NANOG 
Reply-To: Peter Potvin 
Date: Friday, September 9, 2022 at 10:19 AM
To: Ca By 
Cc: North American Network Operators' Group 
Subject: Re: ROA Will Expire Soon - ARIN

I have been wondering the same thing when it comes to how ARIN's hosted RPKI 
ROAs handle renewal. Do they automatically renew by default, do we need to 
delete and re-create the ROA or do we have to reach out to the helpdesk every 
time one is due to expire?

~ Peter

On Fri., Sep. 9, 2022, 10:12 a.m. Ca By, 
mailto:cb.li...@gmail.com>> wrote:


On Fri, Sep 9, 2022 at 5:21 AM John Sweeting 
mailto:jsweet...@arin.net>> wrote:
You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be 
sending you an email off list.

John

Where is ARIN’s documented procedure for how hosted ROAs handle renewal prior 
to expiration ?



Sent from my iPhone

> On Sep 9, 2022, at 8:01 AM, Terrance Devor 
> mailto:ter.de...@gmail.com>> wrote:
>
>
> Can someone from ARIN please reach out to me. We don't want the ROA to 
> expire...
>
> Kind Regards,
> Terrance

The information contained in this message may be privileged, confidential and 
protected from disclosure. This message is intended only for the designated 
recipient(s). It is subject to access, review and disclosure by the sender's 
Email System Administrator. If you have received this message in error, please 
advise by return e-mail so that our address records can be corrected and please 
delete immediately without reading, copying or forwarding to others. Any 
unauthorized review, use, disclosure or distribution is prohibited.
Copyright © 2022 Accuris Technologies Ltd. All Rights Reserved.

L'information contenue dans ce message pourrait être de nature privilégiée, 
confidentielle et protégée contre toute divulgation. Ce message est destiné à 
l'usage exclusif du(des) destinataire(s) visé(s). Le gestionnaire de système du 
courrier électronique de l'expéditeur pourrait avoir accès à ce message, 
l'examiner et le divulguer. Si ce message vous est transmis par erreur, 
veuillez nous en aviser par courrier électronique à notre adresse, afin que 
l'on puisse corriger nos registres, puis veuillez le supprimer immédiatement, 
sans le lire, le copier ou le transmettre à des tiers. Tout examen, toute 
utilisation, divulgation ou distribution non autorisé de cette information est 
interdit.
Droit d'auteur ©  2022  Accuris Technologies Ltd. Tous droits réservés.

Re: ARIN RPKI Trust Anchor Issue

2025-01-30 Thread Brad Gorman 
We at ARIN have verified that all our systems are functioning optimally and 
there were no indications of any issues at the time of the PacketVis alerts.

Brad Gorman
Director, Customer Technical Services
American Registry for Internet Numbers

From: NANOG  on behalf of Job 
Snijders 
Date: Thursday, January 30, 2025 at 07:57
To: Christopher Hawker 
Cc: NANOG 
Subject: Re: ARIN RPKI Trust Anchor Issue
Dear all,

I analysed the alert, here is my assessment.

If I recall correctly, Packetvis uses multiple data sources (different
versions of validator implementations) and alerts on anomalies spotted
by more than a single data source.

Most RPKI Validator implementations limit the maximum allowable file
size of RPKI Signed Objects. It appears one particular Manifest in
ARIN's "Hosted CA" system exceeded a threshold known to exist in older
implementations, rendering all subordinate ROAs on that manifest invalid
for those instances.

Timeline (based on rpkiviews.org):

* On Tue 28 Jan 2025 14:02:07 +, one Large CA's keypair signed a
  Manifest with FileAndHash 50,157 entries. This manifest was nominally
  valid until Thu 30 Jan 2025 10:00:00 + and 3,964,618 bytes in
  size.  Note that this is very large compared to other Manifest
  objects: it is 174% larger than the second largest Manifest, and 456%
  larger than the third largest Manifest.

* On Tue 28 Jan 2025 17:54:07 + this Large CA's keypair signed a
  Manifest with FileAndHash 51,014 entries. That particular issuance was
  4,032,321 bytes in size and exceeded a threshold (4M bytes). Following
  the "Failed Fetch" mechanism described in RFC 9286 Section 6.6,
  affected instances continued to use the older "Tue 28 Jan 2025
  14:02:07" manifest, until it expired (which happened today at Thu 30
  Jan 2025 10:00:00).

It is interesting that the 'trigger event' happened two days ago, but it
is only just now that it became quite tangible! It seems this anomaly
could've been alerted for earlier on.

I noted in my "RPKI's 2024 Year In Review" report:

"""
"Efficiency" in this context arises from validators spending the
computational cost of validating a single EE certificate and
yielding more than 1 ROAIPAddress. Under the RIPE NCC TAL one
yields 6.5 prefixes per ROA, while in the ARIN region this is
number is 1.1 prefixes per ROA. As stewards of this technology,
we need to keep an eye on the overall efficiency of the RPKI to
ensure things don't get out of hand.
"""
source: 
https://mailman.nanog.org/pipermail/nanog/2025-January/227166.html

When a resource holder creates many ROAs (tens of thousands), it'll
result in many Manifest FileAndHash entries (again, tens of thousands),
which increases the file size of the Manifest (to the point that some
validators may consider such a Manifest object invalid). When this
happens, the validator marks ROAs as invalid, in turn BGP routers will
considered covered routes 'not-found'.

Another downside of systems signing over only a single prefix per ROA is
that each individual ROA object comes with 1500~2100 bytes 'overhead'
regardless of how many prefixes are encoded inside of it (due to the
embedded X.509 End-Entity certificate and signature). Expressed as a
percentage, this overhead is ~ 98% in the case of single prefixes. While
Manifests grow linearly, the per-ROA overhead makes for a somewhat steep
curve in turn directly impact size of RRDP snapshots (in which all
Manifests + ROAs are bundled together). Publication point operators
are recommended to keep in mind that RRDP snapshot size is another limit
that can be tripped.

Stakeholders operating certification services should keep in mind that
validator implementations might restrict the file size of individual
objects, and the number of objects, but also impose limits on the size
of the RRDP snapshot, the duration of the synchronization task, etc.

Kind regards,

Job


On Thu, Jan 30, 2025 at 10:43:52AM +, Christopher Hawker wrote:
> Hello folks,
>
> Has anyone received any similar event notifications (from PacketVis or 
> other)? Trying to work out if it's a false-positive.
>
> Regards,
> Christopher Hawker
> 
> From: PacketVis 
> Sent: Thursday, January 30, 2025 9:40 PM
> To: Christopher Hawker 
> Subject: bgp ta-malfunction - low severity - PacketVis
>
> Possible TA malfunction: 29.17% of the ROAs disappeared from ARIN.
>
> Type: ta-malfunction
> Severity: low
> Monitored: ASarin
> When: 2025-01-30 10:40 UTC
>
> See more details about the event:
> https://packetvis.com/bgp/event/554c1692012ae202467afe3a38ae5075-dca21ae6-ff6f-4133-9095-e421f8b27131/3bc5a1021e196af96fde22d1608cf073c09d9496/