12-13 August RPKI Outage: Update [Archived]

OUT OF DATE?

Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.

Posted: Wednesday, 26 August 2020

12 August 2020 at 12:21 PM to 13 August at 11:36 AM

On 12 August at 12:21 PM, ARIN deployed a new version of its RPKI system. ARIN’s repository showed no errors in both RIPE’s Validator and NLNetLab’s Routinator systems. At 12:46 PM on that same day we received a service issue notice that ARIN’s repository was not working with rpki-client. ARIN Engineering worked closely with the OpenBSD software developers to pinpoint the error within the RPKI system. Both ARIN engineering and the OpenBSD developers independently found the error within ARIN’s repository. The fix was developed and deployed on 13 August at 11:36 AM.

Here is a detailed analysis of the error:

During RPKI repository generation, ARIN creates “manifests.” A manifest is cryptographic object specific to the RPKI which is used to help guarantee the integrity of the repository. One manifest is associated with each resource certificate in the repository. The manifest, flagged by the OpenSSL-based validators, had a subtle encoding issue. The manifest in question essentially contains two copies of an AlgorithmIdentifier variable in different locations (and used for different purposes). Per RFC 5280, Section 4.1.1.2, these two instances must match completely. In ARIN’s manifest, one contained an empty string (“”) as a parameter and the other contained a NULL (pointer to nothing). The empty string parameter was incorrect and the OpenSSL-based validators were flagging this because the two definitions of AlgorithmIdentifier did not match.

Planned Corrective actions:

As a corrective action, ARIN will be broadening its testing strategy. In future releases, we will be validating not only LibreSSL-based validators (RIPE’s Validator and NLNetlab’s Routinator) but also OpenSSL-based validators such as rpki-client and Fort. The list of validators we do test against the ARIN repository will be noted within the RPKI section of ARIN’s website.

ARIN apologizes for any inconvenience that this may have cause those who run OpenSSL-based validators. We take any incompatibility seriously and are working to better service the community on this emerging but yet very important service. We would like to thank Job Snijders and the OpenBSD rpki-client team for helping assist us in solving this issue quickly.

Regards,

Mark Kosters
Chief Technology Officer
American Registry for Internet Numbers (ARIN)

OUT OF DATE?

Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.