Adonis Stergiopoulos - 19-05-2021 13:00:16
Hi everyone, I’m Adonis from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon. Please note that all chat transcripts will be archived and made available to the public on https://ripe82.ripe.net/.
Brian Trammell - 19-05-2021 13:03:32
Brian Nisbet - 19-05-2021 13:04:11
There's no "i" in rpkteam!
Peter Hessler - 19-05-2021 13:04:56
I hope they also analyze the amount of distribution errors (expired certs, non-responding hosts, actually corrupted data, etc) on the RPKI servers
Blake Willis - 19-05-2021 13:04:57
"our peekin' eye..."
Peter Hessler - 19-05-2021 13:05:04
Wolfgang Tremmel - 19-05-2021 13:05:28
hmm, he knows about RFC3849 but not about RFC6996
Wolfgang Tremmel - 19-05-2021 13:06:27
RFC5398 that is (AS numbers for documentation purposes)
Alex Le Heux - 19-05-2021 13:06:31
"/bin/stty sane" is your friend ;)
Brian Trammell - 19-05-2021 13:06:45
peter: that's a good question if it doesn't come up before.
Peter Hessler - 19-05-2021 13:07:35
like, right now, I see "not yet valid" for a roa from afrinic
Job Snijders - 19-05-2021 13:07:49
seems fine to me, people preprovisioning ROAs?
Brian Trammell - 19-05-2021 13:07:54
certificates are indeed hard
Job Snijders - 19-05-2021 13:08:22
aligning business contracts with certificate notbefore/notafter is common practise
Brian Trammell - 19-05-2021 13:08:58
(so is cpython IIRC)
Peter Hessler - 19-05-2021 13:09:16
interpreted, like python. afterwards it's compiled (also like python)
Brian Trammell - 19-05-2021 13:09:17
very cool to see more julia stuff in the real world though
Brian Trammell - 19-05-2021 13:09:55
last i tried to use it, it was a hipster language (in the sense of nothing-works-yet in a charming sort of way)
George Michaelson - 19-05-2021 13:11:36
For maths/stats people, it's replacing R as a tool to do data analysis.
George Michaelson - 19-05-2021 13:11:50
(Prof Matt Roughan, Adelaide Uni maths dept told me)
Brian Trammell - 19-05-2021 13:11:53
python already did that if you were prepared to put up with it :)
George Michaelson - 19-05-2021 13:12:18
"Python codes it, but Julia allows reasoning about it" is how he put it
Brian Trammell - 19-05-2021 13:14:01
will have to give it another look
Brian Trammell - 19-05-2021 13:15:17
(...thereby sidestepping a philosophical argument about how the RPKI works in a single line of Julia :) )
Andreas Härpfer - 19-05-2021 13:15:24
@George: "… it's replacing R …" You mean like IPv6 is replacing v4 ;-) I guess it will also be > 20 years to actually replace R.
Stephen Strowes - 19-05-2021 13:16:36
it's easy to replace R if you've never truly gotten the hang of R :)
Brian Trammell - 19-05-2021 13:17:01
eh for linear alg stuff they're all frontends on top of fortran77 anyway, no?
George Michaelson - 19-05-2021 13:17:31
Yes. It will never replace R. having said that, there's now a dplyr for Python...
Andreas Härpfer - 19-05-2021 13:18:59
Job Snijders - 19-05-2021 13:19:09
to see manifest contents with openssl
Job Snijders - 19-05-2021 13:19:13
openssl cms -verify -noverify -in OOFPkv3HzPv8GCNhUjrifWl-lS8.mft -inform DER | openssl asn1parse -inform DER
Job Snijders - 19-05-2021 13:19:57
Brian Trammell - 19-05-2021 13:19:57
"-verify -noverify" ah the famous openssl user experience
Job Snijders - 19-05-2021 13:20:34
George Michaelson - 19-05-2021 13:20:41
I love openssl -noout -text
George Michaelson - 19-05-2021 13:20:54
what did -noout mean, that -text worked!
Job Snijders - 19-05-2021 13:21:03
Gordon Gidófalvy - 19-05-2021 13:21:13
I digress, I don't think there's anything uglier than ASN.1 on this planet
Remco van Zuijlen - 19-05-2021 13:21:18
George Michaelson - 19-05-2021 13:21:26
SEQUENCE OF UGLY [  .....]
George Michaelson - 19-05-2021 13:21:41
we're still waiting for ASN.2
Markus Zeilinger - 19-05-2021 13:21:44
@George: Same here, this -noout -text thing is completely weird!
Gert Doering - 19-05-2021 13:21:59
George: wasn't this "wrap ASN.1 in XML"?
Adonis Stergiopoulos - 19-05-2021 13:22:10
Just a reminder, if you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Patrick Tarpey - 19-05-2021 13:22:16
Is any having audio issues...
Patrick Tarpey - 19-05-2021 13:22:18
Gert Doering - 19-05-2021 13:22:27
audio is good here, if a bit quiet
Gordon Gidófalvy - 19-05-2021 13:22:34
that was the proposed beta. ASN.2 is ASN.1 wrapped in JSONx
Wolfgang Tremmel - 19-05-2021 13:22:43
I hear a "ding" from time to time
Robert Kisteleki - 19-05-2021 13:22:56
that's ASN.3. ASN.2 was in XML
Marco van Tol - 19-05-2021 13:23:28
If you suspect you have audio issues you can try to "reconnect audio" in the lower-right corner of the meetecho window
Blake Willis - 19-05-2021 13:23:38
so ASN.4 is wrapped in YAML?
Job Snijders - 19-05-2021 13:23:44
ASN.5 is YANG?
Brian Trammell - 19-05-2021 13:23:47
Gert Doering - 19-05-2021 13:24:10
YANG-wrapped-ASN.1 would certainly win a price for the doubly-worst protocol ever
Wolfgang Zenker - 19-05-2021 13:24:31
that occasional "ding" happens here as well. maybe only sent to wolfgangs?
Job Snijders - 19-05-2021 13:24:37
To be honest, I think ASN.1 is getting a lot of bad rep - the problem usually isn't ASN.1 but programmers wanting to take shortcuts
Gert Doering - 19-05-2021 13:25:02
Job: we can't have facts interfere with our ASN.1 bashing
Peter Hessler - 19-05-2021 13:25:03
I'm also getting the dings, I think it is coming from the presenter
Kurt Kayser - 19-05-2021 13:25:26
they are called "developer pings" :-)
George Michaelson - 19-05-2021 13:25:57
ASN1. because BER wasn't enough we have DER and PER and XER...
Blake Willis - 19-05-2021 13:28:29
need a clap track
George Michaelson - 19-05-2021 13:28:29
Fascinating! thank you
Wolfgang Tremmel - 19-05-2021 13:28:35
Martina de Mas - 19-05-2021 13:28:38
Kurt Kayser - 19-05-2021 13:28:39
Markus Zeilinger - 19-05-2021 13:29:32
@Luuk: How would you compare JDR.jl to the RPKI Explorer of Cloudflare? Of course your stuff looks more powerful to me, but there is overlapping functionality, isn't it?
George Michaelson - 19-05-2021 13:30:25
Another tool is RPKIVIZ which is by Declan Ma, modelled on DNSVIZ by Casey Deccio, Verisign
George Michaelson - 19-05-2021 13:30:54
any tool which shows the validation chain, validity, specific errors is going to have overlaps I guess
Markus Zeilinger - 19-05-2021 13:33:19
Of course right, maybe I missed it, but from the presentation it seemed to me that there is nothing available right now to interactively work with RPKI data.
Job Snijders - 19-05-2021 13:35:10
what do you mean with 'work with' ?
Job Snijders - 19-05-2021 13:35:20
the openssl example i gave is interactive
Job Snijders - 19-05-2021 13:35:27
the julia notebook is interactive
Markus Zeilinger - 19-05-2021 13:38:37
From my point of view, there are already tools available for interactively working with RPKI data (eg RPKI Explorer from Cloudflare). Luuk didn't mention that during his talk (or I just missed it) and I would be interested to here about differences/similarities ...
Robert Scheck - 19-05-2021 13:38:59
Ha, Job's cat.
Kurt Kayser - 19-05-2021 13:39:40
Luuk Hendriks - 19-05-2021 13:40:08
Hi Markus. There indeed is overlap, especially if you compare it to the web front-end (so jdr.nlnetlabs.nl).We do aim at diving as deep as possible into those X509 and CMS files (in an attempt to help out not only operators, but also developers), whereas most other (hosted) tools seem to focus on showing you what resources/ROAs are (validly) published in the RPKI.One example I did not get to mention because of time: we are now working on including files for which the manifest is missing. Anything under a missing manifest is clearly something you'd not want to use to feed to your routers, but we do want to make such (invalid) resources searchable.
Job Snijders - 19-05-2021 13:40:52
@luuk - how do you know things are 'under' a manifest, when the manifest is missing?
Luuk Hendriks - 19-05-2021 13:42:03
if we did get them via rsync/rrdp. There is indeed no way to say for sure that's what would have been on the manifest, true, but I'm hoping it would make for an educated guess that could help while troubleshooting
Markus Zeilinger - 19-05-2021 13:43:37
Thanks Luuk, great stuff anyway!
Peter Hessler - 19-05-2021 13:46:12
the new ripestat ui makes it clear that maxmind is incompetent, so that's nice
Carlos Martinez - 19-05-2021 13:46:14
Good morning from misty Montevideo, Uruguay
George Michaelson - 19-05-2021 13:46:28
Missing Manifest: there are two states: you are empty, the outcome is you cannot know what should be on the manifest which is missing. You have prior state, the manifest has gone missing: you can make an educated guess about the distinction between what was there, and what you see now. But, its a heuristic. The safe validation path in the specs requires you to cease processing anything under the arc of the tree, because you cannot know how the manifest would direct what to accept or reject, in what you see, and you can't know how to compute BGP validity for the arc, since ROA could knock out or allow arbitrary changes to the entire state of this arm of the tree.
Kurt Kayser - 19-05-2021 13:50:50
Great work, Christian!
Luuk Hendriks - 19-05-2021 13:50:52
Hi George! just to be sure: I agree that RP software should cease processing. The thing I'd like JDR to do, is help finding out the answer to the question 'my prefix/ROAs are not behaving as expected' -> 'could it be caused by missing.mft from some_specific.cer'
Kurt Kayser - 19-05-2021 13:51:04
Job Snijders - 19-05-2021 13:51:07
Thank you Christian for this update! A fun overview - you and the team should be proud!
Peter Magnusson - 19-05-2021 13:51:48
Robert Kisteleki - 19-05-2021 13:51:53
Joachim Ernst - 19-05-2021 13:51:57
Wolfgang Tremmel - 19-05-2021 13:52:04
Thank you for RIPEstat!
Markus Zeilinger - 19-05-2021 13:52:07
RIPEstats is definitly a great success story!!!
Mick Begley - 19-05-2021 13:52:07
Brian Trammell - 19-05-2021 13:52:26
Brian Nisbet - 19-05-2021 13:52:46
Lars Prehn - 19-05-2021 13:53:02
Oliver Payne - 19-05-2021 13:53:22
thanks for the ripeSTAT info!
Florian Streibelt - 19-05-2021 13:54:33
Gert Doering - 19-05-2021 13:56:47
Stephen Strowes - 19-05-2021 13:57:39
Stephen Strowes - 19-05-2021 13:57:41
just one stat
Ondřej Caletka - 19-05-2021 13:57:44
Oliver Payne - 19-05-2021 13:57:46
but which stat do we have?!
Christian Teuschel - 19-05-2021 13:57:48
Christian Teuschel - 19-05-2021 13:58:23
(not to the new suggestions for new spellings :)
Gert Doering - 19-05-2021 13:58:44
Oliver Payne - 19-05-2021 13:58:58
Christian I recommend you get an RIPE logo tattoo, and you can call it RIPE's Tat
Brian Nisbet - 19-05-2021 13:59:07
Christian Teuschel - 19-05-2021 13:59:15
I have that already
Florian Streibelt - 19-05-2021 14:00:24
Kurt Kayser - 19-05-2021 14:01:06
no questions, it just works!
Ondřej Caletka - 19-05-2021 14:01:14
Only negative questions can be asked.
Adonis Stergiopoulos - 19-05-2021 14:01:41
This session has now ended. The next session is the DNS Working Group and it will start at 14:30 UTC+2. More info on the RIPE 82 meeting plan: https://ripe82.ripe.net/programme/meeting-plan/