Upcoming LACNIC RPKI Migration

Hello all,

On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will be migrating from our current legacy RPKI CA system to a new Krill-based RPKI core.

In most cases no action will be required on your part (see below for some special cases). What follows is a list of events that will take place at the mentioned time and that may be of interest to you.

* Our TAL file won't change at this time. There is no need to change anything in your current RP configuration.
* Our RTA certificate, while keeping the old key, will point to a new manifest.

From the outside, what RPs will see is the following sequence of events:

* At some time T0 all our current servers (both RRDP and rsync) will be shut down, returning "connection refused" for both http and rsync.
* New values for the DNS records will be published (same names, different IPs).
* At approximately T0+30min the servers listening on the new IPs will be started and will start serving the repository as produced by the new Krill-based system.
* When they first connect, RPs will see a new RRDP session and will take it from there.

We have tested this migration flow using a set of docker containers plus a DNS server container running dnsmasq, which allows us to modify records on the fly. In all the cases we tested this flow works just fine.

We have tested this migration flow with the following RPs:

* rpki-client from "latest" all the way back to 8.2.
* routinator from "latest" all the way back to 0.8.
* fort from "latest" all the way back to 1.5.0.

What we have not tested:

* RIPE rpki validator: it's been deprecated for three years. You shouldn't be running this and you know it :-) In any case, it should work.
* OctoRPKI: also recently deprecated.
* Rpki-prover.
* RIPSTR.

All of the above should work. However bear in mind the following: if you are running any of the above and you notice issues, just clear the local cache, launch a clean instance of your RP and you should be fine.

We have set up a specific email inbox for this migration work: rpki-migracion@lacnic.net. It will be closely monitored during April 15 and the following days. It will be phased out once we are confident all issues that may arise have been addressed.

For those interested, the new servers are already online and can be used to validate. These can be reached at:

* lb-us-mia.rrdp.lacnic.net
* lb-us-southeast.rrdp.lacnic.net
* lb-br-gru.rrdp.lacnic.net

Don't expect to see the exact same VRPs as you see now on our current production server as minor differences are expected. Don't hardcode this either, as during the migration "rrdp.lacnic.net" will be made to point to these servers and eventually these names may change and/or new ones may be added.

Thank you all!

/Carlos
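The announcement says RPs will "see a new RRDP session and take it from there". The following added example (not LACNIC's, Krill's or any RP's code) models that decision: it parses an RRDP notification.xml as defined in RFC 8182 and works out whether a relying party can apply deltas or must fall back to the snapshot, which is what a changed session_id forces. The session UUIDs, URI layout under rrdp.lacnic.net and hash values in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"  # XML namespace fixed by RFC 8182

@dataclass(frozen=True)
class RpState:
    """What a relying party remembers from its last successful RRDP fetch."""
    session_id: str
    serial: int

def parse_notification(xml_text: str) -> Dict:
    """Extract session_id, serial, snapshot URI and the delta map from notification.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != RRDP_NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP version 1 notification file")
    snapshot = root.find(RRDP_NS + "snapshot")
    if snapshot is None:
        raise ValueError("notification lacks the mandatory snapshot element")
    deltas = {int(d.get("serial")): d.get("uri") for d in root.iter(RRDP_NS + "delta")}
    return {"session_id": root.get("session_id"), "serial": int(root.get("serial")),
            "snapshot": snapshot.get("uri"), "deltas": deltas}

def plan_update(state: Optional[RpState], notif: Dict) -> Tuple[str, List[str]]:
    """Decide how the RP catches up (RFC 8182, section 3.4.3). A changed session_id,
    which is what RPs saw on first contact with the new Krill-based servers, forces
    a snapshot: deltas from the old session cannot be applied to the cached state."""
    if state is None or state.session_id != notif["session_id"]:
        return "snapshot", [notif["snapshot"]]
    if notif["serial"] == state.serial:
        return "noop", []
    if notif["serial"] < state.serial:  # serial went backwards: resynchronise fully
        return "snapshot", [notif["snapshot"]]
    wanted = range(state.serial + 1, notif["serial"] + 1)
    if all(s in notif["deltas"] for s in wanted):
        return "deltas", [notif["deltas"][s] for s in wanted]
    return "snapshot", [notif["snapshot"]]  # a delta is missing: fall back to snapshot

# Constructed sample data: session UUIDs, URI layout and hashes are placeholders.
OLD_SESSION = "0f7a3d2e-0000-4000-8000-000000000001"
NEW_SESSION = "5b1c9e44-0000-4000-8000-000000000002"

def notification_xml(session: str, serial: int, delta_serials: List[int]) -> str:
    base = f"https://rrdp.lacnic.net/rrdp/{session}/"  # assumed layout, not LACNIC's
    deltas = "".join(f'<delta serial="{s}" uri="{base}{s}/delta.xml" hash="00"/>'
                     for s in delta_serials)
    return (f'<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
            f'session_id="{session}" serial="{serial}">'
            f'<snapshot uri="{base}{serial}/snapshot.xml" hash="00"/>{deltas}</notification>')
```

An RP whose cached state carries the old session_id gets a "snapshot" plan against the new servers, which is the clean-cache behaviour the announcement relies on.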

Dear Carlos, LACNIC, and wider community,

I very much appreciate how LACNIC worked with various stakeholders before publicly committing to the schedule outlined in Carlos' email.

From what I can see, LACNIC pro-actively and properly tested their purported post-migration environment with a very broad set of old and new versions of a myriad of RPKI cache implementations. Then they also reached out to anyone they could think of, in a timely manner, to accommodate the opportunity for feedback and confirm compliance with IETF RPKI standards pre/during/post the upcoming migration.

LACNIC - your plan seems solid; thank you for sharing it with us.

Kind regards,
Job

Thanks Job! Much appreciated!

On Mon, Apr 8, 2024 at 7:30 PM Job Snijders <job@fastly.com> wrote:
--
Carlos M. Martinez-Cagnazzo
http://cagnazzo.me

Hi all,

We'll start in about 45 minutes.

/Carlos

On Mon, Apr 8, 2024 at 5:18 PM Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:

Hi all, it's me again.

The switch is complete. Thank you all for your patience.

/Carlos

On Mon, Apr 15, 2024 at 9:21 AM Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:

Hi Carlos,

Congrats to you and the team for the smooth migration. I can speak for all of us at NLnet Labs that we're super proud that LACNIC is now running Krill.

Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the years of hard work on our open-source RPKI project – and for ironing out a small bump yesterday together with NIC.br after the switch-over.

Cheers,
Alex
On 15 Apr 2024, at 16:24, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote: