author | Job Snijders <job@cvs.openbsd.org> | 2024-11-02 12:30:29 +0000 |
---|---|---|
committer | Job Snijders <job@cvs.openbsd.org> | 2024-11-02 12:30:29 +0000 |
commit | 0c520c81346145e61f1c829de458bdc31a383fb5 (patch) | |
tree | d7b0aa0631e20abcd5952de121adefecfac5e03a /usr.sbin/rpki-client/main.c | |
parent | 3ef9fe8a9a1f9530b4fea9e825fcea703d2b02c4 (diff) |
Improve detection of gaps in Manifest issuance
It is helpful for network operators, publication point operators, and CA
operators to have more insight into whether the RP noticed an issuance
gap between two versions of a given manifest.
* a high number of gaps all the time might be an indication the RP is not refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken
Correlation opportunity: detection of a gap means some of the CA's
intermediate states were occluded from the RP; the RP operator might
want to correlate this to traffic shifts in BGP or publication point
reachability issues.
Going forward, emit a warning per manifest, add metrics to the
openmetrics output, and display a summary at the end of the run about
issuance gaps.
OK tb@
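The comparison behind the gap counter, as an added example written for this page and not rpki-client code: a freshly fetched manifest's manifestNumber is classified against the number cached from the previous run, and only "fresh is greater than cached + 1" counts as a gap; an unchanged number and a number that went backwards are reported separately, since they are different failures from the one the commit message describes. manifestNumber is an unsigned integer of up to 20 octets (RFC 9286), so it is handled here as a canonical hex digit string; that representation, the enum and function names, and the sample pairs are assumptions of the example, not the project's own types.

```c
/*
 * Added example, not rpki-client code: classify a freshly fetched manifest's
 * manifestNumber against the one cached from the previous run.  Numbers are
 * canonical hex strings (no leading zero, at most 40 digits = 20 octets).
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum mft_seq {
	MFT_SEQ_INVALID = -1,	/* not canonical hex, or longer than 20 octets */
	MFT_SEQ_FIRST,		/* nothing cached, nothing to compare against */
	MFT_SEQ_SAME,		/* unchanged: stale or re-fetched, not a gap */
	MFT_SEQ_NEXT,		/* cached + 1: the expected case */
	MFT_SEQ_GAP,		/* > cached + 1: versions the RP never saw */
	MFT_SEQ_ROLLBACK	/* < cached: the CA went backwards */
};

/* Canonical hex: 1 to 40 hex digits, no leading zero unless the value is 0. */
static int
hex_valid(const char *s)
{
	size_t n = strspn(s, "0123456789abcdefABCDEF");

	return n > 0 && n <= 40 && s[n] == '\0' && (n == 1 || s[0] != '0');
}

/* Compare two canonical unsigned hex numbers: -1, 0 or 1. */
static int
hex_cmp(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b), i;
	int ca, cb;

	if (la != lb)
		return la < lb ? -1 : 1;
	for (i = 0; i < la; i++) {
		ca = toupper((unsigned char)a[i]);
		cb = toupper((unsigned char)b[i]);
		if (ca != cb)
			return ca < cb ? -1 : 1;
	}
	return 0;
}

/* Return in + 1 as canonical hex, built in out (strlen(in) + 2 bytes). */
static const char *
hex_inc(const char *in, char *out)
{
	size_t len = strlen(in), i;
	int carry = 1, v;

	out[len + 1] = '\0';
	for (i = len; i-- > 0;) {
		v = isdigit((unsigned char)in[i]) ? in[i] - '0' :
		    toupper((unsigned char)in[i]) - 'A' + 10;
		v += carry;
		carry = v >> 4;
		out[i + 1] = "0123456789ABCDEF"[v & 0xf];
	}
	out[0] = '1';
	return carry ? out : out + 1;	/* skip the unused carry slot */
}

enum mft_seq
mft_seqnum_classify(const char *cached, const char *fresh)
{
	char next[48];	/* 40 digits, one carry digit, NUL */
	int c;

	if (!hex_valid(fresh) || (cached != NULL && !hex_valid(cached)))
		return MFT_SEQ_INVALID;
	if (cached == NULL)
		return MFT_SEQ_FIRST;
	if ((c = hex_cmp(fresh, cached)) == 0)
		return MFT_SEQ_SAME;
	if (c < 0)
		return MFT_SEQ_ROLLBACK;
	return hex_cmp(fresh, hex_inc(cached, next)) == 0 ?
	    MFT_SEQ_NEXT : MFT_SEQ_GAP;
}

int
main(void)
{
	/* Constructed (cached, fresh) pairs, not numbers from a real repository. */
	static const struct { const char *cached, *fresh; } s[] = {
		{ NULL, "1F" }, { "1F", "1F" }, { "1F", "20" }, { "1F", "23" },
		{ "20", "1F" }, { "FFFFFFFFFFFFFFFFFFFF", "100000000000000000000" },
	};
	static const char *names[] = { "first", "same", "next", "GAP", "rollback" };
	size_t i;

	for (i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%-22s -> %-22s %s\n", s[i].cached ? s[i].cached : "(none)",
		    s[i].fresh, names[mft_seqnum_classify(s[i].cached, s[i].fresh)]);
	return 0;
}
```

Counting one increment per manifest classified as a gap, the way the entity_process() hunk below calls repo_stat_inc() once per manifest, gives the number of gapped manifests rather than the number of skipped versions: a CA that issued fifty manifests while the RP could not reach the publication point shows up as a single gap for that manifest.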
Diffstat (limited to 'usr.sbin/rpki-client/main.c')
-rw-r--r-- | usr.sbin/rpki-client/main.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index 3e34c33c947..05683d16f00 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.268 2024/10/23 12:09:14 claudio Exp $ */ +/* $OpenBSD: main.c,v 1.269 2024/11/02 12:30:28 job Exp $ */ /* * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -639,6 +639,8 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, break; } mft = mft_read(b); + if (mft->seqnum_gap) + repo_stat_inc(rp, talid, type, STYPE_SEQNUM_GAP); queue_add_from_mft(mft); mft_free(mft); break; @@ -764,6 +766,7 @@ sum_stats(const struct repo *rp, const struct repotalstats *in, void *arg) out->mfts += in->mfts; out->mfts_fail += in->mfts_fail; + out->mfts_gap += in->mfts_gap; out->certs += in->certs; out->certs_fail += in->certs_fail; out->roas += in->roas; @@ -1500,8 +1503,9 @@ main(int argc, char *argv[]) stats.repo_tal_stats.certs, stats.repo_tal_stats.certs_fail); printf("Trust Anchor Locators: %u (%u invalid)\n", stats.tals, talsz - stats.tals); - printf("Manifests: %u (%u failed parse)\n", - stats.repo_tal_stats.mfts, stats.repo_tal_stats.mfts_fail); + printf("Manifests: %u (%u failed parse, %u seqnum gaps)\n", + stats.repo_tal_stats.mfts, stats.repo_tal_stats.mfts_fail, + stats.repo_tal_stats.mfts_gap); printf("Certificate revocation lists: %u\n", stats.repo_tal_stats.crls); printf("Ghostbuster records: %u\n", stats.repo_tal_stats.gbrs); printf("Trust Anchor Keys: %u\n", stats.repo_tal_stats.taks); |
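Review bot: in the entity_process() hunk, `mft->seqnum_gap` and `STYPE_SEQNUM_GAP` have no definition in main.c, and this view is limited to that file; the struct mft field the parser sets, the new STYPE_ enumerator and its case in repo_stat_inc() must land in the same commit or the tree does not build at this revision. Placing the check between mft_read() and queue_add_from_mft() is the right spot, since the stat is taken once per manifest the parser handed back, but the per-manifest warning the commit message promises is not in this hunk either and has to come from another file of the same commit.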
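Review bot: `mfts_gap` in the sum_stats() hunk likewise has no definition in this file; the matching field has to be added to struct repotalstats (extern.h) and, for the openmetrics output the commit message promises, to the ometric writer, neither of which is part of this diff. Placing `out->mfts_gap += in->mfts_gap;` directly after mfts_fail keeps the aggregation order consistent with the surrounding fields.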
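Review bot: the summary line in the main() hunk says "seqnum gaps" while the commit message calls them issuance gaps; pick one term for this line, the per-manifest warning and the openmetrics metric name so an operator can search for a single string across all three outputs. It is also worth stating, in this line or in rpki-client.8, that mfts_gap counts manifests for which a gap was detected (repo_stat_inc() runs once per manifest in entity_process()), not the number of skipped manifest numbers, so a long outage appears as one gap per affected manifest rather than one per missed issuance.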