A Few Months In The Life Of An RPKI Introduction Validator - PowerPoint PPT Presentation

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein <sra@hactrn.net> Average Connection Duration Randy Bush <randy@psg.com> Failure Rate Rate Limiting Michael Elkins <Michael.Elkins@sparta.com> Repository . . . and a lot of help from our friends Summaries Conclusion IETF 83 Paris March 2012

A Few Months In The World As Seen By One RPKI Validator The Life Of An RPKI Validator http://rpki.net/ Introduction Performance Graphs Object Counts Connection Counts Objects/Connection ◮ Data as logged by one validator in Seattle. Seconds/Object Average Connection Duration ◮ Data collection started late October 2011. Failure Rate Rate Limiting ◮ Guilty parties are good people, all friends here. Repository Summaries ◮ Expect updated report(s) at later date(s). Conclusion

A Few Months In A Brief Overview of RPKI Validation The Life Of An RPKI Validator http://rpki.net/ Introduction Performance Graphs ◮ Distributed global database of X.509 certificates and Object Counts Connection Counts dependent objects. Objects/Connection Seconds/Object Average Connection ◮ The X.509 certificates contain rsync:// URIs. Duration Failure Rate ◮ Validation starts at trust anchor(s). Rate Limiting Repository ◮ Validator walks certificate tree, following URIs. Summaries Conclusion ◮ rcynic is one such validator. ◮ rcynic is session-oriented (cron job).

A Few Months In Object Counts (Linear) The Life Of An RPKI Validator http://rpki.net/ Introduction 3500 Objects In Repository (Distinct URIs Per Session) rpki.apnic.net Performance rpki.ripe.net Graphs 3000 repository.lacnic.net Object Counts rpki.afrinic.net Connection Counts rpki-pilot.arin.net Objects/Connection 2500 arin.rpki.net Seconds/Object rgnet.rpki.net Average Connection Duration 2000 Failure Rate Rate Limiting Repository 1500 Summaries Conclusion 1000 500 0 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04

A Few Months In Object Counts (Logarithmic) The Life Of An RPKI Validator http://rpki.net/ Introduction 10000 Objects In Repository (Distinct URIs Per Session) rpki.apnic.net Performance rpki.ripe.net Graphs repository.lacnic.net Object Counts rpki.afrinic.net Connection Counts rpki-pilot.arin.net 1000 Objects/Connection arin.rpki.net Seconds/Object rgnet.rpki.net Average Connection Duration Failure Rate Rate Limiting 100 Repository Summaries Conclusion 10 1 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04

A Few Months In Object Counts: Observations The Life Of An RPKI Validator http://rpki.net/ Introduction Performance Graphs Object Counts Connection Counts Objects/Connection ◮ Large downward spikes are either genuine mass Seconds/Object Average Connection extinction events or, more likely, validation failure of a Duration Failure Rate high-level certificate causing a large subtree to go Rate Limiting invalid. Either way, these usually indicate Something Repository Summaries Very Bad. Conclusion

A Few Months In Connection Counts (Linear) The Life Of An RPKI Validator http://rpki.net/ Introduction 1000 rpki.apnic.net Performance Connections To Repository (Per Session) rpki.ripe.net 900 Graphs repository.lacnic.net Object Counts rpki.afrinic.net 800 Connection Counts rpki-pilot.arin.net Objects/Connection arin.rpki.net 700 Seconds/Object rgnet.rpki.net Average Connection Duration 600 Failure Rate Rate Limiting 500 Repository 400 Summaries Conclusion 300 200 100 0 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04

A Few Months In Connection Counts (Logarithmic) The Life Of An RPKI Validator http://rpki.net/ Introduction 1000 rpki.apnic.net Performance Connections To Repository (Per Session) rpki.ripe.net Graphs repository.lacnic.net Object Counts rpki.afrinic.net Connection Counts rpki-pilot.arin.net Objects/Connection arin.rpki.net Seconds/Object 100 rgnet.rpki.net Average Connection Duration Failure Rate Rate Limiting Repository Summaries 10 Conclusion 1 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04

A Few Months In Connection Counts: Observations The Life Of An RPKI Validator http://rpki.net/ Introduction Performance ◮ Downward spikes are connection failures, because Graphs Object Counts once we decide a repository server is down, we give Connection Counts Objects/Connection up on it until the next session. Seconds/Object Average Connection ◮ Are those repositories really that flaky? Perhaps, but Duration Failure Rate Rate Limiting at least one of them does their own monitoring and Repository says not. Problem only seems to occur for Summaries repositories with AAAA RRs. Uh oh. As far as we Conclusion can tell this is an IPv6 problem: IPv6 from Seattle to Amsterdam appears to be much flakier than IPv4 from Seattle to Brisbane.

A Few Months In Objects/Connection (Linear) The Life Of An RPKI Validator http://rpki.net/ Objects In Repository / Connections To Repository 22 rpki.apnic.net Introduction 20 rpki.ripe.net repository.lacnic.net Performance 18 rpki.afrinic.net Graphs rpki-pilot.arin.net Object Counts 16 arin.rpki.net Connection Counts rgnet.rpki.net 14 Objects/Connection Seconds/Object 12 Average Connection Duration Failure Rate 10 Rate Limiting 8 Repository Summaries 6 Conclusion 4 2 0 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04 (Sessions with connection failures not shown)

A Few Months In Objects/Connection (Logarithmic) The Life Of An RPKI Validator http://rpki.net/ Objects In Repository / Connections To Repository 100 rpki.apnic.net Introduction rpki.ripe.net repository.lacnic.net Performance rpki.afrinic.net Graphs rpki-pilot.arin.net Object Counts arin.rpki.net Connection Counts rgnet.rpki.net Objects/Connection Seconds/Object Average Connection Duration 10 Failure Rate Rate Limiting Repository Summaries Conclusion 1 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04 (Sessions with connection failures not shown)

A Few Months In Seconds/Object (Linear) The Life Of An RPKI Validator http://rpki.net/ Seconds To Transfer / Object (Average Per Session) 70 rpki.apnic.net Introduction rpki.ripe.net 60 repository.lacnic.net Performance rpki.afrinic.net Graphs rpki-pilot.arin.net Object Counts 50 arin.rpki.net Connection Counts rgnet.rpki.net Objects/Connection Seconds/Object 40 Average Connection Duration Failure Rate 30 Rate Limiting Repository 20 Summaries Conclusion 10 0 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04 (Sessions with connection failures not shown)

A Few Months In Seconds/Object (Logarithmic) The Life Of An RPKI Validator http://rpki.net/ Seconds To Transfer / Object (Average Per Session) 100 rpki.apnic.net Introduction rpki.ripe.net repository.lacnic.net Performance rpki.afrinic.net Graphs rpki-pilot.arin.net 10 Object Counts arin.rpki.net Connection Counts rgnet.rpki.net Objects/Connection Seconds/Object Average Connection Duration 1 Failure Rate Rate Limiting Repository Summaries 0.1 Conclusion 0.01 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04 (Sessions with connection failures not shown)

A Few Months In Seconds/Object: Observations The Life Of An RPKI Validator http://rpki.net/ Introduction Performance ◮ “Elapsed time” is sum of parallel connection Graphs Object Counts times—five parallel connections of four minutes each Connection Counts Objects/Connection counts as twenty minutes. Seconds/Object Average Connection ◮ We can speed up in terms of wall time by running Duration Failure Rate more connections in parallel, but that puts more load Rate Limiting Repository on the repository servers and risks rate limiting Summaries (more on this later). Conclusion ◮ Spikes here are slow repository servers; whether it’s the network path or the server itself that’s slow, we don’t know.

A Few Months In Average Connection Duration (Linear) The Life Of An RPKI Validator http://rpki.net/ Introduction 300 rpki.apnic.net Seconds / Connection (Average Per Session) Performance rpki.ripe.net Graphs repository.lacnic.net Object Counts 250 rpki.afrinic.net Connection Counts rpki-pilot.arin.net Objects/Connection arin.rpki.net Seconds/Object 200 rgnet.rpki.net Average Connection Duration Failure Rate Rate Limiting 150 Repository Summaries 100 Conclusion 50 0 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04

A Few Months In Average Connection Duration (Logarithmic) The Life Of An RPKI Validator http://rpki.net/ Introduction 1000 rpki.apnic.net Seconds / Connection (Average Per Session) Performance rpki.ripe.net Graphs repository.lacnic.net Object Counts rpki.afrinic.net Connection Counts rpki-pilot.arin.net 100 Objects/Connection arin.rpki.net Seconds/Object rgnet.rpki.net Average Connection Duration Failure Rate Rate Limiting 10 Repository Summaries Conclusion 1 0.1 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2012-04