[RPKI-Deployers] How many active sessions to RPKI validators?
Tony Tauber
ttauber at 1-4-5.net
Tue Jul 28 19:30:33 EDT 2020
Hi Rich,
Our design is to run 4 VCs (Validating Caches):
Two different SW packages (RIPE Validator, Routinator) in each of two
different data centers ("east", "west").
My idea was to have both:
- geographic diversity in case of problem in or reaching a given
datacenter
- code diversity in case of some issue with one package we could just
disable w/o reconfiguring every router
So far using Cisco IOS-XR
- 6.5.2 on NCS 5500 platform
- 6.1.4 on ASR 9000 platform
All four came up no problem. However, I saw the connections were all
resetting about every 11 min (1 min data, 10 min idle?)
(Wasn't seen from lab Juniper running 16.1R4-S9.2.)
I found out that the FW in front of the validating caches (not my choice)
has a 10 minute idle timeout before flushing the state entry.
Adjusting the refresh value to 5 min (300 seconds) worked around that
problem just fine.
One note is that this also showed different behavior between the two IOS
versions.
The older one would refresh all the entries. The newer code hit CSCvp82287
<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp82287> which was
mentioned here earlier I think.
The behavior was that only new ROAs would come over the RTR connections to
the routers.
Issuing a "clear...." command would force a refresh, but now we're fine
since the connections aren't resetting all the time.
I'm thinking I need a script to keep an eye on the status from the router
side. (Maybe you're thinking the same.)
On the validator side, there are scads of metrics from each VC package, but
they're not all the same.
This one is somewhat useful from server side (visible on port 9126 by
default)
# HELP routinator_rtr_current_connections currently open RTR connections
# TYPE routinator_rtr_current_connections gauge
routinator_rtr_current_connections 11
But there's nothing similar for RIPE Validator. Even so, it doesn't really
tell you enough of the picture I think.
Still need to capture the router-side POV.
Hopefully this info is helpful to you and feel free to hit me with more
comments or questions (same for anyone else).
Let's keep the conversation going.
Tony
On Tue, Jul 28, 2020 at 3:49 PM Compton, Rich A <Rich.Compton at charter.com>
wrote:
> Hello all,
>
> Junos by default will maintain 2 active connections to RPKI validators
> even if there are more than 2 validator IPs configured. If there is an
> issue with a connection to one of the active validators, Junos will pick
> one of the other inactive validators to connect to. Also, it is possible
> to increase the “max-sessions” variable in the validator group config to
> something greater than the default of 2 so that the router will maintain
> active connections to more validators.
>
> My question is, out of these two options, which option do you think is
> preferable and why?
>
> Thanks!
>
>
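As an added example (not from this thread, and not code from Routinator or RIPE Validator), a small Python check that parses the Prometheus text format Routinator serves on port 9126, reports whether the open RTR connection count matches the number of routers that should peer with a given VC, and sanity-checks a refresh interval against the stateful firewall idle timeout described above. The sample scrape text and the labelled metric name are constructed, and the expected router count and timeout values are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of a scrape of http://<validating-cache>:9126/metrics.
# Only routinator_rtr_current_connections is quoted in the thread; the
# labelled metric is a made-up placeholder to exercise label parsing.
SAMPLE_METRICS = """\
# HELP routinator_rtr_current_connections currently open RTR connections
# TYPE routinator_rtr_current_connections gauge
routinator_rtr_current_connections 11
# HELP example_labelled_gauge constructed placeholder metric
# TYPE example_labelled_gauge gauge
example_labelled_gauge{site="east",software="routinator"} 1
"""

# Prometheus text exposition line: name, optional {labels}, value
_METRIC_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)")


def parse_metrics(text: str) -> Dict[Tuple[str, str], float]:
    """Return {(metric_name, label_string): value}; comment lines are skipped."""
    out: Dict[Tuple[str, str], float] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _METRIC_RE.match(line)
        if m:
            out[(m.group(1), m.group(2) or "")] = float(m.group(3))
    return out


def rtr_session_status(text: str, expected_routers: int) -> Tuple[str, Optional[int]]:
    """Compare open RTR connections on one VC with the routers expected to
    peer with it; 'unknown' when the gauge is absent (e.g. RIPE Validator)."""
    value = parse_metrics(text).get(("routinator_rtr_current_connections", ""))
    if value is None:
        return "unknown", None
    current = int(value)
    return ("ok" if current >= expected_routers else "degraded"), current


def refresh_interval_ok(refresh_seconds: int, fw_idle_timeout_seconds: int) -> bool:
    """The RTR refresh timer must expire before a stateful firewall between
    router and cache drops the idle flow (thread: 300 s vs a 600 s timeout)."""
    return refresh_seconds < fw_idle_timeout_seconds
```

Run against each VC from a cron job or monitoring agent; "unknown" flags caches whose package exposes no equivalent gauge, so the router-side view still has to be checked separately.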