Re: ARIN RPKI Trust Anchor Issue

[Job Snijders <job () sobornost net>]

On Thu, Jan 30, 2025 at 04:03:58PM +0100, Simon Leinen wrote:
> > It is interesting that the 'trigger event' happened two days ago,
> > but it is only just now that it became quite tangible! It seems this
> > anomaly could've been alerted for earlier on.
>
> Can you elaborate how? (Looking for overly-large or otherwise
> suspicious manifests signed by CAs?)

One could develop simple monitoring utility which checks for 'overly'
long filesizes of signed objects in the Relying Party's cache. I don't
recommend the below for production monitoring, but merely as
illustration. 

For example, using rpki-client on Debian Linux, the following displays
the top 10 largest objects:

        $ cd /var/lib/rpki-client/cache
        $ find * -type f | xargs du -ka | sort -nr | head

Another example, one could monitor the RRDP snapshot size simply by
fetching it:

        $ curl -s https://rrdp.arin.net/notification.xml | grep snapshot
        <snapshot uri="https://rrdp.arin.net/4a394319-7460-4141-a416-1addb69284ff/99127/snapshot.xml"; 
hash="3f2acde605e9aa4b2370e41299d445b5c01a47f78d5ac8df4c8cdc69cf837a98"/>
        $ wget --no-verbose  --compression=gzip 
https://rrdp.arin.net/4a394319-7460-4141-a416-1addb69284ff/99127/snapshot.xml
        2025-01-30 15:22:52 URL:https://rrdp.arin.net/4a394319-7460-4141-a416-1addb69284ff/99127/snapshot.xml 
[532342274] -> "snapshot.xml" [1]

In a similar way, the notification.xml can be used to find RRDP deltas
and monitor those for size and trends in size.

There also are all kinds of metrics available in OpenMetrics format in
/var/lib/rpki-client/metrics

All in all - there are hundreds of metrics to look at! :-)

Kind regards,

Job