From: Theo Buehler
Subject: Re: rpki-client: expose Manifest sequence number gaps in log & telemetry
To: Job Snijders
Cc: tech@openbsd.org
Date: Sat, 2 Nov 2024 13:07:20 +0100

On Sat, Nov 02, 2024 at 11:56:00AM +0000, Job Snijders wrote:
> Alloah,
>
> I think it is helpful for network operators, publication point
> operators, and CA operators to have more insight into whether the RP
> noticed an issuance gap between two versions of a given manifest.
>
> Detection of Manifest issuance gaps can be useful in a number of ways:
>
> * high number of gaps all the time might be an indication the RP is not
>   refreshing often enough
> * the RFC 8181 publication server's ingress API endpoint has issues
> * the RFC 8181 publication client has trouble reaching the server
> * the CA is trying to issue manifests more than once a second
> * the CA's private keys (RPKI + BPKI) are in use on a (cloned) system
> * the CA's issuance database is broken
>
> Correlation opportunities
> -------------------------
>
> Detection of a gap means some of the CA's intermediate states were
> occluded from the RP; the RP operator might want to correlate this to
> traffic shifts in BGP, and repository reachability issues.
>
> The below patch emits a warning per manifest, adds metrics to the
> openmetrics output, and displays a summary at the end of the run.

I do wonder if we don't want to hide the warning under -v. But as you
say, perhaps that encourages continuous frequent running of rpki-client.
We can reconsider this after seeing how it works in practice.

ok tb
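The check the quoted message describes, as an added illustration that is not rpki-client's code and not the patch under review: an RP caches the manifestNumber of the last manifest it accepted for each CA and, on the next fetch, treats a jump of more than one as an issuance gap, warning per manifest, counting for an OpenMetrics-style export, and summarising at the end of the run. The keying by manifest file name, the metric names, and the sample manifest numbers are all assumptions constructed for the example.

```python
"""Manifest sequence gap detection, modelled on the thread's description.

Added example; not rpki-client's own implementation. The manifests are
keyed by file name (an assumption; a real RP keys on the CA's state),
and the metric names are placeholders, not rpki-client's.
"""
from dataclasses import dataclass, field


@dataclass
class GapStats:
    manifests_checked: int = 0         # manifests seen with a cached predecessor or not
    manifests_with_gaps: int = 0       # manifests whose number jumped by more than one
    manifest_numbers_skipped: int = 0  # sum of intermediate numbers never observed
    regressions: int = 0               # number did not increase (stale/replayed copy)
    warnings: list = field(default_factory=list)


def check_manifest_sequence(previous: dict, filename: str,
                            new_number: int, stats: GapStats) -> int:
    """Compare a freshly validated manifest against the cached one.

    Returns how many intermediate manifest issuances the RP never saw
    (0 on first sighting, on a contiguous successor, or on a regression).
    """
    stats.manifests_checked += 1
    old = previous.get(filename)
    if old is None:
        previous[filename] = new_number  # first sighting: nothing to compare
        return 0
    if new_number <= old:
        # Not a gap: a stale or replayed manifest. Validation would normally
        # reject it elsewhere; here it is only counted so the summary does
        # not misreport it, and the cached number is left untouched.
        stats.regressions += 1
        stats.warnings.append(
            f"{filename}: manifestNumber {new_number} not greater than cached {old}")
        return 0
    missed = new_number - old - 1
    previous[filename] = new_number
    if missed > 0:
        stats.manifests_with_gaps += 1
        stats.manifest_numbers_skipped += missed
        stats.warnings.append(
            f"{filename}: manifestNumber jumped from {old} to {new_number}, "
            f"{missed} issuance(s) not observed")
    return missed


def render_openmetrics(stats: GapStats) -> str:
    """Emit the counters in OpenMetrics text format (placeholder metric names)."""
    lines = []
    for name, value in (("rpki_manifests_checked", stats.manifests_checked),
                        ("rpki_manifest_gaps", stats.manifests_with_gaps),
                        ("rpki_manifest_numbers_skipped", stats.manifest_numbers_skipped),
                        ("rpki_manifest_regressions", stats.regressions)):
        lines.append(f"# TYPE {name} gauge")
        lines.append(f"{name} {value}")
    lines.append("# EOF")
    return "\n".join(lines) + "\n"


# Constructed sample: three consecutive RP runs observing two CAs' manifests.
# ca-b skips number 8 in the second run; ca-a skips 43 and 44 in the third.
SAMPLE_RUNS = [
    {"ca-a.mft": 41, "ca-b.mft": 7},
    {"ca-a.mft": 42, "ca-b.mft": 9},
    {"ca-a.mft": 45, "ca-b.mft": 10},
]


def process_runs(runs) -> GapStats:
    """Feed successive runs through the check, keeping the cache between runs."""
    previous, stats = {}, GapStats()
    for run in runs:
        for filename, number in run.items():
            check_manifest_sequence(previous, filename, number, stats)
    return stats


if __name__ == "__main__":
    result = process_runs(SAMPLE_RUNS)
    for warning in result.warnings:          # the per-manifest warnings
        print("warning:", warning)
    print(render_openmetrics(result))        # the telemetry export
    print(f"summary: {result.manifests_with_gaps} manifest(s) with gaps, "
          f"{result.manifest_numbers_skipped} issuance(s) never observed")
```

Whether the per-manifest warning should be unconditional or gated behind -v, as the reply wonders, changes only the print loop; the counters and summary stay the same either way.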