cloudflare / cfrpki

Cloudflare's RPKI Toolbox
https://rpki.cloudflare.com
BSD 3-Clause "New" or "Revised" License

Can't run octorpki validator with rrdp switched off #41

Open dadepo opened 4 years ago

dadepo commented 4 years ago

For testing purposes I would like to run the octorpki validator with only rsync and have rrdp disabled. To also minimize the testing I am doing, I removed all TALs except the one from RIPE.

When I start the validator with rrdp false, I get the following output:

./octorpki -rrdp=false -refresh=10s
INFO[0000] Validator started                            
INFO[0000] Serving HTTP on :8080/output.json            
INFO[0000] Got open tals/afrinic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/apnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/arin.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/lacnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory but repository not yet synchronized 
INFO[0000] Still exploring. Revalidating now            
INFO[0000] Rsync sync rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer 
INFO[0000] Got open tals/afrinic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/apnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/arin.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/lacnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory but repository not yet synchronized 
INFO[0000] Stable state. Revalidating in 10s                        

If I do not turn rrdp off, a lot more processing gets done, and I get a cache of the ripe repository...but now it just states Stable state and nothing happens...no cache is downloaded...

What may I be doing wrong?

dadepo commented 4 years ago

To confirm if it is possible to run the validation only with rsync, I attempted with another validator...specifically routinator.

cargo run --bin routinator -- --disable-rrdp=true vrps

That is the corresponding command that fetches from the repository and validates with rrdp disabled. This worked as expected.

Pointers on how to achieve the same with octorpki will be appreciated.

dadepo commented 4 years ago

Playing around a bit more...and from what I can see, it seems when rrdp is switched off, octorpki can't sync the current state of the repository, since the current implementation only does this via RRDP...I noticed if I run once with RRDP, and have the snapshot create the cache, I can switch RRDP off, and validator will run with the cache created...

Just that I think in this case, with RRDP turned off in future runs, the snapshot/cache will never get updated
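
As an added example (not part of this thread and not cfrpki code), the Go program below scans octorpki log output for the condition reported above: a "Stable state" line reached while cache objects were still missing in the last validation pass. It assumes the message strings match the output quoted in the first comment; the sample log is constructed from that output, and `UnresolvedAtStable` is a hypothetical helper name.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, modelled on the log lines quoted in the issue.
const sampleLog = `INFO[0000] Validator started
INFO[0000] Got open tals/arin.tal: no such file or directory but repository not yet synchronized
INFO[0000] Got open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory but repository not yet synchronized
INFO[0000] Still exploring. Revalidating now
INFO[0000] Rsync sync rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
INFO[0000] Got open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory but repository not yet synchronized
INFO[0000] Stable state. Revalidating in 10s`

// Only objects under cache/ are tracked; missing tals/*.tal files are
// expected here because the reporter removed those TALs on purpose.
var missingRe = regexp.MustCompile(`Got open (cache/\S+): no such file or directory`)

// UnresolvedAtStable returns the cache paths that were still missing in
// the validation pass that ended with a "Stable state" line.
// Assumption: "Still exploring" marks the end of a pass that will be retried.
func UnresolvedAtStable(log string) []string {
	var pass, result []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.Contains(line, "Still exploring"):
			pass = nil // retried immediately, so earlier misses do not count
		case strings.Contains(line, "Stable state"):
			result = append(result, pass...)
			pass = nil
		default:
			if m := missingRe.FindStringSubmatch(line); m != nil {
				pass = append(pass, m[1])
			}
		}
	}
	return result
}

func main() {
	for _, p := range UnresolvedAtStable(sampleLog) {
		fmt.Println("stable state reached with missing object:", p)
	}
}
```

A non-empty result means the validator settled without the listed objects, so its output should not be trusted as a complete set of validated ROAs.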

ties commented 4 years ago

This would be a good feature to have. Running with rsync and rrdp only is one of the methods I would consider using to validate the availability and consistency of a repository.