dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

How to work with max prefix length #853

Open fendemann opened 7 years ago

fendemann commented 7 years ago

Using the GUI to create a ROA, I can provide a prefix and a "Max len". Using it results in a ROA (listed in the GUI) with the values

| Prefix | Max Length | AS |
|---|---|---|
| 49.20.0.0/19-24 | 24 | 4920 |

BUT also in an error in rpkid.log:

```
2017-01-10 21:25:39 rpkid[1362]: <rpki.rpkid_tasks.UpdateROAsTask {LAB-DTAG}>: Could not update <ROA: LAB-DTAG 4920 49.20.0.0/19-24>, skipping: BadIPResource: Bad IP resource "49.20.0.0/19-24"
```

Using the rpkic ROA import with my old roa.csv

```
49.10.0.0/19-24 4910 DTAG
49.20.0.0/19-24 4920 DTAG
49.20.100.0/24 4920 DTAG
...
```

it results in the same error message:

```
2017-01-10 21:38:33 rpkid[1362]: <rpki.rpkid_tasks.UpdateROAsTask {LAB-DTAG}>: Could not update <ROA: LAB-DTAG 4920 49.20.0.0/19-24>, skipping: BadIPResource: Bad IP resource "49.20.0.0/19-24"
```

I've looked in my old installation documentation for my lab scenario and found the roa.csv that I've used in the past to create the ROAs for my testbed. This file worked fine with the old version of your software but not with the actual one.

sraustein commented 7 years ago

I suspect that the prefix/len-maxlen syntax doesn't work in the GUI, and that the error you're seeing in the second test is really left over from the first (GUI) test.

The exception BadIPResource is raised when parsing a prefix, not when parsing a ROA request per se, which says that something is passing a string that is not really a prefix to the prefix parser. Presumably this should have been caught somewhere earlier in the call chain, like when you pressed the submit button on the form. I don't see a code path by which the ROA request parser (rpki.resource_set.roa_prefix.parse_str()) can raise this error (it would raise BadROAPrefix if it were unhappy), so I don't see a path by which the rpkic code would do this.

Assuming that something managed to stuff a bad ROA request into the IRDB, I would expect that to persist until something else removed that request. Which is a little puzzling if you ran rpkic load_roa_requests after getting into trouble with the GUI, because I would expect the rpkic command to delete all ROA requests then recreate the ones it wants to keep.
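An added illustration (not rpki.net's own code) of the two-layer parse described in the comment above: a plain prefix parser that knows nothing about a "-maxlen" suffix and raises BadIPResource, and a ROA request parser that splits the suffix off first and raises BadROAPrefix on anything it cannot accept. Function names and the sample rows in the usage are assumptions; only the two exception names come from the thread.

```python
import ipaddress

# Added illustration, not rpki.net's code; names other than the exceptions are hypothetical.


class BadIPResource(ValueError):
    """Raised by the plain prefix parser."""


class BadROAPrefix(ValueError):
    """Raised by the ROA request parser."""


def parse_prefix(text):
    """Plain prefix parser: 'address/len' only. Returns (address, len)."""
    addr, sep, plen = text.partition("/")
    try:
        address = ipaddress.ip_address(addr)
        prefixlen = int(plen)  # "19-24" fails here, hence BadIPResource
    except ValueError:
        raise BadIPResource('Bad IP resource "%s"' % text) from None
    if not sep or not 0 <= prefixlen <= address.max_prefixlen:
        raise BadIPResource('Bad IP resource "%s"' % text)
    return address, prefixlen


def parse_roa_prefix(text):
    """ROA request parser: 'address/len' or 'address/len-maxlen'.
    Splits the "-maxlen" suffix off before parse_prefix() sees the
    string, so 49.20.0.0/19-24 is accepted. Returns (address, len, maxlen)."""
    prefix, sep, suffix = text.partition("-")
    try:
        address, prefixlen = parse_prefix(prefix)
        maxlen = int(suffix) if sep else prefixlen
    except (BadIPResource, ValueError):
        raise BadROAPrefix('Bad ROA prefix "%s"' % text) from None
    # maxlen must lie between the prefix length and the address size
    if not prefixlen <= maxlen <= address.max_prefixlen:
        raise BadROAPrefix('Bad ROA prefix "%s"' % text)
    return address, prefixlen, maxlen


def parse_roa_csv(lines):
    """Parse 'prefix asn [group]' rows laid out like the poster's roa.csv."""
    requests = []
    for fields in (line.split() for line in lines if line.strip()):
        address, prefixlen, maxlen = parse_roa_prefix(fields[0])
        requests.append((str(address), prefixlen, maxlen, int(fields[1])))
    return requests
```

Feeding the string "49.20.0.0/19-24" straight to parse_prefix() reproduces the log's BadIPResource message, while parse_roa_csv(["49.20.0.0/19-24 4920 DTAG"]) accepts it, which is the call-chain distinction the comment draws.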

fendemann commented 7 years ago

I've tried the procedure once again. First I've loaded a roa.csv file with only one Class C prefix to delete all other entries related to LAB-DTAG. After the import a ROA was created and published; it was also shown in the GUI. After waiting a while I've imported a roa.csv with a prefix range and got the result below. There were entries in the log file and no ROA was published. The imported prefix was shown in the GUI.

———————— CASE 1: Import a Class C prefix to delete other entries

```
fen@rpki-dtag-01:~$ date --utc
Mi 11. Jan 07:18:38 UTC 2017

fen@rpki-dtag-01:~$ more roas_play.csv
49.10.0.0/24 4930 DTAG

fen@rpki-dtag-01:~$ sudo rpkic load_roa_requests roas_play.csv

fen@rpki-dtag-01:~$ sudo rpkic show_published_objects
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl 2017-01-11T07:18:50Z 4E69515A68539E6CC062F847AAD0A0699393A175
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft 2017-01-11T07:18:50Z 80DC0DBFE59B702EF159AEF1A2279B993DB42A40
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/S7iEwdcoQ0DaG15eLlJw7VUWZ-s.roa 2017-01-11T07:18:50Z AB3945E3467F2092A672461881139A18C7540978 4930 49.10.0.0/24
```

rpkid.log:

```
2017-01-11 07:18:50 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0fffd1b48> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/S7iEwdcoQ0DaG15eLlJw7VUWZ-s.roa to pubd
2017-01-11 07:18:50 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef60e0> hash = 5b0e4dc0783121a4b46ad55b2719d688e7d5bbabc2c5e2b9a4836955728b00ac uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl to pubd
2017-01-11 07:18:50 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6368> hash = d88e9294a1279a1b80c27a8f336ddd44f91a4e7949a8838939eeb243aebf2a65 uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft to pubd
2017-01-11 07:18:50 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0fffd1200> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/S7iEwdcoQ0DaG15eLlJw7VUWZ-s.roa from pubd
2017-01-11 07:18:50 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffe928c0> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl from pubd
2017-01-11 07:18:50 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0fffd1098> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft from pubd
2017-01-11 07:18:51 rpkid[1362]: 200 POST /left-right (172.20.0.52) 624.57ms
2017-01-11 07:18:56 rpkid[1362]: 200 POST /left-right (172.20.0.52) 20.21ms

2017-01-11 08:24:00 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6098> hash = e0b6d9f7d4ae948eeffca1d997faccb7373d0159acbe834379357d33f7559e8b uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/sBabYTbJtSqE7ctuQmhESyZC8zQ.crl to pubd
2017-01-11 08:24:00 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6a28> hash = a04bc8f47412279f8cf90d7b7d6d27906d40ac73cd4d9c2404c2d82d97acc780 uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/sBabYTbJtSqE7ctuQmhESyZC8zQ.mft to pubd
2017-01-11 08:24:00 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6bd8> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/sBabYTbJtSqE7ctuQmhESyZC8zQ.crl from pubd
2017-01-11 08:24:00 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6a70> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/sBabYTbJtSqE7ctuQmhESyZC8zQ.mft from pubd
2017-01-11 09:54:55 rpkid[1362]: 200 POST /left-right (172.20.0.52) 21.63ms
```

———————— CASE 2: Import a prefix range

```
fen@rpki-dtag-01:~$ date --utc
Mi 11. Jan 09:59:52 UTC 2017

fen@rpki-dtag-01:~$ sudo rpkic show_published_objects
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl 2017-01-11T07:18:50Z 4E69515A68539E6CC062F847AAD0A0699393A175
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft 2017-01-11T07:18:50Z 80DC0DBFE59B702EF159AEF1A2279B993DB42A40
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/S7iEwdcoQ0DaG15eLlJw7VUWZ-s.roa 2017-01-11T07:18:50Z AB3945E3467F2092A672461881139A18C7540978 4930 49.10.0.0/24

fen@rpki-dtag-01:~$ vi roas_play.csv
49.80.0.0/19-24 4980 DTAG

fen@rpki-dtag-01:~$ sudo rpkic load_roa_requests roas_play.csv

fen@rpki-dtag-01:~$ sudo rpkic show_published_objects
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl 2017-01-11T10:00:05Z 0ACDCB91487E28D712B2252638AFC871DB166CD4
rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft 2017-01-11T10:00:05Z 5498ABCD995EF2DCF4737D7E76821CD96F0FF4DF
fen@rpki-dtag-01:~$
```

rpkid.log:

```
2017-01-11 09:59:59 rpkid[1362]: 200 POST /left-right (172.20.0.52) 21.04ms
2017-01-11 10:00:05 rpkid[1362]: <rpki.rpkid_tasks.UpdateROAsTask {LAB-DTAG}>: Could not update <ROA: LAB-DTAG 4980 49.80.0.0/19-24>, skipping: BadIPResource: Bad IP resource "49.80.0.0/19-24"
2017-01-11 10:00:05 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}withdraw at 0x7fe0ffff1f80> hash = 2cfe93a3871a292f66ca31d52ab4f7d09929e1bf0cedd003c7837947bd378199 uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/S7iEwdcoQ0DaG15eLlJw7VUWZ-s.roa to pubd
2017-01-11 10:00:05 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0fffd1c20> hash = 19831b47ccd7790ff74964415b5c01d6e42e563156db10a2cb2806cc643e3bc9 uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl to pubd
2017-01-11 10:00:05 rpkid[1362]: Sending <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6200> hash = c1d81bb12685c59b3981edfb1a6e32c56502a37914ee9f9ca59fac4bb05407a4 uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft to pubd
2017-01-11 10:00:05 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}withdraw at 0x7fe0fff97e60> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/S7iEwdcoQ0DaG15eLlJw7VUWZ-s.roa from pubd
2017-01-11 10:00:05 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6830> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.crl from pubd
2017-01-11 10:00:05 rpkid[1362]: Received <Element {http://www.hactrn.net/uris/rpki/publication-spec/}publish at 0x7fe0ffef6050> hash = None uri = rsync://rpki-root-01.lab.dtag.de/rpki/LAB-DTAG/aL43YCvA_Ke0cKim-Hqx_O-Cbp0.mft from pubd
2017-01-11 10:00:06 rpkid[1362]: 200 POST /left-right (172.20.0.52) 498.28ms
2017-01-11 10:00:11 rpkid[1362]: 200 POST /left-right (172.20.0.52) 18.48ms
```

If you mention that this is a problem of the GUI error, what can I do to reset my servers?