RPKI performance metrics; your help requested
As the global RPKI data set and system load grows, we want to ensure that the system is performing well. This is why we have added measurement functionality to the RIPE NCC RPKI Validator toolset: https://www.ripe.net/certification/rpki-validator-metrics When enabled, it will gather the following data and send it to the RIPE NCC for analysis: - Connection success rate to the configured repositories - Whether IPv4 or IPv6 is used to connect - Repository inconsistencies - Time taken to validate all retrieved objects There is a detailed post on the sidr mailing list with more information: http://www.ietf.org/mail-archive/web/sidr/current/msg04595.html We would really appreciate it if as many people from across the globe send us performance data. If you would like to participate, please install the latest RPKI Validator and leave it running as a service permanently: https://www.ripe.net/certification/tools-and-resources All you need is a system with Java 1.6, rsync and 1GB of available memory. Simply unzip the file, run ./bin/rpki-validator from the base directory and browse to http://localhost:8080. Then enable the performance metrics by clicking "Yes" to the prompt. If you have any questions or feedback, please let me know. Many thanks, Alex Band RIPE NCC
As the global RPKI data set and system load grows, we want to ensure that the system is performing well. This is why we have added measurement functionality to the RIPE NCC RPKI Validator toolset: https://www.ripe.net/certification/rpki-validator-metrics
When enabled, it will gather the following data and send it to the RIPE NCC for analysis:
good stuff. though you know how much i like centralization :) of course you have seen the centralized rpki.net measurements presented by rob at iepg http://iepg.org/2012-03-ietf83/a-few-months-in-the-life-of-an-rpki-validator... and the measurements of an experiment using bit torrent instead of rsync http://iepg.org/2012-03-ietf83/rpki-bittorrent-experiment.pdf and sidr/paris. oops, good luck finding it, and he was cut short anyway due to the meeting's tech fiasco. but that is centralized. and, if you would care to publish your collection protocol, we would look at having the rpki.net relying party software shove data down it. but no promises. but we're more focused on giving the *user* the tools to measure and see. so you may want to look at the tables and graphs (graphs more germane to this discussion) from the rpki.net relying party software at, for example, http://www.hactrn.net/opaque/rcynic/index.html suggestions for improvement solicited, of course. randy
but we're more focused on giving the *user* the tools to measure and see. so you may want to look at the tables and graphs (graphs more germane to this discussion) from the rpki.net relying party software at, for example, http://www.hactrn.net/opaque/rcynic/index.html
oh, and the docco for install and config of the relying party software is at https://trac.rpki.net/wiki/doc/RPKI/RP randy
On Wed, May 16, 2012 at 7:50 PM, Randy Bush <randy@psg.com> wrote:
germane to this discussion) from the rpki.net relying party software at, for example, http://www.hactrn.net/opaque/rcynic/index.html
suggestions for improvement solicited, of course.
the text talks about rpki.net the link is for 'not rpki.net' how does this work? <insert clownposse here> rpki.net redirects to https://trac.rpki.net and poops out an ssl error :( security is 'hard'... Could someone make: 1) rpki.net function as http redirecting to https with the right cert (or put a SAN in the current cert?) 2) put the graphs at 'not rpki.net' on rpki.net (too) 3) indicate whether or not the graphs are of ongoing data or past-tense? -chris
Could someone make: 2) put the graphs at 'not rpki.net' on rpki.net (too)
no. that is the exact point. the graph to which i pointed is on rob's site. these are data each relying party can collect and see for themselves and their point of view in the universe, not some central authority. ripe/ncc thinks it is the center of the universe. we do not. we know it is in freemont [0], a neighborhood of seattle. so that url is very intentionally rob's relying party instance. i have one at http://rgnet.rpki.net/ but it has not been running as long as you can see. and sorry that our certs did not pay godzilla or gobble for the privilege of being in their bowsers. refund below [1] randy [0] - http://en.wikipedia.org/wiki/Fremont,_Seattle http://www.stonerforums.com/lounge/members/guiness-albums-stuff-picture19971... http://www.waymarking.com/gallery/image.aspx?f=1&guid=e712e7f5-0a55-4cc0-a40c-88deedce8d72&gid=3
On Wed, May 16, 2012 at 11:47 PM, Randy Bush <randy@psg.com> wrote:
and sorry that our certs did not pay godzilla or gobble for the privilege of being in their bowsers. refund below [1]
there was no [1]... startssl.com - free certs. (that work)
On 17 May 2012, at 00:47, Randy Bush wrote:
Could someone make: 2) put the graphs at 'not rpki.net' on rpki.net (too)
no. that is the exact point. the graph to which i pointed is on rob's site. these are data each relying party can collect and see for themselves and their point of view in the universe,
Which I think it is a very valuable thing as a RP operator. I haven't used the lastest versions of RIPE NCC validator for myself but that would be a nice feature to have there as well. I will update my rcynic installation, I liked the graphs.
not some central authority. ripe/ncc thinks it is the center of the universe. we do not. we know it is in freemont [0], a neighborhood of seattle.
I do not think that is the intention from RIPE NCC. The intention as I understood is to get the data that each RP is getting and to send it to central repository for further analysis. Which it is a centralized approach but for simplicity, not for thinking that they are the center of the universe. In my view there are 2 problems. One is to see as an RP operator how healthy are the repositories where you retrieve data (which for the url that you sent is done very nicely with rcynic), and two it is that as repository operator and protocol designers you'd like to see how good or bad your repository/protocols are doing to provide data to RPs in different locations of the world (which I think it is the aim of RIPE NCC effort).
so that url is very intentionally rob's relying party instance. i have one at http://rgnet.rpki.net/ but it has not been running as long as you can see.
and sorry that our certs did not pay godzilla or gobble for the privilege of being in their bowsers. refund below [1]
randy
[0] - http://en.wikipedia.org/wiki/Fremont,_Seattle http://www.stonerforums.com/lounge/members/guiness-albums-stuff-picture19971... http://www.waymarking.com/gallery/image.aspx?f=1&guid=e712e7f5-0a55-4cc0-a40c-88deedce8d72&gid=3
If anybody else is willing to share its data and URLs about their RP performance, I would be nice. I have an old rsync installation that I will try to update this weekend. Now it is here but does not show too much: http://www.labs.lacnic.net/~rpki/rpki-monitor/rpki-ta-status.xml Regards, as
participants (4)
-
Alex Band -
Arturo Servin -
Christopher Morrow -
Randy Bush