Aging Relying Party Clients
Also, if you see us in person, ask for a sticker and business card
Friends, yes, we are a day late with this month’s newsletter. We will endeavor not to be late again … but hey, what do you want for nothing? This month we focus on the Resource Public Key Infrastructure (RPKI). We examine relying party (RP) client software usage in-the-wild. If you’ve seen our daily statistical graphs, you may be surprised at how much more there is to say about that component of the Internet infrastructure. Next up, we felt it was time to make a small investment. We'll be sharing the outcome of this investment with some of you (…read on for further details). As always, we close with an organization update.
By operating our own RPKI publication point (PP), we can observe most of the world’s RPKI relying party (RP) clients. The RPKI model requires RPs to maintain a timely and consistent set of all data from the global RPKI repository. The RPKI repository comprises all the objects published by the world’s PPs, one of which is our own. These days most RP software supports the RPKI Repository Delta Protocol (RRDP) that utilizes HTTPS transport. Like most HTTP-based clients, RRDP fetches by RPs include a client software-identifying user-agent string in the HTTP header. A recent Tweet referenced our PP measurement page with a desire to see more details about the population of RP clients utilizing outdated software.
We are here to help provide just the sort of data and analysis Alex is looking for. As Alex shows, we publish a plot showing the distribution of well-known RP client software implementations. We have more data and can dig deeper into the user-agent string that RP clients send, because most clients include the software implementation and version information, just like you are apt to see from any ordinary web client.
Let’s first point out, as Alex does, that current data plotted suggests there are approximately 100 RIPE Validators a day. Due to our method of counting validators for the software implementations graph, that number does not tell the whole story. First, we consider an RRDP client to be RIPEv3 if the user-agent header contains the string “RIPE NCC RPKI Validator”. Then, and here is the significant part, we group IPv4 clients into /24 prefixes and IPv6 clients into /64 prefixes. We then count each /24 or /64 prefix once. This hack is to smooth out the popularity of RP implementations that may move around in the same subnet, or make up a larger load-balanced pool. If we didn’t do this, the number of distinct RIPEv3 RPKI validators would be closer to 150.
Support for the RIPE NCC Validator ended on July 1, 2021. In the world of RPKI, that is both a long time and a potentially serious operational risk. The other major implementations are regularly updated. In Alex’s Twitter thread, it was asked which implementations “are most frequently outdated?” We can quickly understand this by counting how many unique clients use an implementation’s latest version and how many do not. In April 2022, we see the following (note: consider these numbers approximations, and recall that we are not aggregating by /24 or /64, so this may not reflect a precise accounting where client addresses are unstable):
Routinator versions > 10.2 = 1659
Routinator versions <= 10.2 = 3678
OctoRPKI > 1.4.2 = 25
OctoRPKI <= 1.4.2 = 253
OctoRPKI unknown = 44
FORT == 1.5.3 = 184
FORT < 1.5.3 = 39
This is a rough look at aging RP client software, but hopefully, this provides some answers to what we see in the wild. We believe there are a lot more stories to tell. If your questions are still not fully answered, we hope it is only because our analysis here has been incomplete. We are interested in telling richer stories and helping others analyze the data for their own stories. Please let us know your thoughts on the different angles we should be looking at this data.
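The two counting methods described above (one count per /24 or /64 prefix for the implementation graph, and unaggregated unique clients per version) can be sketched as follows. This is an added example, not Dataplane.org's own code: the sample records are constructed, and the "example-rp" name and the "name/version" user-agent layout are assumptions; only the "RIPE NCC RPKI Validator" substring rule and the prefix lengths come from the text.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed (client address, User-Agent) pairs; not real measurement data.
# "example-rp" and the "name/version" token layout are assumptions.
SAMPLE = [
    ("192.0.2.10", "RIPE NCC RPKI Validator/3.2"),
    ("192.0.2.77", "RIPE NCC RPKI Validator/3.2"),          # same /24
    ("198.51.100.5", "RIPE NCC RPKI Validator/3.1"),
    ("2001:db8:1:2::10", "RIPE NCC RPKI Validator/3.2"),
    ("2001:db8:1:2::beef", "RIPE NCC RPKI Validator/3.2"),  # same /64
    ("203.0.113.9", "example-rp/1.5.3"),
    ("203.0.113.200", "example-rp/1.5.2"),
    ("2001:db8:ffff::1", "example-rp"),                     # no version
]

def implementation(ua):
    """Label a client from its User-Agent; the RIPEv3 substring is the page's rule."""
    if "RIPE NCC RPKI Validator" in ua:
        return "RIPEv3"
    return ua.split("/", 1)[0].strip() or "unknown"

def client_prefix(addr):
    """Map an address to its /24 (IPv4) or /64 (IPv6) network."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:a.b.c.d counts as IPv4
        ip = ip.ipv4_mapped
    plen = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

def count_clients(records, aggregate=True):
    """Distinct clients per implementation, by prefix or by raw address."""
    seen = defaultdict(set)
    for addr, ua in records:
        seen[implementation(ua)].add(client_prefix(addr) if aggregate else addr)
    return {impl: len(keys) for impl, keys in seen.items()}

def version_buckets(records, impl, reference):
    """Unique addresses of one implementation, bucketed against a reference version."""
    ref = tuple(int(p) for p in reference.split("."))
    buckets = defaultdict(set)
    for addr, ua in records:
        if implementation(ua) != impl:
            continue
        m = re.search(r"/(\d+(?:\.\d+)*)", ua)
        if not m:
            buckets["unknown"].add(addr)
            continue
        ver = tuple(int(p) for p in m.group(1).split("."))
        buckets["newer" if ver > ref else "same" if ver == ref else "older"].add(addr)
    return {name: len(addrs) for name, addrs in buckets.items()}
```

On the constructed sample, the five RIPEv3 addresses collapse to three prefixes, which is the same kind of gap the text describes between roughly 150 clients and roughly 100 counted validators.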
Stickers and Business Cards
It is a small thing, but we now have some stickers and business cards. You can only obtain them from an in-person interaction with us. Sorry, we’re too cheap to mail them, and they’re not valuable enough to be worth it. The Dataplane.org stickers and business cards are pretty cool, so you will want to add them to your collection. After the past two years of limited travel and social interaction, we’re seeing opportunities where this is beginning to gradually change. We are looking forward to meeting up and fully engaging with various communities.
The State of Dataplane.org
We will soon be making some updates to our web pages. Changes will be relatively minor compared to the complete make-over Matt had done, but they are needed tweaks and fixes. The biggest news behind the scenes is the work we’re doing to manage our finances. We are compiling expenses incurred last year for our tax accountant and starting to map out how to best organize all our bills. The total costs of running the organization to date have been minimal, but the actual number of bills is extensive. We have approximately 100 bills to pay, and many are paid monthly. We’re not perfect at it yet. In fact, we have a couple of humorous stories about how we (jtk really) have overpaid a provider, because we simply weren’t paying close enough attention.
This month, we’ve made limited progress on the technical front, and things may be slow going for the next couple of weeks as we finish our tax preparation. Our technical priority is building out our new back-end for additional capacity and reliability of services.
Feel free to reach out via email, Twitter, or Slack (request an invite if you need one).