Dear Members,

Please find attached a PostMortem Report on the RPKI Validation Incident which occurred on the 2nd of March 2015.

*Overview of AFRINIC RPKI System*

AFRINIC's RPKI system, launched on 1st January 2011, is composed of an offline root CA and a production CA. Both CAs publish objects in the RPKI repository available at http://rpki.afrinic.net/ and rsync://rpki.afrinic.net

Like every CA in the RPKI, the offline root CA maintains a CRL and a manifest for the certificates it manages and the objects in its repository:

http://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/

As per CA practices, the CRL and manifest are valid for 30 days (next update time is set to 30 days). Processes and mechanisms have been put in place to refresh these objects weeks before expiration.

*Description of the incident*

The CRL and Manifest of the root CA were refreshed on the 01/28/2015 and the next update set to 03/02/2015, as shown below:

Manifest
-------------
Object Type: RPKI Manifest
Signing time: 2015-01-28T08:01:29.000Z
Version: 0
Number: 59
This update time: 2015-01-28T08:01:28.000Z
Next update time: 2015-03-02T08:01:28.000Z

CRL
---------
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=AfriNIC-Root-Certificate
Last Update: Jan 28 08:01:28 2015 GMT
Next Update: Mar 2 08:01:28 2015 GMT

Due to some issues with the internal monitoring system, this task was missed, and as from 08:01 AM UTC on the 03/02/2015 the CRL and Manifest were invalid and therefore the whole AFRINIC RPKI repository became invalid.

This was the first time this incident occurred since January 2011.

*Actions taken*

The incident was reported by a ticket opened on our support system on the 03/02/2014 at 10:30 PM UTC. Investigations confirmed the issue and immediate corrective measures were taken.

At 5:55 AM on the 03/03/2015, the repository was restored to normal mode.

The internal systems and processes have been reviewed and appropriate measures taken, such as more stringent monitoring, regular system audit, redundancy, etc., to avoid this in the future.

Questions or comments to [email protected]

__________
Patrisse Deesse
Interim Chief Executive Officer
AFRINIC Ltd
t: +230 403 5122 | f: +230 466 6758 | tt: @afrinic | w: www.afrinic.net
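
The following monitoring check is an added example, not part of AFRINIC's report or tooling: it parses the next-update field in the two textual forms quoted in the report and flags objects that have entered a refresh window or have already expired. The 14-day window, the object names and the function names are assumptions, and the sample text is constructed from the dumps in the report.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, based on the two dumps quoted in the report.
MANIFEST_TEXT = """Object Type: RPKI Manifest
This update time: 2015-01-28T08:01:28.000Z
Next update time: 2015-03-02T08:01:28.000Z"""
CRL_TEXT = """Issuer: /CN=AfriNIC-Root-Certificate
Last Update: Jan 28 08:01:28 2015 GMT
Next Update: Mar  2 08:01:28 2015 GMT"""

# (regex, strptime format) for each textual form of the next-update field.
FORMATS = [
    (re.compile(r"Next update time:\s*(\S+)"), "%Y-%m-%dT%H:%M:%S.%fZ"),
    (re.compile(r"Next Update:\s*(\w{3}\s+\d{1,2} [\d:]{8} \d{4}) GMT"),
     "%b %d %H:%M:%S %Y"),
]

def next_update(text):
    """Return the next-update timestamp (UTC) found in a manifest or CRL dump."""
    for pattern, fmt in FORMATS:
        m = pattern.search(text)
        if m:
            value = " ".join(m.group(1).split())  # collapse padding in "Mar  2"
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    raise ValueError("no next-update field found")

def status(text, now, warn=timedelta(days=14)):
    """Classify an object as OK, WARN (inside the refresh window) or EXPIRED."""
    remaining = next_update(text) - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    return "WARN" if remaining <= warn else "OK"

def check_all(objects, now):
    """Map object name -> status; any non-OK entry should alert an operator."""
    return {name: status(text, now) for name, text in objects.items()}

if __name__ == "__main__":
    objs = {"root.mft": MANIFEST_TEXT, "root.crl": CRL_TEXT}  # hypothetical names
    for when in ("2015-02-01T00:00:00", "2015-02-20T00:00:00", "2015-03-02T08:02:00"):
        now = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
        print(when, check_all(objs, now))
```

Running such a check from a host independent of the signing system means a stalled refresh job and a stalled alert do not share the same failure.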
