[SANOG] RPKI database

Nishal Goburdhan nishal at controlfreak.co.za
Mon Jun 15 10:18:16 UTC 2020


On 12 Jun 2020, at 9:34, Ashish Bhatnagar wrote:

> Hi Team,
>
> We deployed RPKI with “rpki-validator-app-2.23” 2 years back; 
> now we are looking to upgrade this to version 3.1. Just want to check 
> the feedback of the latest validator and the way forward to upgrade.
>
> As per available documentation we need to do a fresh installation:
> https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator
>
> So is there any specific way to directly upgrade the older version to 
> the newer one without stopping it? We are using CentOS 7.


hi,

if your routers are already set up to use two validators, then you can, 
quite trivially, upgrade these one at a time, without causing a total 
outage.  as long as your routers are communicating with *at least one 
working validator* your network will not notice the difference.

if your routers are *not* set up to use two validators, then i suggest 
you fix that first.  and maybe even use three!  there’s a lot more 
useful information here:  https://rpki.readthedocs.io.  my current 
favourite is routinator3000, but consensus is that all the validators 
work :-)

while you’re taking the time to upgrade this, make sure that you also 
assess the way that your routers speak to the validators, e.g.
# are they all inside your network?
# are the paths between your routers and your validators secure, and 
protected?
# if you’re running two validators, are you sure they are not VMs on 
the same server/cluster/..?
etc.

hth,
-n.
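
Added example (not part of the original message, and not code from any validator project): a pre-upgrade check for the one-at-a-time approach described above. It sends an RTR Reset Query (RFC 8210) to each validator and treats an upgrade as safe only when some *other* validator answers with a Cache Response. The validator names, addresses and port 3323 are constructed placeholders.

```python
import socket
import struct

RESET_QUERY, CACHE_RESPONSE, ERROR_REPORT = 2, 3, 10  # RTR PDU types (RFC 8210)
HEADER = struct.Struct("!BBHI")  # version, PDU type, session id / error code, length

def reset_query(version=1):
    """Build an RTR Reset Query: fixed 8-byte PDU with a zero session field."""
    return HEADER.pack(version, RESET_QUERY, 0, HEADER.size)

def classify(reply):
    """Map the header of a validator's first reply PDU to a health verdict."""
    if len(reply) < HEADER.size:
        return "no-rtr-reply"
    _version, pdu_type, field, _length = HEADER.unpack(reply[:HEADER.size])
    if pdu_type == CACHE_RESPONSE:
        return "healthy"
    if pdu_type == ERROR_REPORT:
        return f"error-{field}"  # 2 = No Data Available, 4 = Unsupported Protocol Version
    return f"unexpected-pdu-{pdu_type}"

def recv_exact(sock, n):
    """Read up to n bytes, stopping early only if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def probe(host, port, version=1, timeout=5.0):
    """Send a Reset Query to one validator and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(reset_query(version))
            return classify(recv_exact(s, HEADER.size))
    except OSError:  # refused, timed out, unroutable
        return "unreachable"

def safe_to_upgrade(target, verdicts):
    """True only if some validator other than `target` is currently healthy."""
    return any(v == "healthy" for name, v in verdicts.items() if name != target)

if __name__ == "__main__":
    # Constructed inventory: documentation addresses, assumed RTR port.
    validators = {"val-a": ("192.0.2.10", 3323), "val-b": ("192.0.2.20", 3323)}
    verdicts = {n: probe(h, p) for n, (h, p) in validators.items()}
    for name in validators:
        print(name, verdicts[name], "safe to upgrade:", safe_to_upgrade(name, verdicts))
```

An `error-4` verdict means the validator only speaks RTR version 0; re-run the probe with `version=0` before counting it as unhealthy.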

