A new open source RPKI CA solution: NLnet Labs' Krill

Alex Band alex at nlnetlabs.nl
Wed Dec 18 09:40:03 UTC 2019


An update to this:

Last week Krill was deployed at NIC.br, the National Internet Registry of Brazil, making RPKI available to Brazilian operators for the first time. 

This is an interesting scenario, as NIC.br does not offer a Hosted RPKI service like the five RIRs do. Instead, every Brazilian operator has to run Delegated RPKI. This means running RPKI CA software to create a resource certificate yourself, have it signed by the NIC.br parent CA (which is, in turn, signed by the LACNIC CA) and then use it to create ROAs.

NIC.br does offer an RPKI Publication Server to their members. As a result, operators don’t have to make their certificate and ROAs available to the world themselves via Rsync+HTTPS, but can instead publish in the NIC.br RPKI repository. 

Practically, this means installing Krill on minimal hardware, exchanging two XML files with the parent CA in their web portal, after which you can manage ROAs locally using a CLI, API and soon a UI.

I was curious to see how many operators would be willing to take this route. Now, after one week, 25 Krill instances are running and over 100 ROAs are already published with 100% data accuracy. 

It’ll be interesting to see how this evolves over the next few months, as it changes the mostly Hosted RPKI landscape we’ve seen over the last 8 years.

-Alex

> On 3 Dec 2019, at 17:08, Job Snijders <job at ntt.net> wrote:
> 
> Dear fellow network operators,
> 
> It appears Santa brought presents early this year! I'd like to draw
> attention to the below forwarded message and provide my take on it.
> 
> Some of you represent organisations that interact with multiple RIRs,
> and have concluded it can be challenging to figure out the RPKI ROA
> provisioning process for each individual RIR and integrate those
> different processes with your internal business process.
> 
> Every RIR provides their members with what is called a 'hosted' RPKI
> service. The 'hosted' RPKI service means the RIRs offer web interfaces
> which operators use to create & publish RPKI ROAs. However, the devil is
> in the details: concepts such as 'who holds the private keys?' or the API
> specification differ from RIR to RIR. In this context the differences
> aren't necessarily good or bad, they are just different.
> 
> For many operators the RIR hosted model is excellent, but ... there also
> is a class of users who would perhaps benefit from something more
> 'unified', and this is where Krill comes in!
> 
> The use case where Krill really shines is that you can ask your RIR to
> delegate your resources to your Krill instance, and then build your
> tooling to interact with just Krill (instead of building RIR-specific
> software)!
> 
> To me the very existence of Krill is a sign of a maturing RPKI
> ecosystem. If I stare deeply into my crystal ball I can already see the
> rise of third-party hosted RPKI solutions for provisioning & monitoring
> RPKI objects, or integrations with IPAM systems such as 6connect. I
> believe these would be positive developments for the operational
> Internet community.
> 
> In short: if RPKI is on your company's roadmap, give Krill a spin! :)
> 
> get the goods: https://github.com/NLnetLabs/krill
> documentation: https://rpki.readthedocs.io/en/latest/krill/
> 
> Kind regards,
> 
> Job
> 
> ----- Forwarded message from Alex Band <alex at nlnetlabs.nl> -----
> 
> Date: Tue, 3 Dec 2019 12:33:51 +0100
> From: Alex Band <alex at nlnetlabs.nl>
> To: rpki at nlnetlabs.nl
> Subject: [RPKI] Krill 0.4.0 'The Krill Factor' released and running in production
> 
> Dear mailing list,
> 
> We are incredibly proud to introduce Krill 0.4.0 'The Krill Factor'. This
> release is the culmination of one and a half years of designing, building,
> testing and documenting our RPKI Certificate Authority (CA) and
> Publication Server solution.
> 
> The first three releases of Krill were meant to test the implementation.
> With Krill 0.4.0 'The Krill Factor', we are confident that the software
> can be used reliably with all five Regional Internet Registries (RIRs) and
> its Route Origin Authorisations (ROAs) are correctly validated by all
> Relying Party software implementations. As a result, NLnet Labs is now
> running Krill in production under the RIPE NCC parent CA.
> 
> With Krill 0.4.0 'The Krill Factor', operators can now generate and
> publish RPKI cryptographic material themselves to authorise their BGP
> announcements. It supports running RPKI under all five RIRs simultaneously
> and transparently, so if you have IP address space in multiple regions you
> can manage it as a single pool. Krill can also delegate to child
> organisations or customers who, in turn, run their own CA. The built-in
> publication server lets operators publish certificates and ROAs from their
> own infrastructure. Alternatively, you can use a third party which offers
> RPKI publication as a service. In short, all essential functions to run
> RPKI yourself using Krill are now available.
> 
> Krill can be managed using a Command Line Interface (CLI), as well as an
> Application Programming Interface (API). An optional web-based user
> interface is currently being developed as a separate project, named
> Lagosta. With Krill 0.4.0 'The Krill Factor' data storage and the API are
> now stable, allowing for seamless updates going forward. This release
> serves as a starting point for further development throughout 2020 and
> beyond, where we will work on features such as high availability and
> support for just-in-time authorisations integrated tightly with internal
> routing management.
> 
> Starting with Krill 0.4.0 and Routinator 0.6.0 we are offering commercial
> support for our RPKI software solutions, in case this is a requirement for
> your organisation or if you want to support the future development of the
> software. The service-level agreement (SLA) contract and security policy
> is on par with our DNS software NSD and Unbound. End of support for the
> software will be publicly announced two years in advance. Krill is
> licensed under the Mozilla Public License 2.0. Routinator and all
> libraries that are built to support the RPKI toolset are licensed under
> the BSD 3-Clause License.
> 
> Once again, we would like to extend our gratitude to NIC.br, the RIPE NCC
> Community Projects Fund, the Dutch National Cyber Security Centre and the
> Mozilla Open Source Support Fund for financially supporting the
> development of Krill, as well as our Relying Party software package
> Routinator. In addition, our thanks go out to DigitalOcean for offering
> their cloud infrastructure for our automated test platform, Fastly for
> their CDN services, as well as Juniper, Cisco and Nokia for providing us
> with virtual routers for testing. These organisations make it possible for
> us to develop free, open source software in a sustainable way. Please
> reach out to us if you want to join this effort.
> 
> On behalf of the NLnet Labs RPKI Team,
> Alex
> -- 
> RPKI mailing list
> RPKI at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/rpki
> 
> ----- End forwarded message -----
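The thread above describes two things without showing them: the delegated RPKI chain (a resource certificate issued by an operator's own CA, signed by the NIC.br parent, itself signed by the LACNIC CA, and then used to issue ROAs) and the fact that Relying Party software validates those ROAs before they influence BGP. The following Python model is an added example and is not Krill's code or any RIR's data: it walks a toy certificate chain, rejects a child that claims resources its parent does not hold (the strict RFC 6487 rule), accepts a ROA only if its issuer's chain is valid and the ROA prefix is within the issuer's resources, and then performs RFC 6811 route origin validation against the accepted ROAs. Signatures, CRLs and manifests are not modelled; the prefixes are RFC 5737/3849 documentation ranges and the AS numbers come from the RFC 5398 documentation block, all constructed for this example.

```python
"""Toy model of a delegated RPKI CA chain and RFC 6811 route origin
validation. Constructed example: the resources, names and ASNs below are
made up and are not NIC.br's, LACNIC's or any operator's real data.
Signatures are not modelled; only the resource hierarchy is checked."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass
class ResourceCert:
    """A CA certificate holding a set of IP prefixes, issued by `parent`
    (None for the trust anchor)."""
    name: str
    resources: List[Net]
    parent: Optional["ResourceCert"] = None


@dataclass
class ROA:
    """Route Origin Authorisation: `asn` may originate `prefix` and any
    more-specific of it down to `max_length` bits."""
    prefix: Net
    max_length: int
    asn: int
    issuer: ResourceCert


def covered(net: Net, resources: List[Net]) -> bool:
    """True if `net` lies within one of the prefixes in `resources`
    (same address family only; subnet_of raises on mixed families)."""
    return any(net.version == r.version and net.subnet_of(r) for r in resources)


def cert_chain_valid(cert: ResourceCert) -> bool:
    """Walk up to the trust anchor. Each certificate may only hold
    resources its parent also holds; an over-claiming child is rejected."""
    while cert.parent is not None:
        if not all(covered(r, cert.parent.resources) for r in cert.resources):
            return False
        cert = cert.parent
    return True


def roa_valid(roa: ROA) -> bool:
    """Accept a ROA only if its issuer's chain validates, the maxLength is
    not shorter than the prefix, and the prefix is within the issuer's
    own resources."""
    return (cert_chain_valid(roa.issuer)
            and roa.max_length >= roa.prefix.prefixlen
            and covered(roa.prefix, roa.issuer.resources))


def rov(announced: str, origin_as: int, roas: List[ROA]) -> str:
    """RFC 6811 route origin validation for one BGP announcement.
    Returns 'valid', 'invalid' or 'not-found'."""
    net = ip_network(announced)
    covering = [r for r in roas if roa_valid(r) and covered(net, [r.prefix])]
    if not covering:
        return "not-found"          # no accepted ROA covers this prefix
    for r in covering:
        if r.asn == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong AS or too specific


# Constructed chain: trust anchor -> national registry -> operator CA.
TA = ResourceCert("trust-anchor (constructed)",
                  [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")])
PARENT = ResourceCert("parent-nir (constructed)", [ip_network("192.0.2.0/24")], TA)
OPERATOR = ResourceCert("operator-ca (constructed)", [ip_network("192.0.2.0/25")], PARENT)
# A child that claims a prefix its parent never delegated to it.
OVERCLAIMER = ResourceCert("overclaiming-ca (constructed)",
                           [ip_network("198.51.100.0/24")], PARENT)

ROAS = [
    ROA(ip_network("192.0.2.0/25"), 26, 64496, OPERATOR),
    ROA(ip_network("198.51.100.0/24"), 24, 64497, OVERCLAIMER),  # must be ignored
]


def demo() -> dict:
    """Run a few announcements through ROV and return the outcomes."""
    return {
        "chain_ok": cert_chain_valid(OPERATOR),
        "overclaim_rejected": not cert_chain_valid(OVERCLAIMER),
        "exact": rov("192.0.2.0/25", 64496, ROAS),
        "within_maxlen": rov("192.0.2.64/26", 64496, ROAS),
        "too_specific": rov("192.0.2.64/27", 64496, ROAS),
        "wrong_origin": rov("192.0.2.0/25", 64511, ROAS),
        "overclaimed_prefix": rov("198.51.100.0/24", 64497, ROAS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "too_specific" case is the one that trips up operators most often in practice: a ROA with maxLength 26 does not authorise a /27 announcement from the same AS, so the route is "invalid" rather than "not-found". The over-claiming CA shows why the chain check matters for the "100% data accuracy" figure quoted above: a ROA issued under a certificate that claims resources outside its parent's delegation is dropped by the Relying Party, and the prefix it covers falls back to "not-found".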
