By Alex Band
NLnet Labs have been working on Krill, our RPKI Certificate Authority and publication server, for about one and a half years now. The first three releases of Krill were meant to test the implementation. With the fourth release, in December 2019, things got serious quite fast…
Krill 0.4.0 ‘The Krill Factor’ delivered a functionally complete Certificate Authority and publication server with a stable API, allowing for seamless updates going forward. This served as a great starting point for a National Internet Registry (NIR) such as NIC.br to offer an RPKI service to their members, as the API was all they needed to integrate Krill into their backend services and member portal. NIC.br launched their service in December 2019, with Indonesian NIR IDNIC adopting Krill for their RPKI service around the same time.
This version of Krill only offered a command line interface as a wrapper around the API, which meant that early adopters wanting to run Delegated RPKI had to go through— we considered—quite an elaborate process to install, configure and use Krill. But despite these apparent hurdles, we were very encouraged by the uptake.
Two months after the public launch, over 70 organisations around the world are running Delegated RPKI using Krill.
With the feedback we received, along with our roadmap, we focussed our efforts on the next release, improving the installation, onboarding, interoperability and usability. Now, after two months, we are excited to launch Krill 0.5.0 ‘Serve no Turf’.
The first release, Lagosta 0.1.0 ‘Fritto Misto’, contains everything to get started with Krill. It lets you to set up a Certificate Authority, perform the exchanges with one or more Regional and National Internet Registries, configure a publication server and manage Route Origin Authorisations (ROAs).
You can expect the user interface to evolve heavily over time, by adding ROA suggestions, tagging and alerting.
The user interface is compiled as static HTML and JS and is bundled with the Krill package. We’re proud that this addition resulted in just an 8MB increase in memory usage, making Krill still completely capable of running on minimalist hardware such as a Raspberry Pi.
But the UI is not the only major change in version 0.5.0. The documentation
has received an overhaul as well, covering every aspect of the software. Furthermore, you can now install and run Krill on a new Debian/Ubuntu machine in just seven steps, greatly simplifying the process compared to previous versions:
# Install the C toolchain, OpenSSL and curl apt install build-essential libssl-dev openssl pkg-config curl # Install Rust curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh source ~/.cargo/env # Install Krill cargo install krill # Create a data directory, generate config and start Krill mkdir ~/data krillc config simple --token correct-horse-battery-staple \ --data ~/data/ > ~/data/krill.conf krill --config ~/data/krill.conf
After starting up, Krill exposes its user interface and API through the built-in web server, allowing you to get started straight away.
In addition, Krill has gained a Prometheus endpoint, offering monitoring out of the box.
Solving RIR Quirks
During the testing we performed over the last few months, we initially concluded that Krill was fully standards compliant and worked well with all RPKI implementations that the five RIRs offer. However, it turned out the production systems sometimes behaved somewhat differently than their test environments. As a result, we now ironed out some interoperability issues with ARIN and APNIC, ensuring Krill works now reliably with all RIRs.
We want to thank Cynthia Revström for the fantastic help she provided in solving some of the issues we found when setting up Krill under ARIN.
As Cynthia is from Sweden, she went above and beyond in order to register a company in the USA to get ARIN address space in the name of science. During her exploration, she discovered through trial and error that ARIN does not support the RFC 8183 key exchange format, but only an older, pre-RFC notation.
We resolved this by building a toggle in the UI that transforms the parent request XML into a format that ARIN accepts, while we wait for them to implement a permanent solution.
Krill 0.5.0 will accept both the old and standardised key exchange format, so there is no need to transform the response file you get from ARIN.
Meanwhile, on the other side of the planet, things were a bit off with APNIC as well. Though everything works fine with their RPKI testbed, the certificate-parsing code of the APNIC production system does not handle dates past 2038. This was a problem because Krill creates BPKI certificates with dates 100 years in the future. To make matters worse, the BPKI TA that APNIC sends back in the parent response XML is not a self-signed certificate, although this is formally required by the IETF standards. This meant Krill rejects it.
Krill 0.5.0 now creates BPKI certificates with a lifetime of 15 years instead, which means that we have until 2035 to come up with a way to roll ID keys, or more fun still, ID algorithms.
We are confident that with this feature set Krill is a great solution for a broad audience, ranging from Internet registries to Enterprises, as well as small ISPs.
Coming Up Next
For Krill 0.6.0 we are planning to improve the history and audit trail, add proper service scripts, make the creation of ROAs smarter, and much more.
Please support us
Our thanks go out to the RIPE NCC Community Projects Fund, the Mozilla Open Source Support Fund and the Dutch National Cyber Security Centre for funding the development of our RPKI toolset throughout 2019. Now, with NIC.br as our only remaining sponsor, we hope you join them in financially supporting our open source efforts.