Krill — A New RPKI Certificate Authority

From outer space to the depths of the sea, NLnet Labs knows no boundaries with their Resource Public Key Infrastructure (RPKI) project.

Krill — A New RPKI Certificate Authority

By Tim Bruijnzeels

Six months ago we launched Routinator, our Relying Party software, atop a tiny red rocket. Now, coming to you from the deep blue sea, we are releasing a developer preview of Krill, an RPKI Certificate Authority and Publication Server daemon.

Krill is a small, but indispensable element in the routing food chain. It lets organisations run RPKI on their own systems as a child of one or more Regional Internet Registries (RIRs), National Internet Registries (NIRs) or Enterprises.

We figured Krill would be a fitting name, as it is nourishment to the worlds largest [BGP] filter feeders. Also, being a crustacean, it is a nod to the Rust programming language. And of course, puns will be endless…

Functionality

With this software package, operators can generate and publish RPKI cryptographic material to authorise their BGP announcements, delegate child certificates and lastly, publish their own cryptographic material or do it on behalf of others.

If you are a member of more than one RIR and you manage IP address space and routes across them, then Krill will allow you to use RPKI seamlessly and transparently. Instead of having to rely on multiple web interfaces to manage Route Origin Authorisations (ROAs), you can all do it from one place, running on your own systems.

Alternatively, it can be useful to run Krill if you want to be able to delegate RPKI management to certain business units or customers. Up to now, organisations were in many cases forced to manage everything on their customer’s behalf.

Transparent Development

Because we believe in transparent development, we have already made the source code of Krill publicly available on GitHub. At this time, only the Publication Server daemon is functional, but you will be able to follow, and provide feedback on, the development of the Certificate Authority. For this purpose we have made a public roadmap with several milestones.

We are committed to delivering a basic, production quality implementation of Krill by late 2019, with development continuing to offer a full-featured toolset throughout 2020.

Open Source Documentation

While software development is ongoing, we also set out to provide comprehensive documentation on RPKI technology itself, as well as the tools that NLnet Labs is developing for it. Some of the people working on the project have more than ten years experience with RPKI technology, standards and deployment. This can be incredibly helpful for other parts of the world where deployment is only just picking up.

The documentation is available on rpki.readthedocs.io. We have also made this an open source project on GitHub, allowing the network operator community, researchers and interested parties around the world to contribute their expertise. In the same way, a community driven RPKI FAQ has emerged in recent months. Using the open source Sphinx and ReadTheDocs tools, this allows versioning and translations as well.

A Project in Rust

The RPKI toolset is the first major project that we are building exclusively in Rust. At its core Rust is a systems language that combines C level performance with modern high level elements, such as a strong type system, error handling, and concurrency. Besides all this the Rust build system and dependency management system are superb.

It has been quite a change for an organisation who relied almost entirely on C. The experience has been great thus far, and as the language develops it’s only getting better.

A Liberal License, Ready for the Future

Open source and open standards have been a fundamental part of our DNA since 1999. Everything we do is aimed at enhancing the open, secure and innovative nature of the Internet.

Over the years, a lot has changed in the way we work and the way we are funded. NLnet Labs used to be financed entirely from a single source, and only a handful of people developed prototypes and worked on research projects. But today, with twelve people on staff maintaining production grade software such as NSD and Unbound, on which a large part of the Internet industry depends, the playing field is quite different. In addition, we have to look after ourselves financially now.

With this in mind, we had to think about how we were going to make the RPKI project viable in the long term, ensuring enough developers — with mouths to feed — could maintain it to the standards that you have grown used to from us. We also have the ambition that this project enables new research and new standards that benefit the Internet community.

We decided to release Krill under the Mozilla Public License 2.0 (MPL2). We felt this would strike the best balance between what we stand for as an organisation, while ensuring we can build open source software in a sustainable way.

Please note that Routinator and all libraries that we are developing for the RPKI project are available under the BSD 3-Clause License. Our thanks go out to ISC for their advice and sharing their experiences, after adopting the MPL2 license for BIND9 several years ago.

What does this mean for you? In short, the MPL2 license requires that anyone who has changed the source code must publish their changes, or pay for an exception to the license. It doesn’t impact anyone who is using the software without redistributing it, nor anyone redistributing it without changes.

Funding and Support

Currently, the development of Krill and Routinator is graciously funded by NIC.br, the National Internet Registry of Brazil, the RIPE NCC Community Projects Fund, the National Cyber Security Centre of the Netherlands and the Mozilla Open Source Support Programme. In addition, Juniper, Nokia and Cisco support us with virtual routers and guidance.

This allows us to dedicate nearly two full-time developers to the RPKI project until the tools are feature complete. Of course we could do more, or go faster, with your support. So if you consider routing security an important topic and you think this kind of open source development is great, please consider helping us.

Of course, additional funding is always welcome, but you can also contribute in other ways, such as time, expertise or infrastructure. For example, through the efforts of the community we can now offer Routinator on Docker Hub.

Specifically, we can currently use your help in the following areas:

  • Donate your time and expertise to further improve the RPKI documentation and FAQ
  • Build and maintain Routinator binaries for various platforms

Oh, look, Krill!