Running Krill under ARIN

By Pedro Szekely – CC-BY-SA-2.0

When using RPKI in the ARIN region you have the choice between using the Hosted RPKI service in ARIN Online, or running Delegated RPKI. While using ARIN's web interface to manage Route Origin Authorizations (ROAs) works okay, running Delegated RPKI with free, open-source Krill has several advantages:

  • Krill will show you which BGP announcements are made for your resources, letting you authorize them with ROAs in a single click.
  • Krill will show you the effect your ROAs have on the RPKI validity of your routes, alerting you of misconfigurations and possible hijacks.
  • Certificates and ROAs are automatically renewed for as long as you authorize the routes.
  • Krill's Prometheus endpoint easily integrates monitoring and alerting with your existing tooling.
  • You can seamlessly manage multiple organizations in a single Krill instance.
  • You can configure named users with roles and permissions over specific resources and business units, also letting you delegate resources further down.
  • And of course, as you will be the only holder of the private key of your resource certificate there is no need to create and use ARIN's ROA Request Key Pair.
Krill's web interface shows you your ROAs, as well as your resources, the BGP announcements seen with them and their RPKI validity

Before You Get Started

We'll provide a step-by-step guide on how to run Krill under ARIN. Before getting started there are a few things you need:

  • IPv4 or IPv6 resources allocated to your organization by ARIN
  • A signed Registration Services Agreement (RSA) or Legacy RSA
  • Your user account needs to be associated with the org as the Admin, Tech or Routing Point of Contact (POC)

In addition, keep in mind that setting up and switching between Hosted RPKI and Delegated RPKI requires a ticket and action from ARIN's Registration Services Department.

💡
When your Hosted RPKI configuration is reset, all your existing ROAs will be removed. This will make your routes temporarily fall back to the NotFound validity state, until you have recreated your ROAs in Krill. This means there is a short period you lose the protection RPKI offers, but reachability will not be affected.

Lastly, it's important to note that ARIN offers their members the Publication Service for Delegated RPKI. This is a highly recommended service as it reduces the costs and risks of running one's own delegated Certification Authority (CA) dramatically. This model is known as Hybrid RPKI, which is what we'll show in this guide.

Setting up Krill

The first step is to set up a production Krill instance for your CA. You can of course follow our comprehensive documentation, but if you want to have a look at how we set up our own Krill CA server, with multi-user logins and Let's Encrypt and NGINX for secure access, then please have a look at the section called "Production CA Server with Multi User Access Setup" in this blog post. Note that you can skip the first part about the setup of a Krill Publication Server, because you can (and should) use ARIN's Publication Service for Delegated RPKI instead.

🦐
Krill has minimal system requirements and doesn't have a strict uptime requirement if you use ARIN's Publication Service. The CA doesn't need to be exposed to the Internet, making it easy to keep your keys safe.

After installation and configuration you can head over to Krill's user interface. After logging in, you'll be asked to set a CA Handle. This is a name that helps you and others recognise your organization. In this guide we'll keep it simple and choose the name ARINL:

Krill's welcome screen

Configuring your RPKI CA under ARIN

😄
Spoiler alert: With just a bit of clicking you'll be exchanging a handful of XML files between Krill and ARIN to set up Delegated RPKI and publication. That's it!

After installing and configuring the Krill server it's time to set up Delegated RPKI in ARIN Online. As said, if you're currently using Hosted RPKI you'll need to open a ticket to have your current CA reset.

First, click Configure Delegated under Manage RPKI in ARIN Online:

We'll now be doing two XML file exchanges: first a Parent/Child CA request and response, and then a Publisher/Repository request and response.

The Parent/Child Exchange

In the following screen you will be asked to connect your Certificate Authority to ARIN's Parent CA:

Note that in Krill, you'll first land on the Repository tab to configure publication. However, ARIN wants to do the Parent/Child setup first, which will generate a ticketed request. So, make sure to click the Parents tab and copy the Child Request XML by clicking the copy button:

The child request / parent response screen

After pasting the XML in the Child Request XML form in ARIN Online and hitting Submit, you'll get a confirmation that a ticket was generated. If you get an error, you most likely submitted the Publisher Request XML by accident. If all is well, you should get a response within two business days:

Ticket submission confirmation

After the ticket is processed and you come back to the Manage RPKI screen, you'll see a status overview with your certificate, your certified resources and most importantly a link to the Current Parent Response XML, which you should click:

Now copy the Parent Response XML:

Go back to Krill and paste the XML in the Parent Response field. The file will automatically populate the Parent Name field with "ARIN", but you can change this to something more descriptive in case you manage multiple organizations. Finish off by clicking Confirm:

Now that Parent/Child CA communication is established, Krill will receive all AS Numbers and IP resources you are entitled to. There are periodic checks to verify if there are any changes in your entitlements, which will be updated automatically.

💡
You can repeat the Parent/Child exchange multiple times if you represent multiple organizations under ARIN. All resources and ROAs can be managed as a single pool.

The Publisher/Repository Exchange

Because we want to use the ARIN Publication Service for Delegated RPKI, we'll now go through similar steps to submit a Publisher Request to ARIN and give a Repository Response back to Krill.

After you have successfully set up the Parent/Child CA connection, Krill should bring you to the Repository tab, where you'll do the second exchange:

Copy the Publisher Request XML file and navigate to the Publication Repository tab in ARIN Online:

Paste the Publisher Request XML into the form and click Submit. This will not be a ticketed request, but you'll immediately get a Repository Response XML file:

Copy the Repository Response XML in ARIN Online, paste it into the corresponding field in Krill and click Confirm:

Now, Krill will immediately bring you to the ROAs tab, where it will show you all resources you hold, as well as all BGP announcements with your IP prefixes that are seen by the RIPE RIS route collectors. Note that if the initial setup process hasn't quite completed yet, you'll see a Refresh link.
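A pre-paste check for the two exchanges above, written for this guide as an added example (it is not part of Krill or ARIN Online). It assumes the four files are RFC 8183 setup messages, takes the element and attribute names from that RFC, and uses constructed samples with a placeholder where the real certificate would be:

```python
import xml.etree.ElementTree as ET

NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"  # RFC 8183 XML namespace

# root element -> (required attributes, BPKI trust anchor element, destination per this guide)
MESSAGES = {
    "child_request": (["child_handle"], "child_bpki_ta",
                      "ARIN Online, Child Request XML form"),
    "parent_response": (["service_uri", "child_handle", "parent_handle"], "parent_bpki_ta",
                        "Krill, Parent Response field"),
    "publisher_request": (["publisher_handle"], "publisher_bpki_ta",
                          "ARIN Online, Publication Repository tab"),
    "repository_response": (["service_uri", "publisher_handle", "sia_base"],
                            "repository_bpki_ta", "Krill, Repository Response field"),
}

def classify(xml_text: str) -> tuple:
    """Return (message type, destination); raise on anything else."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("RFC 8183 messages carry no DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    ns, _, name = root.tag.rpartition("}")
    if ns != "{" + NS or name not in MESSAGES:
        raise ValueError(f"not an RFC 8183 setup message: {root.tag}")
    attrs, ta, destination = MESSAGES[name]
    missing = [a for a in ["version"] + attrs if not root.get(a)]
    ta_el = root.find(f"{{{NS}}}{ta}")
    if ta_el is None or not (ta_el.text or "").strip():
        missing.append(ta)  # the trust anchor certificate must be present
    if missing:
        raise ValueError(f"{name} is missing: {', '.join(missing)}")
    return name, destination

def check(xml_text: str, expected: str) -> str:
    """Confirm the clipboard holds the message the current step expects."""
    name, destination = classify(xml_text)
    if name != expected:
        raise ValueError(f"expected {expected}, got {name} (belongs in: {destination})")
    return destination

# Constructed samples: handle from this guide, placeholder instead of a real certificate.
CHILD_REQ = (f'<child_request xmlns="{NS}" version="1" child_handle="ARINL">'
             "<child_bpki_ta>PLACEHOLDER</child_bpki_ta></child_request>")
PUB_REQ = (f'<publisher_request xmlns="{NS}" version="1" publisher_handle="ARINL">'
           "<publisher_bpki_ta>PLACEHOLDER</publisher_bpki_ta></publisher_request>")

if __name__ == "__main__":
    print(check(CHILD_REQ, "child_request"))
```

Calling `check(PUB_REQ, "child_request")` raises and names the Publication Repository tab as the right destination, which is the mix-up the Parent/Child step warns about.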

Managing ROAs

Now, to authorize a route origin, you simply click the + button to let Krill create a matching Route Origin Authorization (ROA) for it. These ROAs will be published immediately in the ARIN RPKI repository and be renewed automatically for as long as you authorize the route.

You can also add a ROA configuration manually, for example for a new announcement you're planning to make. Note that you can authorize any ASN to originate your prefixes, such as a DDoS protection service. To prevent a forged origin attack, Krill follows the best practice of setting the Maximum Prefix Length field to the same length as the prefix:

After authorizing a route origin, you'll see a green SEEN label appearing that indicates that the route is announced and authorized by a ROA. As your BGP announcements or ROAs change over time, you can see several other statuses as well, which you can read about in the Krill documentation:

If you are in doubt about the RPKI validity state of one of your routes, you can click the "Analyse my ROAs" link at the bottom of the ROAs page. This will provide you with suggestions on how to solve common issues.
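Why the Maximum Prefix Length default matters, as an added example that is not Krill's own code: a small RFC 6811 origin validator run over constructed routes (documentation prefix and ASNs) under three ROA sets. It also shows the NotFound fallback that applies while no ROAs exist.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a relying party extracts from a ROA."""
    prefix: object      # ipaddress network
    max_length: int
    asn: int

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} is out of range for {prefix}")
    return VRP(net, max_length, asn)

def validate(route: str, origin_asn: int, vrps: list) -> str:
    """RFC 6811 origin validation: returns Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        if v.prefix.version != net.version or not net.subnet_of(v.prefix):
            continue  # this VRP does not cover the route
        covered = True
        if net.prefixlen <= v.max_length and v.asn == origin_asn and v.asn != 0:
            return "Valid"
    return "Invalid" if covered else "NotFound"

# Constructed sample data: documentation prefix (RFC 5737) and ASNs (RFC 5398).
HOLDER = 64496
ROA_SETS = {
    "no ROAs": [],
    "maxLength 24": [vrp("198.51.100.0/24", 24, HOLDER)],  # same as prefix length
    "maxLength 25": [vrp("198.51.100.0/24", 25, HOLDER)],  # permits more specifics
}
ROUTES = {
    "holder's /24": ("198.51.100.0/24", HOLDER),
    "/25 with holder's ASN as origin": ("198.51.100.128/25", HOLDER),
    "/24 from another origin": ("198.51.100.0/24", 64511),
}

def compare() -> dict:
    """Validity of every sample route under every sample ROA set."""
    return {(r, s): validate(p, asn, vrps)
            for r, (p, asn) in ROUTES.items() for s, vrps in ROA_SETS.items()}

if __name__ == "__main__":
    for (route, roas), state in compare().items():
        print(f"{route:32} {roas:13} {state}")
```

With the maximum length equal to the prefix length, the more-specific /25 is Invalid even though it carries the authorized origin ASN; with the looser ROA it validates, which is the gap the default closes.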

Further Exploration

Finally, there is a lot more to discover in Krill, such as setting up Prometheus monitoring, using the CLI or API, configuring named users with roles and permissions over specific resources and organization units, or delegating resources further down to customers or business units, who run a Krill CA as a child of you.

If you need help or additional information, please don't hesitate to talk to us on our Discord server or mailing list! 👋