Resource Public Key Infrastructure (RPKI) is technology that is aimed at making the Border Gateway Protocol (BGP) more secure. NLnet Labs develops a comprehensive set of free, open source tools to generate, publish and validate RPKI data. This project is funded by the Internet community.

RPKI is based on open standards and works by providing network operators a way to perform Route Origin Validation. Using the system, the legitimate holder of a block of IP addresses can make an authoritative statement about which Autonomous System (AS) is authorised to originate their IP prefix in BGP. In turn, other network operators can download and validate these statements and make routing decisions based on them.

For more information on how RPKI works, please refer to the documentation on Read the Docs.

Development

The NLnet Labs RPKI toolset consists of three major projects:

Krill

Krill is the RPKI Certificate Authority (CA) and Publication Server daemon. It allows organisations to run RPKI on their own systems as a child of one or more Regional Internet Registries (RIRs), i.e. APNIC, AFRINIC, ARIN, LACNIC and RIPE NCC. Krill can also run under a different parent, such as a National Internet Registry (NIR) or Enterprise and, in turn, act as a parent for other CAs.

Using Krill, operators can generate their own RPKI cryptographic material, instead of relying on the hosted systems that the five RIRs provide. With the included Publication Server, operators can publish RPKI data themselves or let a third party, such as a Content Delivery Network, do it on their behalf.

Routinator

Routinator 3000 is Relying Party software, also known as RPKI Validator. Operators can use it to download and validate the global RPKI data set and feed the result into their routers, or use it elsewhere in the BGP decision making process. Routinator has frequent releases and is actively being used in production environments.

RTRTR

RTRTR is a tool that collects, processes, and distributes data for route filtering. For larger networks, it is possible to centralise validation performed by Routinator and have RTRTR running in various Points-of-Presence (PoPs) around the world to which routers can connect.

Feedback

For general discussion and exchanging operational experiences we provide a mailing list. This is also the place where we will announce releases of the applications and updates on the project. If you are interested in deploying our software or you would like more information, please do not hestitate to contact us.