Resource Public Key Infrastructure (RPKI) is technology that is aimed at making the Border Gateway Protocol (BGP) more secure. NLnet Labs develops a comprehensive set of free, open source tools to generate, publish and validate RPKI data.
RPKI is based on open standards and works by providing network operators a way to perform Route Origin Validation. Using the system, the legitimate holder of a block of IP addresses can make an authoritative statement about which Autonomous System (AS) is authorised to originate their IP prefix in BGP. In turn, other network operators can download and validate these statements and make routing decisions based on them.
For more information on how RPKI works, please refer to the documentation on Read the Docs. For general discussion and exchanging operational experiences we provide a mailing list and a Discord server. This is also where we will announce releases of the applications and updates on the project.
The NLnet Labs RPKI toolset consists of four open source projects:
Krill is an RPKI Certificate Authority (CA) and Publication Server daemon. It allows organisations to run RPKI on their own systems as a child of one or more Regional Internet Registries (RIRs) or National Internet Registries (NIRs). Krill presents all resources as a single pool, allowing easy and seamless ROA management in an intuitive user interface.
Krill can also act as a parent for other CAs, allowing organisations to delegate ROA management to subdivisions or customers. With the included RPKI publication server operators can publish ROAs themselves or let a third party, such as their RIR, do it on their behalf.
Routinator 3000 is Relying Party software, also known as RPKI Validator. Operators can use it to download and verify the global RPKI data set and feed the result into their routers, or use it elsewhere in the BGP decision making process.
RTRTR is a tool that collects, processes, and distributes data for route filtering. For larger networks, it is possible to centralise validation performed by Routinator and have RTRTR running in various locations around the world to which routers can connect.
JDR is a tool to help you explore, inspect and troubleshoot anything RPKI. JDR interprets certificates and signed objects in the RPKI and annotates everything that could somehow cause trouble. You can search for Autonomous System Numbers, IP prefixes and browse RPKI repositories to analyse them.