Krill 0.8.0 'The Art of ROA Maintenance' Released
We are happy to introduce Krill 0.8.0 'The Art of ROA Maintenance'. In this version we have added further refinements to the ROA management interface to give users the confidence that their authorisations accurately reflect their BGP announcements.
First, Krill now warns about ROAs that are too permissive, meaning that they allow more announcements than are seen in BGP. This encourages users to apply best operational practices. Secondly, Krill will not allow the creation of redundant ROAs, or ROAs that would make other ones redundant. Lastly, there is now support for AS0 ROAs, which are explicit statements that specify which prefixes should never be seen on the public Internet.
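The three ROA checks described above can be sketched as follows. This is an added example, not Krill's own code: the prefixes and ASNs are constructed from documentation ranges, and "too permissive" is approximated here as a max length longer than the longest announcement the ROA actually authorises.

```python
from ipaddress import ip_network
from typing import NamedTuple

class Roa(NamedTuple):
    prefix: str
    max_length: int
    asn: int  # 0 means AS0: the prefix should never be announced

# Constructed sample data using documentation prefixes and ASNs.
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),      # matches BGP exactly
    Roa("198.51.100.0/24", 28, 64497),   # allows /25../28 that nobody announces
    Roa("203.0.113.0/24", 25, 64498),
    Roa("203.0.113.0/25", 25, 64498),    # already implied by the ROA above
    Roa("2001:db8::/32", 32, 0),         # AS0 ROA
]
ANNOUNCEMENTS = [  # constructed (prefix, origin ASN) pairs as seen in BGP
    ("192.0.2.0/24", 64496), ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64498),
    ("203.0.113.0/25", 64498), ("2001:db8::/32", 64499),
]

def covers(roa, prefix):
    net, p = ip_network(roa.prefix), ip_network(prefix)
    return net.version == p.version and p.subnet_of(net)

def authorizes(roa, prefix, origin):
    # An AS0 ROA never authorizes an announcement.
    return (roa.asn != 0 and roa.asn == origin and covers(roa, prefix)
            and ip_network(prefix).prefixlen <= roa.max_length)

def validity(prefix, origin, roas):
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "not-found"
    return "valid" if any(authorizes(r, prefix, origin) for r in covering) else "invalid"

def too_permissive(roa, announcements):
    # Assumption: compare max_length with the longest authorized announcement.
    seen = [ip_network(p).prefixlen for p, o in announcements if authorizes(roa, p, o)]
    return roa.asn != 0 and roa.max_length > max(seen, default=ip_network(roa.prefix).prefixlen)

def redundant(roa, roas):
    # Another ROA for the same ASN already permits everything this one does.
    return any(o != roa and o.asn == roa.asn and covers(o, roa.prefix)
               and o.max_length >= roa.max_length for o in roas)

if __name__ == "__main__":
    for r in ROAS:
        print(r, too_permissive(r, ANNOUNCEMENTS), redundant(r, ROAS))
```

The announcement of `2001:db8::/32` evaluates as invalid because the only ROA covering it is the AS0 one, which is the effect an AS0 ROA is meant to have.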
The backend has several improvements and refinements as well, such as allowing aggregation of ROAs to lower the number of objects, and improved reporting on communication with parents and the repository. To make Krill more resilient, we have added recovery functionality in case data on disk is incomplete due to, for example, a full disk or a failed system. In relation to this, we now ensure Krill stops if data cannot be written to disk, to prevent inconsistent states. Lastly, Krill does a full re-synchronisation with its parents and the repository on startup.
With this release we have also started to operate a Krill testbed service. The testbed offers both a parent CA and a repository. As such you can just run a Krill instance, on a laptop even, without the need to operate real infrastructure for testing.
It allows you to register any resources for your Child CA, so you can test with your real resources. Because this testbed uses its own TEST Trust Anchor, ROAs created here will not end up being used by production routers.
You can find the test service here: https://testbed.rpki.nlnetlabs.nl/
To install Krill 0.8.0 you can use Cargo, the Rust package manager, or use the packages for Debian and Ubuntu we provide on https://packages.nlnetlabs.nl
- "Testing .. 123 Delegated RPKI", blog post on the RPKI testbed service
- Release notes
- Krill GitHub repository
- Krill Documentation
- NLnet Labs RPKI Tools