BGP (Border Gateway Protocol) is the protocol that powers the control plane of the inter-domain routing system, better known as the internet. Resource Public Key Infrastructure (RPKI) is technology that is aimed at making BGP more secure. NLnet Labs develops a comprehensive set of free, open source applications to parse, store, sort and analyze large quanttities of BGP data, as well as tools to generate, publish and validate RPKI data.
Both BGP and RPKI are based on open standards. BGP is the protocol that allows network operators of Autonomous Systems (ASes) to exchange routes, that describe all reachable destinations on the public internet. Furthermore, BGP describes how these routes should be stored in Routing Information Bases (RIBs).
RPKI works by providing network operators a way to perform Route Origin Validation. Using the system, the legitimate holder of a block of IP addresses can make an authoritative statement about which Autonomous System is authorised to originate their IP prefix in BGP. In turn, other network operators can download and validate these statements and make routing decisions based on them.
For more information on how RPKI works, please refer to the documentation on Read the Docs. For general discussion and exchanging operational experiences we provide a mailing list and a Discord server. This is also where we will announce releases of the applications and updates on the project.
The NLnet Labs Routing applications consists of four open source projects:
Krill is an RPKI Certificate Authority (CA) and Publication Server daemon. It allows organisations to run RPKI on their own systems as a child of one or more Regional Internet Registries (RIRs) or National Internet Registries (NIRs). Krill presents all resources as a single pool, allowing easy and seamless ROA management in an intuitive user interface.
Krill can also act as a parent for other CAs, allowing organisations to delegate ROA management to subdivisions or customers. With the included RPKI publication server operators can publish ROAs themselves or let a third party, such as their RIR, do it on their behalf.
Routinator 3000 is Relying Party software, also known as RPKI Validator. Operators can use it to download and verify the global RPKI data set and feed the result into their routers, or use it elsewhere in the BGP decision making process.
RTRTR is a tool that collects, processes, and distributes data for route filtering. For larger networks, it is possible to centralise validation performed by Routinator and have RTRTR running in various locations around the world to which routers can connect.
JDR is a tool to help you explore, inspect and troubleshoot anything RPKI. JDR interprets certificates and signed objects in the RPKI and annotates everything that could somehow cause trouble. You can search for Autonomous System Numbers, IP prefixes and browse RPKI repositories to analyse them.
Rotonda is a software that allows users to build BGP/BMP applications, with composable, programmable Routing Information Bases. These applications can range from small alerting systems, based on a property of a BGP/BMP message to a Route Collector, collecting data from hundreds of routers with thousands of peers. Other possibilities include route servers and route refelectors.