Nibbles & Bits

RPKI Client Project Update

June 19, 2020

Last summer, we announced the release of the long-awaited rpki-client project that we helped fund in a joint sponsorship with NetNod, IIS.SE, and SUNET. 

Specifically, rpki-client is an implementation that covers the client side of RPKI (Resource Public Key Infrastructure), which is responsible for downloading and validating route origin statements. The project culminated in usable software that since then has been freely available under an open-source license for anyone who would like to make use of it.

Now, a year later, we’re pleased to report that some important updates have recently been made to the RPKI client library! But first, some background information.

The Importance of RPKI

As Job Snijders of the OpenBSD Project put it, “large-scale robust RPKI-based Origin Validation contributes to a more secure and reliable Internet.” Indeed, using RPKI, the legitimate holders of number resources can control the operation of Internet routing protocols to prevent route hijacking and routing misconfigurations.

The American Registry for Internet Numbers (ARIN), in particular, has taken a leading role in promoting the use of RPKI – and support for its widespread implementation has only grown of late, as other global players undertake efforts to increase RPKI usage and help secure the Internet’s routing infrastructure.

(One of the most recent positive developments includes Latvian network equipment manufacturer MikroTik “dipping its toes” into RPKI Origin Validation, which will have “profound consequences for the regions that heavily rely on MikroTik to connect to the global Internet routing system,” notes Snijders.)

To that end, it’s crucial to have more RPKI validators available for general use among network operators – and we’re pleased to have been able to assist in bringing one to fruition! More technical information about the rpki-client project’s origin and architecture can be found in our previous announcement post.

The Latest News

During NANOG 79 earlier this month, an update on ARIN’s new Internet Routing Registry was presented by President and CEO John Curran. He spent some time detailing the RPKI functionality that has been added to the RPKI client library by ARIN in the last six months as well, namely the following:

  • Repository generation changed to run every 5 minutes
  • Added RPKI Repository Delta Protocol (RRDP) support as an alternative to rsync for repository retrieval
  • Changed the default validity period of a Route Origin Authorization (ROA) to 825 days
  • Delegated RPKI server updated to support RFC 8083 Up/Down protocol (with much time spent testing various delegated software implementations to ensure interoperability)
  • Added the capability to list and delete ROAs in ARIN’s Registration RESTful Service (Reg-RWS)

A few other upgrades and enhancements are also on the way, as Curran outlined in his presentation.

For us at 6connect, it has been gratifying to see such advancements being made in the RPKI ecosystem – and we’re proud to have played a role in promoting Internet routing security for the benefit of the entire online community. Onward and upward!
