We’re pleased to announce that a project we helped fund has now been released! Jointly sponsored by 6connect, NetNod, IIS.SE, and SUNET, the rpki-client project has culminated in the development of usable software, on schedule with just a few months of wall time.
The importance of RPKI, or Resource Public Key Infrastructure, is well established and has been gaining more attention as of late. Designed to secure the Internet’s routing infrastructure – specifically the Border Gateway Protocol (BGP) – RPKI allows us to connect Internet number resource information like IP addresses to a trust anchor. Using RPKI, the legitimate holders of number resources can then control the operation of Internet routing protocols in order to thwart route hijacking or router misconfigurations.
“Because of 6connect’s enthusiastic support for rpki-client, the internet has now gained a healthy ecosystem of RPKI validators. Large scale robust RPKI based Origin Validation contributes to a more secure and reliable internet, I am grateful for 6connect’s sponsorship!”
– Job Snijders, OpenBSD Project
What’s interesting is that the push to implement RPKI has gathered momentum over the past year or so. As discussed at the NANOG 76 conference earlier this month, technical efforts in the field have proliferated recently, with global players like AT&T now dropping invalid routes, Cloudflare developing new validation software, and NTT using RPKI data to generate filters. The American Registry for Internet Numbers (ARIN) is also currently undertaking efforts to increase RPKI usage.
However, until now, only two RPKI validators have been in general usage among network operators: NLNetLab’s Routinator 3000 and RIPE NCC’s RPKI Validator. For optimum security, freedom of choice, and increased diversity in the RPKI ecosystem, it’s crucial to have more implementations available!
Here at 6connect, we’re delighted to have had the opportunity to help advance Internet routing security by jointly funding this important project. Rpki-client is an implementation that covers the client side of RPKI, which is responsible for downloading and validating route origin statements. The project’s principal author, Kristaps Dzonsons, has truly taken to heart the design focus of simplicity and security; rpki-client implements RPKI components that are necessary for validating route statements while at the same time omitting superfluities.
And best of all, being released under a liberal open-source license, rpki-client is freely available to anyone who wants to use it! The portable version of the rpki-client source code, which can run on *BSD and Linux distributions, is available on Github here: https://github.com/kristapsdz/rpki-client. (Please see the project page for more information about the project’s architecture, algorithm, and portability.)
The OpenBSD project has also imported a copy of the source code into its main development tree, where it will remain for some time with the typical back-and-forth between the portable version and the OpenBSD-specific one. The hope is that the code can be polished up to a high enough quality to be included as a tool in the 6.6 release of the OpenBSD operating system in November 2019.
But the future holds many more developments. Currently, the software can: 1) download all RPKI repositories; 2) validate the RPKI tree; and 3) output RPKI VRPs in OpenBGPD format – which is a wonderful beginning.
We’re looking forward to seeing continued progress in the months to come! A few of the upcoming developments will likely include the ability to use LibreSSL in addition to OpenSSL, more outputs such as JSON, porting to other operating systems, and support for RRDP.
This project represents a huge win for the Internet community, and we’re proud to have been a part of getting it off the ground. Congratulations to everyone who put in the hard work needed to make this vision a reality!