A new open source RPKI CA solution: NLnet Labs' Krill

Dear fellow network operators,

It appears Santa brought presents early this year! I'd like to draw
attention to the below forwarded message and provide my take on it.

Some of you represent organisations that interact with multiple RIRs,
and have concluded it can be challenging to figure out the RPKI ROA
provisioning process for each individual RIR and integrate those
different processes with your internal business process.

Every RIR provides their members with what is called a 'hosted' RPKI
service. The 'hosted' RPKI service means the RIRs offer web interfaces
which operators use to create & publish RPKI ROAs. However, the devil is
in de details: concepts such as 'who holds the private keys?' or the API
specification differ from RIR to RIR. In this context the differences
aren't necessarily good or bad, they are just different.

For many operators the RIR hosted model is excellent, but ... there also
is a class of users who would perhaps benefit from something more
'unified', and this is where Krill comes in!

The use case where Krill really shines is that you can ask your RIR to
delegate your resources to your Krill instance, and then build your
tooling to interact with just Krill (instead of building RIR-specific

To me the very existence of Krill is a sign of a maturing RPKI
ecosystem. If I stare deeply into my crystal ball I can already see the
rise of third-party hosted RPKI solutions for provisioning & monitoring
RPKI objects, or integrations with IPAM systems such as 6connect. I
believe these would be positive developments for the operational
Internet community.

In short: if RPKI is on your company's roadmap, give Krill a spin! :slight_smile:

get the goods: https://github.com/NLnetLabs/krill
documentation: https://rpki.readthedocs.io/en/latest/krill/

Kind regards,


----- Forwarded message from Alex Band <alex@nlnetlabs.nl> -----

An update to this:

Last week Krill was deployed at NIC.br, the National Internet Registry of Brazil, making RPKI available to Brazilian operators for the first time.

This is an interesting scenario, as NIC.br does not offer a Hosted RPKI service like the five RIRs do. Instead, every Brazilian operator has to run Delegated RPKI. This means running RPKI CA software to create a resource certificate yourself, have it signed by the NIC.br parent CA (which is, in turn, signed by the LACNIC CA) and then use it to create ROAs.

NIC.br does offer an RPKI Publication Server to their members. As a result, operators don’t have to make their certificate and ROAs available to the world themselves via Rsync+HTTPS, but can instead publish in the NIC.br RPKI repository.

Practically, this means installing Krill on minimal hardware, exchanging two XML files with the parent CA in their web portal, after which you can manage ROAs locally using a CLI, API and soon a UI.

I was curious to see how many operators would be willing to take this route. Now, after one week, 25 Krill instances are running and over 100 ROAs are already published with 100% data accuracy.

It’ll be interesting to see how this evolves over the next few months, as it changes the mostly Hosted RPKI landscape we’ve seen over the last 8 years.