[RPKI] Krill 0.4.0 'The Krill Factor' released and running in production

Alex Band alex at nlnetlabs.nl
Tue Dec 3 11:33:51 UTC 2019


Dear mailing list,

We are incredibly proud to introduce Krill 0.4.0 'The Krill Factor'. This
release is the culmination of one and a half years of designing, building,
testing and documenting our RPKI Certificate Authority (CA) and
Publication Server solution.

The first three releases of Krill were meant to test the implementation.
With Krill 0.4.0 'The Krill Factor', we are confident that the software
can be used reliably with all five Regional Internet Registries (RIRs) and
its Route Origin Authorisations (ROAs) are correctly validated by all
Relying Party software implementations. As a result, NLnet Labs is now
running Krill in production under the RIPE NCC parent CA.

With Krill 0.4.0 'The Krill Factor', operators can now generate and
publish RPKI cryptographic material themselves to authorise their BGP
announcements. It supports running RPKI under all five RIRs simultaneously
and transparently, so if you have IP address space in multiple regions you
can manage it as a single pool. Krill can also delegate to child
organisations or customers who, in turn, run their own CA. The built-in
publication server lets operators publish certificates and ROAs from their
own infrastructure. Alternatively, you can use a third party which offers
RPKI publication as a service. In short, all essential functions to run
RPKI yourself using Krill are now available.

Krill can be managed using a Command Line Interface (CLI), as well as an
Application Programming Interface (API). An optional web-based user
interface is currently being developed as a separate project, named
Lagosta. With Krill 0.4.0 'The Krill Factor' data storage and the API are
now stable, allowing for seamless updates going forward. This release
serves as a starting point for further development throughout 2020 and
beyond, where we will work on features such as high availability and
support for just-in-time authorisations integrated tightly with internal
routing management.

Starting with Krill 0.4.0 and Routinator 0.6.0 we are offering commercial
support for our RPKI software solutions, in case this is a requirement for
your organisation or if you want to support the future development of the
software. The service-level agreement (SLA) contract and security policy
are on par with our DNS software NSD and Unbound. End of support for the
software will be publicly announced two years in advance. Krill is
licensed under the Mozilla Public License 2.0. Routinator and all
libraries that are built to support the RPKI toolset are licensed under
the BSD 3-Clause License.

Once again, we would like to extend our gratitude to NIC.br, the RIPE NCC
Community Projects Fund, the Dutch National Cyber Security Centre and the
Mozilla Open Source Support Fund for financially supporting the
development of Krill, as well as our Relying Party software package
Routinator. In addition, our thanks go out to DigitalOcean for offering
their cloud infrastructure for our automated test platform, Fastly for
their CDN services, as well as Juniper, Cisco and Nokia for providing us
with virtual routers for testing. These organisations make it possible for
us to develop free, open source software in a sustainable way. Please
reach out to us if you want to join this effort.

On behalf of the NLnet Labs RPKI Team,
Alex


