[RPKI] How to generate a .tal file of the embedded ta
Ximon Eighteen
ximon at nlnetlabs.nl
Wed Jun 3 09:14:30 UTC 2020
Good morning Cathy,
Please find specific answers to your questions inline below. First, let
me just say thanks for using Krill and for reaching out with questions,
it's always great to see Krill being used and to get input from the
community.
Please note that while Krill is indeed capable of acting as a **test**
Trust Anchor and serving a **test** Trust Anchor Locator file, this was
intended mainly for our own internal testing purposes, for example the
Krill end-to-end test [1] uses the TA and TAL with Routinator as you
intend to do.
As this was primarily created for internal testing purposes it is not
currently well documented but we hope to spend some time reviewing and
improving the Krill documentation in general over the coming weeks. It
also means that there are some limitations at present, e.g. the TAL only
supports HTTPS, not Rsync, the resources assigned to the TA are
hard-coded and cannot be changed, and when you set "use_ta = true" Krill
currently assumes that you have also set "repo_enabled = true". For the
E2E test we do work around the lack of Rsync support in the TAL in order
to test with other Relying Party software that doesn't/didn't support
RRDP, but it's not a very nice hack.
As a side note, if you are amenable to running Krill on DigitalOcean or
Amazon Web Services, you might find Krill Manager [2] helpful for this,
as it can set up Krill as a repository server for you (one child CA
pre-created, repo_enabled = true, with NGINX (for RRDP) + Let's Encrypt
certificate and Rsyncd already set up and running), you just have to set
"use_ta = true" and restart Krill, e.g. I just set up
https://(ca|rrdp|rsync).tatest.krill.cloud/ in DigitalOcean using Krill
Manager with "use_ta = true".
See more information inline below. Please feel free to ask if you have
any more questions.
Ximon
---
[1] https://github.com/NLnetLabs/krill/actions?query=workflow%3A%22E2E+Test%22
[2] https://rpki.readthedocs.io/en/latest/krill/krillmanager/
On 03-06-2020 10:02, zhangcuiling via RPKI wrote:
> Hi all,
>
> I'd like to run a test environment with krill as CAs (embedded ta and a
> created sub CA) and routinator as RP.
>
>
> It seems that there is no .tal file of the embedded ta. So I need to
> create one for RP.
There is indeed a TAL, if you have set "use_ta = true" in krill.conf and
restarted Krill. It will be served at the service URI with /ta/ta.tal
appended.
When running behind a proxy such as NGINX this will be available at the
external URL and port. If not using a proxy then it will be served at
the Krill domain and port, e.g. https://localhost:3000/ta/ta.tal,
depending on the settings in your krill.conf file.
E.g. for my deployment in DigitalOcean the service_uri is set to
"https://ca.tatest.krill.cloud/" and the TAL is available here:
$ wget -qO- https://ca.tatest.krill.cloud/ta/ta.tal
https://ca.tatest.krill.cloud/ta/ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtTMuQLdhkZPJlitmb7J+
G7JHa7I0dWgAS9OPO9eada4zS+u5Z2SAYmyRoJopJJ53w64D2mqhpiWyKxoKa0b8
HHnapMZ/6SSKnyb2Z2UVOjvnMUNvRs14fY1MJpN7XYgca4tUNO8xxHdahudVjOso
SgNpv1qsTxz0A+vMRPWwcdbvtJ95tiqs9JftW8PE8Uw1pQSzYPcIY86lgCF2NiJK
Vc9v5ythsYG0DaN5ogb6hD/l87Tuf1NY0yAVVwCgFEZx+QCVtkJDmttRDsgQ66I5
5J8k4Z8TMtZQ7ZkvypkdtII/ozyMAEOCxt7wtepg2OUzifpu+MkflHYgm6oJ0chU
wwIDAQAB
>
> But I can't find the .cer file of the embedded ta.
See /ta/ta.cer, e.g.:
$ https://ca.tatest.krill.cloud/ta/ta.cer
<snip -- binary content>
> Is there a method to get the .cer file of .tal file of the embedded ta?
One quick way to test Routinator with a Krill TA is like so:
$ docker volume create routinator-tals
$ docker run --rm -v routinator-tals:/mnt alpine wget -qO/mnt/krill.tal https://ca.tatest.krill.cloud/ta/ta.tal
$ docker run --rm -v routinator-tals:/home/routinator/.rpki-cache/tals nlnetlabs/routinator vrps
ASN,IP Prefix,Max Length,Trust Anchor
AS64496,10.0.0.0/24,24,krill
The Krill instance was set up using Krill Manager with own repo enabled
and a CA named "ca", then "use_ta = true" was added to krill.conf and
Krill was restarted. Then these krillc commands were used:
$ krillc parents request --ca ca > /tmp/child_request.xml
$ krillc children add remote --ca ta --child ca --ipv4 "10.0.0.0/8" --ipv6 "2001:DB8::/32" --rfc8183 /tmp/child_request.xml > /tmp/parent-resp.xml
$ krillc parents add remote --ca ca --parent ta --rfc8183 /tmp/parent-resp.xml
$ echo "A: 10.0.0.0/24 => 64496" > /tmp/roas.delta
$ krillc roas update --ca ca --delta /tmp/roas.delta
You can see the produced content like so:
$ rsync --list-only rsync://rsync.tatest.krill.cloud/repo/ca/0/
drwxr-xr-x          4,096 2020/06/03 09:03:38 .
-rw-r--r--          2,276 2020/06/03 09:03:38 31302e302e302e302f3234203d3e203634343936.roa
-rw-r--r--            474 2020/06/03 09:03:38 B9C8D9271D77592B9CA066AAE8353161D81ADF97.crl
-rw-r--r--          2,499 2020/06/03 09:03:38 B9C8D9271D77592B9CA066AAE8353161D81ADF97.mft
$ wget -qO- https://rrdp.tatest.krill.cloud/rrdp/notification.xml
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="77dc7be9-fe10-4197-8286-1d7e5ca6760f" serial="4">
  <snapshot uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/4/snapshot.xml" hash="ceff9918f2ae47b0bc90cc2e81ada0d804739163f461ad5cd21486f4151a3b8c" />
  <delta serial="4" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/4/delta.xml" hash="b5f98c01a1752267ced951e99d8be7811df8b067cbd5f3d33fd9a4bac5f53280" />
  <delta serial="3" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/3/delta.xml" hash="3cf184cbba34f12faf13661289642d4706fe7a4b702b4e90dd033693038d3cfd" />
  <delta serial="2" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/2/delta.xml" hash="2d79c5d57945b11342f811581492d14551d44bd5f1c45afb923142969f66b232" />
  <delta serial="1" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/1/delta.xml" hash="0f74c2cbc6213754917672aa595c618d4d4ad6925a04d1e95d87e5b745f9f6a3" />
</notification>
> Thanks a lot.
>
> Best wishes,
>
> Cathy
>
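The thread shows how Krill serves the TAL at /ta/ta.tal and the TA certificate at /ta/ta.cer. Before a Relying Party trusts a TA fetched this way, the public key embedded in the TAL must match the SubjectPublicKeyInfo of the certificate at the TAL's URI (RFC 8630 section 3); Routinator does this internally, but it is worth being able to check by hand when wiring up a test TA. The following is an added example, not code from Krill, Routinator or this thread. It parses a TAL (the key below is the one printed in the message above), extracts the SPKI from a DER certificate with a minimal stdlib-only DER walker, and compares the two. The certificate it checks is a synthetic one built around the TAL key purely so the example runs offline; against a real deployment you would pass the bytes fetched from the .cer URI instead.

```python
"""Verify that a TAL's embedded key matches the TA certificate's SubjectPublicKeyInfo.

Added example (not Krill's or Routinator's code). Standard library only; the
DER parsing is a minimal walker, just enough to locate the SPKI in a certificate.
"""
import base64
import hashlib
import hmac

# Constructed sample: TAL text in the layout Krill serves at <service_uri>/ta/ta.tal
# (URI line(s), then base64 SubjectPublicKeyInfo). The key is the one quoted in the thread.
SAMPLE_TAL = """https://ca.tatest.krill.cloud/ta/ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtTMuQLdhkZPJlitmb7J+
G7JHa7I0dWgAS9OPO9eada4zS+u5Z2SAYmyRoJopJJ53w64D2mqhpiWyKxoKa0b8
HHnapMZ/6SSKnyb2Z2UVOjvnMUNvRs14fY1MJpN7XYgca4tUNO8xxHdahudVjOso
SgNpv1qsTxz0A+vMRPWwcdbvtJ95tiqs9JftW8PE8Uw1pQSzYPcIY86lgCF2NiJK
Vc9v5ythsYG0DaN5ogb6hD/l87Tuf1NY0yAVVwCgFEZx+QCVtkJDmttRDsgQ66I5
5J8k4Z8TMtZQ7ZkvypkdtII/ozyMAEOCxt7wtepg2OUzifpu+MkflHYgm6oJ0chU
wwIDAQAB
"""


def parse_tal(text):
    """Return (uris, spki_der). Accepts the RFC 8630 layout: optional '#' comments,
    one or more rsync:// or https:// lines, an optional blank line, then base64."""
    uris, b64 = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("rsync://", "https://")):
            uris.append(line)
        else:
            b64.append(line)
    if not uris or not b64:
        raise ValueError("TAL needs at least one URI line and a base64 key")
    return uris, base64.b64decode("".join(b64), validate=True)


def der_read(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def cert_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV (bytes) of a DER-encoded X.509 certificate."""
    tag, vs, _ = der_read(cert_der, 0)              # Certificate ::= SEQUENCE
    tbs_tag, tvs, tve = der_read(cert_der, vs)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(der_children(cert_der, tvs, tve))
    if fields and fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    _, start, _, end = fields[5]
    return cert_der[start:end]


def tal_matches_cert(tal_text, cert_der):
    """True iff the TAL's key equals the certificate's SPKI (constant-time compare)."""
    _, tal_spki = parse_tal(tal_text)
    return hmac.compare_digest(tal_spki, cert_spki(cert_der))


def spki_fingerprint(spki):
    """SHA-256 over the DER SPKI, handy for logging which TA key was pinned."""
    return hashlib.sha256(spki).hexdigest()


def der_tlv(tag, content):
    """Encode a DER TLV; used only to build the synthetic test certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def synthetic_cert(spki):
    """Constructed, unsigned certificate skeleton around spki (for offline testing only)."""
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] version v3
                  + der_tlv(0x02, b"\x01")                # serialNumber
                  + der_tlv(0x30, b"")                    # signature (placeholder)
                  + der_tlv(0x30, b"")                    # issuer (placeholder)
                  + der_tlv(0x30, b"")                    # validity (placeholder)
                  + der_tlv(0x30, b"")                    # subject (placeholder)
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    uris, key = parse_tal(SAMPLE_TAL)
    print("TAL URIs:", uris)
    print("TAL key fingerprint:", spki_fingerprint(key))
    print("matches synthetic cert:", tal_matches_cert(SAMPLE_TAL, synthetic_cert(key)))
```

On a live deployment, replace `synthetic_cert(key)` with the bytes of `ta.cer` fetched from the URI in the TAL; a mismatch means the TAL and certificate were produced by different keys (for instance after the TA was regenerated) and the RP should not trust that TA until the TAL is refreshed. The tampered-key case in the test shows that even a one-bit difference in the SPKI is rejected.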