[RPKI] Migration from other software

Tim Bruijnzeels tim at nlnetlabs.nl
Thu Jun 11 07:27:11 UTC 2020

Hi Cathy,

> On 10 Jun 2020, at 05:50, zhangcuiling via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> Hi all,
> Does Krill plan to support migration from other software?

For the moment there is no standards way to migrate one RPKI CA to another. I am in the early stages of discussing this with some others and may bring a proposal to the IETF, but.. this is complicated, and it will take time. And it would only work if all involved parties (source CA, destination CA, parent, children, publication server) implement the process/protocol that is yet to be defined.

To replace existing software in place, keeping its data, keys, parent, child and publication relationships would be very hard. The DRL software uses a database, and it uses openssl based keys as far as I know. So, theoretically a migration could be coded. But it would be very specific to the source package version, it would be a lot of work to implement, and it would be very hard to test beforehand.

> Or does one have to re-setup the relationship with its parent CAs and children CAs?
> It seems that the AS-IP mapping data is easy to export and import between different software.
> How to use the same key after data migration is a key problem.

The best way to do this would be to set up a new RPKI CA under the current parent alongside the other implementation. It will receive a new certificate with the same resources for its own key. Then migrate all the children and/or ROAs. If you are looking to use co-hosted delegated child CAs, then Krill can support any number of them - but bear in mind that you should think about how to secure access by users to just their own CA (currently Krill has a single master password only). If you have remote children, you will need to ask them to add your new CA as their new parent. And once all this is done, remove the other implementation.

I have checked with APNIC and for their system it is possible to run two CA instances in paralel if you ask them.

> And does Krill have a performance test benchmark yet?
> Or maybe performance is not that important because the real TPS couldn't be too high.

Because we believe that performance is not a problem we have never benchmarked. Memory usage for a single CA krill is in the order of 10s of MBs, CPU usage is mostly close to 0%, except for brief moments when:
- talking to a parent about updated resources (once per hour)
- being talked to by a child (once per hour per child)
- re-issuing MFT and CRL (once every 16 hours)
- changing ROAs (depends on your needs, but typically less than once per day)

If you are thinking of having many co-hosted CAs in Krill then it may be worth doing a stress test. The basic API building blocks for adding/removing co-hosted CAs, changing ROAs and publishing are in place. So it should not be hard to make a test.

Kind regards,

> Cathy
> 2020-06-10
> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki

More information about the RPKI mailing list