Krill is a free, open-source Resource Public Key Infrastructure (RPKI) Certificate Authority (CA) and publication server developed by NLnet Labs. It enables organizations to manage delegated RPKI under one or multiple Regional Internet Registries (RIRs), facilitating the creation and publication of Route Origin Authorizations (ROAs) either on their own servers or through third-party services. Designed for robustness and efficiency, Krill is written in the Rust programming language, ensuring lightweight performance suitable for deployment on minimal hardware configurations.
Key Features and Functionality:
- Delegated RPKI Management: Krill allows seamless management of ROAs across multiple RIRs, presenting all resources as a unified pool within a single integrated system.
- Intuitive ROA Management Interface: Users can create and maintain ROAs based on BGP announcements associated with their certified address space. The system provides clear feedback on the impact of each ROA, indicating authorized and unauthorized BGP announcements to ensure accurate routing intentions.
- Flexible Deployment Options: Krill offers multiple installation methods, including Debian and Ubuntu packages, Cargo builds, and Docker containers. It features a built-in web server, user interface, command-line interface, API, OpenID authentication, and Prometheus monitoring endpoints, facilitating easy integration into existing systems.
- Delegation Capabilities: Organizations can delegate RPKI management to customers or different business units, allowing them to operate their own CAs and manage ROAs independently.
Primary Value and Problem Solved:
Krill addresses the complexities associated with managing RPKI across multiple RIRs by providing a unified, user-friendly platform for ROA management. It simplifies the delegation of RPKI responsibilities within organizations, enhancing operational efficiency and security. By offering real-time insights into BGP announcements and ROA configurations, Krill ensures that routing policies accurately reflect organizational intentions, thereby improving the overall security and reliability of internet routing.