A proposal for a new RPKI validator: OpenBSD rpki-client(1)

[ TL;DR — DONE! We reached the $20,000 fundraiser goal! Thank you NetNod, IIS.SE, SUNET & 6connect for supporting this effort! ]

BGP routing security is in vogue! We’re seeing a ton of interest in RPKI-based BGP Origin Validation: significant uptake in The Netherlands and global players such as Cloudflare have committed themselves to RPKI technology. RPKI will play a critical role in improving the Internet’s security posture, but how do we bring this technology to the masses? I propose we work together and fund rpki-client(1) and release this under the OpenBSD umbrella.

Drawing by Natasha Allegri

Overview of the RPKI ecosystem

RPKI is a specialised public key infrastructure (PKI) framework designed to secure the Internet’s routing infrastructure. It uses X.509 PKI Certificates with extensions for IP Addresses and ASNs. For network operators, RPKI resource certificates offer verifiable proof of ownership of a resource’s allocation or assignment by a Regional Internet Registry (RIR). Network operators can create cryptographically verifiable statements (so-called “ROAs”) about the route announcements they authorise to be made for the prefixes they own. Only the legitimate holder of the IP prefix can create an RPKI ROA using their resource certificate. Other network operators can use RPKI Validator software to download and validate these ROAs. The resulting data set can be used for BGP route filtering.
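How a validated ROA data set drives a route filter, as an added example (not from the original post and not rpki-client code): it applies the origin validation rules of RFC 6811 to constructed ROA payloads. The function names, the sample prefixes and AS numbers (documentation ranges), and the "drop only invalid" policy are assumptions; the maxLength field comes from the ROA format, which the post does not describe.

```python
import ipaddress

# Constructed sample ROA payloads: (prefix, maxLength, origin AS), using
# documentation prefixes and AS numbers only. Not real ROA data.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 26, 64497),
    ("2001:db8::/32", 48, 64498),
]

def parse_vrps(rows):
    """Turn (prefix, maxLength, asn) rows into checked network objects."""
    vrps = []
    for prefix, max_len, asn in rows:
        net = ipaddress.ip_network(prefix)
        # maxLength must lie between the ROA prefix length and the family maximum.
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_len} for {prefix}")
        vrps.append((net, max_len, asn))
    return vrps

def validate_origin(vrps, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in vrps:
        # A payload covers the route when the route is the same prefix or a
        # more specific one in the same address family.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # AS 0 in a ROA never matches: it marks a prefix as not to be routed.
        if asn != 0 and asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no match: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def drop_invalid(vrps, announcements):
    """Assumed filter policy: reject 'invalid', keep 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements
            if validate_origin(vrps, p, a) != "invalid"]
```

A more-specific announcement from the authorised AS is still invalid when it is longer than maxLength, which is what stops a hijacker from winning with a longer prefix under a covered block.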

At the time of writing, only two RPKI validators are popular amongst network operators: RIPE NCC’s RPKI Validator and NLnet Labs’ Routinator 3000. This is a worrisome situation… as my grandmother used to say: “you can’t build a stable chair with just two legs”. A healthy software ecosystem offers operators at least two excellent choices at any given moment. To accomplish this, at least three or four RPKI validator implementations need to exist and compete with each other. So, we need more implementations!

OK — so what’s your end game here?

My dream is to help create a BGP router software stack which out-of-the-box provides as much security as possible. The OpenBSD project provides the perfect foundation for this dream: its base installation comes with fully-featured BGP-4 & OSPF daemons, a DNSSEC-aware resolver is installed by default, it has LibreSSL, and of course it comes with the venerable OpenSSH tools. OpenBSD breathes security. Making RPKI Origin Validation an integral part of the routing stack will be a fantastic leap forward, and perhaps can even serve as a proof-of-concept to inspire the likes of Juniper and Cisco!

Between RIPE NCC’s Java implementation and NLnet Labs’ Rust implementation, the OpenBSD rpki-client(1) will further expand the ecosystem’s diversity by being implemented in C. Design goals are to work with minimal dependencies, not drag in a heavy ecosystem, and follow PrivSep design principles.

The project being developed under the OpenBSD umbrella doesn’t mean its use will be limited to the OpenBSD operating system. In fact, pieces of OpenBSD software are probably running on your computer or smartphone right now! Rpki-client(1) will be perfect to include in your own software distribution.

OpenBSD success stories

Converting money into excellent open-source code isn’t something new for us. For example, this year we successfully revived the OpenBGPD routing daemon — my original pitch can be viewed here and a report on OpenBGPD’s progress is available here. An extensive overview of OpenBSD innovations and programs is available on the OpenBSD website.

Kristaps Dzonsons will be responsible for rpki-client(1)’s development — he has extensive experience with Public Key Infrastructure systems, authored various tools such as mandoc (a popular manpage compiler) and acme-client(1) (a lightweight Let’s Encrypt client). Very few people would be more qualified to write RPKI validation software!

Application Architecture

Rpki-client(1) will be a portable CLI tool that operators run from cron. The tool will retrieve RPKI repositories from the RIRs through either the rsync protocol or RRDP, perform all required cryptographic validations and subsequently extract all RPKI ROA information. The utility’s output can be used as configuration for daemons such as BIRD or OpenBGPD, or can be sent to Cisco and Juniper devices when used in conjunction with GoRTR.

How can you help?

Long story short: we need $20,000 USD. For $20K we’ll build, test, document, and release a fully functional RPKI validator under a liberal open source license — this is an absolute bargain. Anyone who helps fund this project can tout they made a tangible difference for Internet routing security!

Regarding financial logistics: Kristaps Dzonsons’ US-based company will invoice sponsors directly for the amount pledged. My own role in this project is product & project management, which I perform strictly on a voluntary basis. If you are interested in helping fund this project, please send me a note at job@ntt.net or job@openbsd.org.

When a few organisations each chip in a few thousand dollars, within a few months we’ll all get to enjoy a new, secure, open-source, BSD-licensed, reliable RPKI validator!