Introducing the 🚀 Routinator 3000

Alex Band
The NLnet Labs Blog
Jul 26, 2018

Lean, blazingly fast RPKI Validation. As it should be.

NLnet Labs is embarking on a new adventure. In the coming months we will be developing an RPKI toolset aimed at making BGP routing more secure. It will consist of three parts: a Certificate Authority package, a Publication Server and Relying Party software. We’ve chosen to do the development in a modern systems programming language, Rust.

NOTE: If you love open source, open standards and making great software that supports the core of the Internet, come work with us!

Getting a basic Relying Party package together was the easiest way to get started, so after several weeks of furious coding we are proud to introduce the 🚀 Routinator 3000. This code is still experimental, but we felt it was good enough to release it and start gathering some feedback.

To show you what we have right now, you’ll need to clone and build the package yourself. To demonstrate, I’ll be doing this on a pristine Mac running High Sierra. There are two things you need for the Routinator: rsync and Rust. As rsync is already available on my Mac, all I need to do is get Rust, which is as simple as running

curl https://sh.rustup.rs -sSf | sh

After proceeding with the regular installation, all of the default components are downloaded and installed. Once it successfully completes, make sure you run

source $HOME/.cargo/env

This way you will immediately be able to run commands like cargo build and cargo run without having to log out and back in first. Some of the libraries Routinator depends on require a C toolchain to be present. Your system probably has some easy way to install the minimum set of packages to build from C sources. If you are unsure, try to run cc on the command line. If there’s a complaint about missing input files, you are probably good to go. In my case, I got prompted to install Xcode as I didn’t have that yet.

After hitting “Install”, you grab some coffee ☕️ and wait for the installer to complete. Running cc again returned clang: error: no input files, which means I’m good to go.

I still had Routinator in my ~/Downloads folder, so after navigating there I simply ran

cargo build

So far so good!

Now that it was successful, I can run

cargo run

Behold, fetching and validation in progress…

Routinator will connect to the Trust Anchors of the five Regional Internet Registries: ARIN, APNIC, AFRINIC, RIPE NCC and LACNIC. This process may be quite slow initially, because of the way the rsync repositories are structured. Once the fetching and validation has completed, Routinator will send a CSV structured output to stdout by default.

Did we mention it’s lean?

To get better performance out of this release, build and run it in release mode. It will take a long time to build but is quick to run.

cargo run --release

Routinator has a number of command line options available, allowing you to choose the output format, the cache directory and more. You can have cargo pass the options to the executable after a double hyphen. To find out about them, run

cargo run --release -- -h

When playing with these options, you might find -n useful. It will cause Routinator to skip the rsync-ing of the repository and significantly shorten your turnaround time.

Routinator supports CSV, JSON and RPSL output, formatted in almost the same way as the RIPE NCC RPKI Validator, ensuring compatibility. As a simple test I just wanted a JSON file on my Desktop, so I ended up running

cargo run --release -- -f json -o /Users/alex/Desktop/roa.json

Once all the RIRs support the RRDP protocol and we have implemented it in Routinator, the whole process should be a lot faster. Seeing that the RIPE NCC has the largest repository and they support RRDP along with APNIC, the next version of Routinator should see a significant performance improvement.

This first release does not run as a daemon yet, so for now you’ll have to rely on a job scheduler like cron, but you can expect this in an upcoming release. For now, we hope you have something to sink your teeth into. We look forward to your feedback.
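
One way to run Routinator from cron without ever handing consumers a half-written or empty ROA file. This is an added example, not part of the original post or of Routinator itself; the binary path, output path, lock directory, size check and crontab line are assumptions, and only the -f json -o options come from the post.

```shell
#!/bin/sh
# Added example: cron wrapper around one Routinator run.
# Assumed paths (not from the post): adjust both for your system.
ROUTINATOR="${ROUTINATOR:-$HOME/Downloads/routinator/target/release/routinator}"
OUT="${OUT:-$HOME/rpki/roa.json}"

# refresh_roas GENERATOR OUTFILE
# Runs GENERATOR with "-f json -o TMPFILE" and replaces OUTFILE only if the
# run succeeded and the result looks sane, so consumers keep the last good
# file when a run fails. Returns:
#   0 published, 1 run failed or empty output, 2 another run holds the lock,
#   3 output shrank to less than half the previous size (left for review).
refresh_roas() {
    gen=$1
    out=$2
    lock="$out.lock"
    tmp="$out.tmp.$$"
    # mkdir is atomic, so overlapping cron runs cannot both proceed.
    # A lock left behind by a killed run must be removed by hand.
    mkdir "$lock" 2>/dev/null || return 2
    ret=1
    if "$gen" -f json -o "$tmp" && [ -s "$tmp" ]; then
        new=$(($(wc -c < "$tmp")))
        old=0
        if [ -f "$out" ]; then old=$(($(wc -c < "$out"))); fi
        if [ $((new * 2)) -lt "$old" ]; then
            ret=3
        elif mv -f "$tmp" "$out"; then
            ret=0   # rename within one directory: readers never see a partial file
        fi
    fi
    rm -f "$tmp"
    rmdir "$lock"
    return "$ret"
}

# Constructed crontab entry (hourly):
#   0 * * * * /usr/local/bin/refresh-roas.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_roas "$ROUTINATOR" "$OUT"
    exit $?
fi
```

A non-zero exit is worth alerting on, since a stale ROA file means routers keep filtering on old data.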

Follow the adventures of our little rocket on Twitter.
