Introducing the š Routinator 3000
Lean, blazingly fast RPKI Validation. As it should be.
NLnet Labs is embarking on a new adventure. In the coming months we will be developing an RPKI toolset aimed at making BGP routing more secure. It will consist of three parts: a Certificate Authority package, a Publication Server and Relying Party software. Weāve chosen to do the development in a modern systems programming language, Rust.
NOTE: If you love open source, open standards and making great software that supports the core of the Internet, come work with us!
Getting a basic Relying Party package together was the easiest way to get started, so after several weeks of furious coding we are proud to introduce the š Routinator 3000. This code is still experimental, but we felt it was good enough to release it and start gathering some feedback.
To show you what we have right now, youāll need to clone and build the package yourself. To demonstrate Iāll be doing this on a pristine Mac running High Sierra. Thereās two things you need for the Routinator: rsync and Rust. As rsync is already available on my Mac, all I need to do is get Rust which is as simple as running
curl https://sh.rustup.rs -sSf | sh
After proceeding with the regular installation, all of the default components are downloaded and installed. Once it successfully completes, make sure you run
source $HOME/.cargo/env
This way you will immediately be able to run commands like cargo build
and cargo run
without having to log out and back in first. Some of the libraries Routinator depends on require a C toolchain to be present. Your system probably has some easy way to install the minimum set of packages to build from C sources. If you are unsure, try to run cc
on the command line. If thereās a complaint about missing input files, you are probably good to go. In my case, I got prompted to install Xcode as I didnāt have that yet.
After hitting āInstallā, you grab some coffee āļø and wait for installer to complete. Running cc
again returned clang: error: no input files
which means Iām good to go.
I still had Routinator in my ~/Downloads folder, so after navigating there I simply ran
cargo build
Now that it was successful, I can run
cargo run
Routinator will connect to the Trust Anchors of the five Regional Internet Registries: ARIN, APNIC, AFRINIC, RIPE NCC and LACNIC. This process may be quite slow initially, because of the way the rsync repositories are structured. Once the fetching and validation has completed, Routinator will send a CSV structured output to stdout
by default.
To get better performance of this release, build and run it in release mode. It will then take long time to build but is quick to run.
cargo run --release
Routinator has a number of command line options available, allowing you to choose the output format, the cache directory and more. You can have cargo pass the options to the executable after a double hyphen. To find out about them, run
cargo run --release -- -h
When playing with these options, you might find -n
useful. It will cause Routinator to skip the rsync-ing of the repository and significantly increase your turn-around.
Routinator supports CSV, JSON and RPSL output, formatted in the almost same way as the RIPE NCC RPKI Validator, ensuring compatibity. As a simple test I just wanted a JSON file on my Desktop, so I ended up running
cargo run --release -- -f json -o /Users/alex/Desktop/roa.json
Once all the RIRs support the RRDP protocol and we have implemented it in Routinator, the whole process should be a lot faster. Seeing that the RIPE NCC has the largest repository and they support RRDP along with APNIC, the next version of Routinator should see a significant performance improvement.
This first release does not run as a daemon yet so for now youāll have to rely on a job scheduler like cron
, but you can expect this in an upcoming release. For now, we hope you have something to sink your teeth into. We look forward to your feedback.