The beta version of the first public, open-source reference C implementation of the RPKI/RTR router end is available.
The RTRlib is an open-source C implementation of the RPKI/Router Protocol client. The library allows fetching and storing validated prefix origin data from a trusted RTR cache and performs origin verification of prefixes. It supports different types of transport sessions (e.g., SSH, unprotected TCP) and is easily extendable.
Automatic failover for multiple RTR servers is not yet implemented, but planned for the next release.
The beta version and further documentation are available at:
Background: The RPKI/RTR Protocol & Origin Validation
RPKI-enabled routers do not store ROAs themselves but only the validated content of these authorisations. The validation of ROAs will be performed by trusted cache servers, which will be deployed at the network operator's site. The RPKI/RTR protocol defines a standard mechanism to maintain the exchange of the prefix/origin AS mapping between the cache server and routers.
In combination with a BGP prefix origin validation scheme, a router is able to verify received BGP updates without suffering from cryptographic complexity.
The RTRlib
The RTRlib is a lightweight C library. It implements the RPKI/RTR protocol for the router end and the proposed prefix origin validation scheme. The RTRlib provides functions to establish a connection to a single or multiple trusted caches and to determine the validation state of a prefix/origin AS mapping.
The RTRlib is useful for developers of routing software but also for network operators. Developers can integrate the RTRlib into the BGP daemon to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools, e.g., to check the proper operation of caches or to evaluate their performance.
The current version of the RTRlib includes a simple RTR client program. This command line tool connects to a configurable cache server via unprotected TCP or SSH and prints status messages of the RPKI/RTR protocol to STDOUT.
RTRlib Architecture Overview
The library follows a flexible design. The software architecture includes different layers to simplify the extension or exchange of individual parts.
The lowest layer of the architecture is formed by the transport sockets. It allows for the implementation of different transport channels that provide a common interface to exchange PDUs with the cache (i.e., the RPKI-RTR server). The current version of the library supports unprotected TCP and SSH.
On top of the transport layer, the RTR socket uses a transport socket for RTR-specific data exchange with the RTR server. The RTR socket implements the RPKI-RTR protocol, i.e., fetches validation records and stores them in a prefix table data structure.
The Prefix validation table stores validated prefix origin data. The abstract data structure provides a common interface to add and delete entries as well as to verify a specific prefix. The library implements a Longest Prefix Tree, but can be extended to other data structures.
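As an added example (not RTRlib's own code), here is the prefix-origin check described above and in the Background section, run over a constructed IPv4 record set: a route is VALID if a covering record authorises its origin AS within maxLength, INVALID if records cover the prefix but none matches, and NOT_FOUND if nothing covers it. The record layout, function names and sample prefixes are assumptions, and a linear scan stands in for the library's Longest Prefix Tree.

```c
#include <stdint.h>
#include <stdio.h>

/* One validated prefix/origin record as delivered by an RTR cache (IPv4 only). */
typedef struct {
    uint32_t prefix;   /* network address, host byte order */
    uint8_t  min_len;  /* length of the ROA prefix */
    uint8_t  max_len;  /* maxLength from the ROA */
    uint32_t asn;      /* authorised origin AS */
} pfx_record;

typedef enum { PFX_VALID, PFX_INVALID, PFX_NOT_FOUND } pfx_state;
/* Constructed sample table standing in for the RTRlib prefix table. */
static const pfx_record table[] = {
    { 0xC0000200u, 24, 24, 64496 },  /* 192.0.2.0/24 maxLen 24, AS64496 */
    { 0xC6336400u, 24, 26, 64497 },  /* 198.51.100.0/24 maxLen 26, AS64497 */
    { 0xCB007100u, 24, 24, 64498 },  /* 203.0.113.0/24 maxLen 24, AS64498 */
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* True if the record's prefix covers the announced route prefix. */
static int covers(const pfx_record *r, uint32_t route, uint8_t route_len)
{
    if (route_len < r->min_len) return 0;
    uint32_t mask = r->min_len == 0 ? 0 : 0xFFFFFFFFu << (32 - r->min_len);
    return (route & mask) == (r->prefix & mask);
}
/* Origin validation: no covering record -> NOT_FOUND; a covering record with
 * matching origin AS and route_len <= max_len -> VALID; otherwise INVALID. */
pfx_state validate_origin(uint32_t route, uint8_t route_len, uint32_t origin_asn)
{
    int found = 0;
    for (size_t i = 0; i < TABLE_LEN; i++) {
        if (!covers(&table[i], route, route_len)) continue;
        found = 1;
        if (table[i].asn == origin_asn && route_len <= table[i].max_len)
            return PFX_VALID;
    }
    return found ? PFX_INVALID : PFX_NOT_FOUND;
}
int main(void)
{
    static const char *name[] = { "VALID", "INVALID", "NOT_FOUND" };
    /* 198.51.100.64/26 from AS64497 is within maxLength: VALID */
    printf("%s\n", name[validate_origin(0xC6336440u, 26, 64497)]);
    /* 198.51.100.0/27 from AS64497 is too specific: INVALID */
    printf("%s\n", name[validate_origin(0xC6336400u, 27, 64497)]);
    /* 10.0.0.0/8 has no covering record: NOT_FOUND */
    printf("%s\n", name[validate_origin(0x0A000000u, 8, 64496)]);
    return 0;
}
```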
On top of the modular architecture, the RTR connection manager maintains the connection to multiple RTR servers. This includes failover mechanisms. It represents the main interface for users of the library.
Further information
- http://rpki.realmv6.org
- http://tools.ietf.org/html/draft-ietf-sidr-rpki-rtr-16
- http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-02