The Road From RSYNC to RRDP

In July 2018, we received a suggestion from the community to support the RRDP protocol for Resource Public Key Infrastructure (RPKI) Publication. As you know, we take our community suggestions seriously, so when we see a suggestion that will improve the quality of a service we offer to our community, we move it to our to-do list. Here’s a look at how we collaborated with the wider community to move from RSYNC to RRDP, and what the technical implications and benefits will be for our community as a result.

What is RRDP?

Let’s back up for a moment. RRDP stands for RPKI Remote Delta Protocol. It is a protocol from the Internet Engineering Task Force (IETF), created to serve up the RPKI repository in a more incremental fashion. RRDP relies on Hypertext Transfer Protocol Secure (HTTPS), which is well supported in programming languages, so the development of relying party software becomes scalable and more robust. RRDP was specifically designed for scaling, and allows incremental changes to be served up over HTTPS.
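To make "incremental" concrete, here is an added example (not ARIN's or NLnet Labs' code) of how a relying party can decide between doing nothing, fetching deltas, or falling back to a full snapshot after reading an RRDP notification file. The element and attribute names follow RFC 8182; the sample file, its URIs, session ID and hash values are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://www.ripe.net/rpki/rrdp}"  # RRDP XML namespace (RFC 8182)

# Constructed sample notification file: URIs, session_id and hashes are made up.
SAMPLE_NOTIFICATION = """\
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
    session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="5">
  <snapshot uri="https://rrdp.example.net/5/snapshot.xml" hash="aa11"/>
  <delta serial="5" uri="https://rrdp.example.net/5/delta.xml" hash="bb55"/>
  <delta serial="4" uri="https://rrdp.example.net/4/delta.xml" hash="bb44"/>
  <delta serial="3" uri="https://rrdp.example.net/3/delta.xml" hash="bb33"/>
</notification>
"""

def plan_update(notification_xml, local_session=None, local_serial=None):
    """Return ("none"|"deltas"|"snapshot", [(uri, expected_sha256_hex), ...])."""
    root = ET.fromstring(notification_xml)
    if root.tag != NS + "notification":
        raise ValueError("not an RRDP notification file")
    session, serial = root.get("session_id"), int(root.get("serial"))
    snap = root.find(NS + "snapshot")
    snapshot = ("snapshot", [(snap.get("uri"), snap.get("hash").lower())])
    # Every referenced file must be fetched over HTTPS; refuse anything else.
    uris = [snap.get("uri")] + [d.get("uri") for d in root.iter(NS + "delta")]
    if any(not u.startswith("https://") for u in uris):
        raise ValueError("non-HTTPS URI in notification file")
    # No local state, or the server started a new session: resync from snapshot.
    if local_session != session or local_serial is None:
        return snapshot
    if local_serial == serial:
        return ("none", [])
    deltas = {int(d.get("serial")): (d.get("uri"), d.get("hash").lower())
              for d in root.iter(NS + "delta")}
    needed = range(local_serial + 1, serial + 1)
    # Deltas are usable only as an unbroken chain from our serial to the latest;
    # a serial that went backwards is treated the same way (policy assumed here).
    if local_serial > serial or any(s not in deltas for s in needed):
        return snapshot
    return ("deltas", [deltas[s] for s in needed])

def hash_matches(body: bytes, expected_hex: str) -> bool:
    """Check a downloaded snapshot or delta against the notification's SHA-256."""
    return hashlib.sha256(body).hexdigest() == expected_hex.lower()
```

A production relying party would additionally cap download sizes and parse the XML with a hardened parser, since the repository content is untrusted input.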

Our Current Repository

Currently, our RPKI Repository is served up over the RSYNC protocol. According to the RFC, RRDP was specifically designed for scaling, and RSYNC had two drawbacks:

  • Repositories were vulnerable to denial-of-service (DoS) attacks
  • A lack of RSYNC client libraries

Overall, RRDP offers a more secure and efficient way for customers to connect to our RPKI repository: it leverages the same mechanisms that websites use today to mitigate DoS attacks, and it benefits from the greater third-party library support available for HTTPS.

If you would like to learn more about RPKI, visit our website.

Collaboration with the Community

Instead of working to support RRDP completely on our own, we looked to the community to leverage existing work and achieve our goals in a faster and more efficient way. We learned that NLnet Labs was already in the process of writing a full end-user RPKI tool set. The first tool, Routinator, would help people validate routes, and the second, Krill, is used to configure their routers and run local RPKI repositories. One part of this effort was adapting our existing repository generation process to also generate an RRDP repository, so we worked with NLnet Labs to utilize their code in our project! NLnet Labs Routinator is one of several available validators with RRDP support. For more information on RPKI validators, you can visit our website.

ARIN’s RPKI repository supports the RRDP protocol as of 3 December. We are very excited to offer these improvements to our RPKI repository for our community. With these changes, we will now plan to publish the repository on a more frequent basis. Instead of publishing four times a day as we did previously, we will be moving to publishing RPKI changes every five minutes.

This joint effort shows how we are able to take a suggestion from our Consultation and Suggestion Process, partner with the community to accomplish a goal, and bring forth technical improvements for our community to enjoy. We look forward to providing this improved service for you. If you have any questions, feel free to reach out to our Registration Services Team at 703.227.0660. If you have feedback, you can use the Feedback button at the top of arin.net or submit a suggestion of your own!

The post The Road From RSYNC to RRDP appeared first on Team ARIN.
