In July 2018, we received a suggestion from the community to support the RRDP protocol for Resource Public Key Infrastructure (RPKI) Publication. As you know, we take our community suggestions seriously, so when we see a suggestion that will improve the quality of a service we offer to our community, we move it to our to-do list. Here’s a look at how we collaborated with the wider community to move from RSYNC to RRDP, and what the technical implications and benefits will be for our community as a result.
What is RRDP?
Let’s back up for a moment. RRDP stands for RPKI Repository Delta Protocol. It is a protocol from the Internet Engineering Task Force (IETF), created to serve up the RPKI repository in a more incremental fashion. RRDP relies on Hypertext Transfer Protocol Secure (HTTPS), which is well supported in programming languages, so the development of relying party software becomes scalable and more robust. RRDP was specifically designed for scaling, and allows incremental changes to be served up over HTTPS.
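To make "incremental" concrete, here is an added example (not ARIN's or NLnet Labs' code) of how a relying party can read an RRDP notification file, in the format defined by RFC 8182, and decide whether to replay deltas or fall back to a full snapshot. The host name, session id and hash values are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "{http://www.ripe.net/rpki/rrdp}"  # RRDP XML namespace (RFC 8182)
SESSION = "9df4b597-af9e-4dca-bdda-719cce2c4e28"  # constructed session id
BASE = "https://rrdp.example.net"  # hypothetical repository host

# Constructed notification file: current serial 5, deltas kept for 3..5.
SAMPLE = (
    f'<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
    f'session_id="{SESSION}" serial="5">'
    f'<snapshot uri="{BASE}/5/snapshot.xml" hash="{"a" * 64}"/>'
    + "".join(f'<delta serial="{s}" uri="{BASE}/{s}/delta.xml" hash="{str(s) * 64}"/>'
              for s in (5, 4, 3))
    + "</notification>"
)


def plan_fetch(notification_xml, local_session, local_serial):
    """Return the (kind, serial, uri, sha256) files to download, in apply order."""
    # The notification is remote input; a production client would use a
    # hardened XML parser and cap the response size before parsing.
    root = ET.fromstring(notification_xml)
    session, serial = root.get("session_id"), int(root.get("serial"))
    snap = root.find(NS + "snapshot")
    deltas = {int(d.get("serial")): d for d in root.findall(NS + "delta")}
    for el in [snap, *deltas.values()]:
        if not el.get("uri").startswith("https://"):
            raise ValueError("RRDP file URIs must be HTTPS: " + el.get("uri"))
    snapshot = [("snapshot", serial, snap.get("uri"), snap.get("hash"))]
    # No local state, a new session, or a serial that went backwards: resync.
    if local_session != session or local_serial > serial:
        return snapshot
    if local_serial == serial:
        return []  # already current, nothing to download
    wanted = range(local_serial + 1, serial + 1)
    if any(s not in deltas for s in wanted):
        return snapshot  # the delta chain has a gap, so it cannot be replayed
    return [("delta", s, deltas[s].get("uri"), deltas[s].get("hash")) for s in wanted]


def verify_hash(body: bytes, expected_hex: str) -> bool:
    """Check a downloaded snapshot or delta against the hash the notification gave."""
    actual = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())
```

Each file returned by `plan_fetch` should pass `verify_hash` before it is applied, so that a stale or tampered snapshot or delta is rejected rather than merged into the local cache.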
Our Current Repository
Currently, our RPKI Repository is served up over the RSYNC protocol. According to the RFC, RRDP was specifically designed for scaling, and RSYNC had two drawbacks:
- Repositories were vulnerable to denial-of-service (DoS) attacks
- A lack of RSYNC client libraries
Overall, RRDP offers a more secure and efficient way for customers to connect to our RPKI repository by leveraging the same mechanisms that websites use today to mitigate DoS attacks, and by benefiting from the greater third-party library support for HTTPS.
If you would like to learn more about RPKI, visit our website.
Collaboration with the Community
Instead of working to support RRDP completely on our own, we looked to the community to leverage existing work and achieve our goals in a faster and more efficient way. We learned that NLnet Labs was already in the process of writing a full end-user RPKI tool set. The first tool, Routinator, would help people validate routes, and the second, Krill, is used to configure their routers and run local RPKI repositories. One part of this effort was adapting our existing repository generation process to also generate an RRDP repository, so we worked with NLnet Labs to utilize their code in our project! NLnet Labs Routinator is one of several available validators with RRDP support. For more information on RPKI validators, you can visit our website.
ARIN’s RPKI repository supports the RRDP protocol as of 3 December. We are very excited to offer these improvements to our RPKI repository for our community. With these changes, we will now plan to publish the repository on a more frequent basis. Instead of publishing four times a day as we did previously, we will be moving to publishing RPKI changes every five minutes.
This joint effort shows how we are able to take a suggestion from our Consultation and Suggestion Process, partner with the community to accomplish a goal, and bring forth technical improvements for our community to enjoy. We look forward to providing this improved service for you. If you have any questions, feel free to reach out to our Registration Services Team at 703.227.0660. If you have feedback, you can use the Feedback button at the top of arin.net or submit a suggestion of your own!