Krill 0.8.1 'The Gentle Art' Released

Published: Tue 17 November 2020
Last updated: Thu 21 November 2024

We are happy to introduce Krill 0.8.1 'The Gentle Art'. This release is less restrictive when creating ROAs, while still providing enough guidance to accurately reflect your routing intent.

Krill automatically downloads BGP announcement information from RIPE RIS and uses this to analyse the known BGP announcements for the address space on your resource certificate(s). This allows Krill to show the RPKI validation status of your announcements, warn about possible issues, and make suggestions about ROAs you may want to create or remove.

Krill 0.8.1 recognises the following 'States' in its analysis:

| State | Explanation |
| --- | --- |
| NOT FOUND | This announcement is not covered by any of your ROAs |
| INVALID ASN | The prefix for this announcement is covered by one or more of your ROAs. However, none of those ROAs allow announcements of this prefix by this ASN. |
| INVALID LENGTH | The ASN for this announcement is covered by one or more of your ROAs. However, the prefix is more specific than allowed. |
| SEEN | This is a ROA you created which allows at least one known BGP announcement. Note it may also disallow one or more other announcements. You can show details if you click on the '>' icon. |
| TOO PERMISSIVE | This ROA uses the max length field to allow multiple announcements, but Krill does not see all most specific announcements in its BGP information. |
| REDUNDANT | This is a ROA you created which is included in full by at least one other ROA you created. I.e. you have a ROA for the same ASN, covering this prefix and including the maximum length. |
| NOT SEEN | This is a ROA you created but it does not cover any known announcements. This may be a ROA you created for a backup or planned announcement. On the other hand, this could also be a stale ROA in which case it is better to remove it. |
| DISALLOWING | This is a ROA for which no allowed announcements are seen, yet it disallows one or more announcements. If this is done on purpose it may be better to create a ROA for ASN 0 instead. |
| AS0 | This is a ROA you created for a prefix with ASN 0. Since ASN 0 cannot occur in BGP such ROAs are effectively used to disallow announcements of prefixes on the global BGP table. |
| REDUNDANT (AS0) | An AS0 ROA is considered redundant in case you have at least one ROA covering the entire prefix for a real ASN. In such cases this ROA does not provide any further protection on top of that existing ROA. |
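To make the state definitions concrete, the following added example (not Krill's own code) applies them to constructed ROAs and announcements. The names `Roa`, `Ann`, `announcement_state` and `roa_state`, the `VALID` label, the order of the checks and the reading of "disallows" are assumptions; TOO PERMISSIVE and REDUNDANT (AS0) are not modelled.

```python
from collections import namedtuple
from ipaddress import ip_network

Roa = namedtuple("Roa", "prefix max_len asn")
Ann = namedtuple("Ann", "prefix asn")

def covers(roa_prefix, prefix):
    """True if `prefix` equals or is more specific than `roa_prefix`."""
    r, p = ip_network(roa_prefix), ip_network(prefix)
    return r.version == p.version and p.subnet_of(r)

def allows(roa, ann):
    """A ROA allows an announcement if ASN, prefix and max length all match."""
    return (roa.asn == ann.asn and covers(roa.prefix, ann.prefix)
            and ip_network(ann.prefix).prefixlen <= roa.max_len)

def announcement_state(ann, roas):
    covering = [r for r in roas if covers(r.prefix, ann.prefix)]
    if not covering:
        return "NOT FOUND"
    if any(allows(r, ann) for r in covering):
        return "VALID"  # assumed label: the table only names problem states
    if any(r.asn == ann.asn for r in covering):
        return "INVALID LENGTH"  # right ASN, prefix more specific than allowed
    return "INVALID ASN"

def roa_state(roa, roas, anns):
    if roa.asn == 0:
        return "AS0"
    if any(o != roa and o.asn == roa.asn and o.max_len >= roa.max_len
           and covers(o.prefix, roa.prefix) for o in roas):
        return "REDUNDANT"
    covered = [a for a in anns if covers(roa.prefix, a.prefix)]
    if any(allows(roa, a) for a in covered):
        return "SEEN"
    # Assumption: "disallows" = covered by this ROA and allowed by no ROA.
    invalid = [a for a in covered
               if announcement_state(a, roas).startswith("INVALID")]
    return "DISALLOWING" if invalid else "NOT SEEN"

# Constructed sample data using documentation prefixes and ASNs.
ROAS = [Roa("192.0.2.0/24", 24, 64496), Roa("198.51.100.0/24", 24, 64497),
        Roa("2001:db8::/32", 48, 64496), Roa("2001:db8:1::/48", 48, 64496),
        Roa("203.0.113.0/24", 24, 0)]
ANNS = [Ann("192.0.2.0/24", 64496), Ann("192.0.2.0/25", 64496),
        Ann("198.51.100.0/24", 64511), Ann("2001:db8:1::/48", 64496),
        Ann("3fff::/32", 64496)]
```

Note that the more specific `192.0.2.0/25` announcement is INVALID LENGTH even though its origin ASN matches, which is the case the max length field controls.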

In addition to this we have included some small improvements for the Krill Publication Server. To install Krill 0.8.1 you can use Cargo, the Rust package manager, or use the packages for Debian and Ubuntu we provide on https://packages.nlnetlabs.nl
