Krill lets organisations run RPKI on their own systems as a child of one or more Regional Internet Registries (RIRs). It can also run under a different parent, such as a National Internet Registry (NIR) or Enterprise and, in turn, act as a parent for other organisations.
With Krill, operators can generate and publish RPKI cryptographic material to authorise their BGP announcements. The implementation will support running the CA both upwards and downwards. Upwards means that operators can have multiple parents, such as ARIN, RIPE NCC, etc., simultaneously and transparently. Downwards means that the CA can delegate to child organisations or customers who, in turn, run their own CA. This makes Krill ideal for National Internet Registries and Enterprises.
A publication server is included in Krill, but can also be run as an independent component. This means organisations can host published certificates and ROAs themselves, or let a third party, such as a Content Delivery Network, do it on their behalf.
Krill is intended for:
- Organisations which do not want to rely on the web interface of the hosted systems that the RIRs offer, but require RPKI management that is integrated with their own systems
- Organisations that need to be able to delegate RPKI to their customers or different business units, so that that they can run their own CA and manage ROAs themselves
- Organisations that manage address space from multiple RIRs. Using Krill, they can manage all ROAs for all resources seamlessly within one system
- Organisations who want to be operationally independent from their parent RIR, such as NIRs or Enterprises
We are committed to delivering a basic, production quality implementation of Krill by late 2019, with development continuing to offer a full-featured toolset throughout 2020. A detailed project plan is available on GitHub, allowing you to track our progress, submit feedback and request features.