Krill Gains Powerful ROA Management Based on BGP Routing

We are incredibly excited that six months after the first release of Krill it already powers delegated RPKI for over 150 organisations. Now we are launching Krill 0.7.1 ‘Sobremesa’, the biggest update yet of our open source RPKI Certificate Authority software. This version lets you create and maintain Route Origin Authorisations (ROAs) based on your BGP announcements. This makes it incredibly easy to manage ROAs.


Krill already lets you manage and publish ROAs seamlessly across multiple Regional Internet Registries. Now Krill will also tell you the effect of all the ROAs you created, indicating which announcements seen in BGP are authorised and which are not, along with the reason. This ensures your ROAs accurately reflect your intended routing at all times.

All status and validity information is clearly displayed in the user interface, giving you an immediate insight into which ROAs and BGP announcements require your attention. Announcements with an Invalid or NotFound state can be authorised with just a few clicks and will be published immediately.


In addition to providing an overview of all announcements that are seen in BGP, Krill will also inform you if there are any ROAs that don’t seem to affect any announcements at all. These are indicated as “Unseen”. This may be intentional, for example when pre-authorising your DDoS-protection service ASN, but it also lets you easily spot outdated ROAs that can be cleaned up.


(Image: A concise overview of all your ROAs and BGP announcements with your address space)

All of this information is also exposed to the Prometheus endpoint, allowing you to set up a dashboard with Grafana and configure alerts.


(Image: A simple Grafana dashboard conveying the same information)

Best Practices Applied Automatically

The ROA suggestions Krill makes are based on best operational practices as described in RFC 7115. That RFC advises operators to be conservative in their use of the maximum prefix length (maxLength) in ROAs: for example, if only a few sub-prefixes of a prefix will be announced, issue separate ROAs for those specific announcements rather than one ROA with a long maxLength. Krill guides users towards applying these practices.

Liberal usage of maxLength opens up the network to a “forged origin attack”. ROAs should be as precise as possible, meaning they should match prefixes as announced in BGP.


In a forged origin attack, a malicious actor announces a prefix with the AS number of another network as the origin, so that the announcement passes route origin validation. With a minimal maxLength, the attack does not work for sub-prefixes that an overly long maxLength would otherwise have covered. For example, if, instead of creating a single ROA 10.0.0.0/16-24, you issue 10.0.0.0/16-16 and 10.0.42.0/24-24, a forged origin announcement of 10.0.99.0/24 is Invalid rather than Valid, and networks that enforce route origin validation will drop it. Forging the origin for a prefix that exactly matches a ROA (10.0.0.0/16 or 10.0.42.0/24 here) still validates; what precise ROAs remove is the attacker's ability to win outright by announcing a more specific prefix.
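The following Python is an added example written for this page, not Krill's own code. It implements the RFC 6811 outcome (Valid, Invalid, NotFound) for an announcement against a set of ROAs, flags ROAs that cover no announcement seen in BGP (the "Unseen" state described above), derives the precise per-prefix ROAs RFC 7115 recommends, and reproduces the forged-origin scenario from the previous paragraph. All prefixes, ASNs and announcements are constructed sample data; the function and class names are this example's own.

```python
"""Route Origin Validation and ROA hygiene checks.

Added illustration, not Krill's own code. All prefixes, ASNs and
announcements below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

Announcement = Tuple[str, int]  # (prefix, origin ASN) as seen in BGP


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int

    def covers(self, net) -> bool:
        """True if `net` lies inside this ROA's prefix, whatever the ASN or length."""
        roa_net = ip_network(self.prefix, strict=False)
        return net.version == roa_net.version and net.subnet_of(roa_net)

    def authorises(self, net, origin: int) -> bool:
        """True if this ROA makes (net, origin) Valid: covered, same ASN, within maxLength."""
        return self.covers(net) and origin == self.asn and net.prefixlen <= self.max_length


def validate(announcement: Announcement, roas: List[Roa]) -> str:
    """RFC 6811 route origin validation state for one announcement."""
    prefix, origin = announcement
    net = ip_network(prefix, strict=False)
    covering = [r for r in roas if r.covers(net)]
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    if any(r.authorises(net, origin) for r in covering):
        return "Valid"
    return "Invalid"               # covered, but wrong origin or longer than maxLength


def unseen_roas(roas: List[Roa], announcements: List[Announcement]) -> List[Roa]:
    """ROAs that cover no announcement currently seen in BGP: either stale, or a
    deliberate pre-authorisation such as a DDoS-scrubbing provider's ASN."""
    nets = [ip_network(p, strict=False) for p, _ in announcements]
    return [r for r in roas if not any(r.covers(n) for n in nets)]


def suggest_roas(my_asn: int, announcements: List[Announcement]) -> List[Roa]:
    """RFC 7115 guidance: one ROA per announced prefix with maxLength equal to the
    announced length, instead of one broad ROA with a long maxLength."""
    suggested: List[Roa] = []
    for prefix, origin in announcements:
        net = ip_network(prefix, strict=False)
        roa = Roa(str(net), net.prefixlen, origin)
        if origin == my_asn and roa not in suggested:
            suggested.append(roa)
    return suggested


def forged_origin_demo() -> Tuple[str, str]:
    """An attacker announces 10.0.99.0/24 with the victim's ASN (64500) as origin.
    Returns the validation state under a liberal ROA and under precise ROAs."""
    victim_asn = 64500
    liberal = [Roa("10.0.0.0/16", 24, victim_asn)]
    precise = [Roa("10.0.0.0/16", 16, victim_asn), Roa("10.0.42.0/24", 24, victim_asn)]
    forged: Announcement = ("10.0.99.0/24", victim_asn)
    return validate(forged, liberal), validate(forged, precise)


if __name__ == "__main__":
    seen_in_bgp: List[Announcement] = [
        ("10.0.0.0/16", 64500),
        ("10.0.42.0/24", 64500),
        ("192.0.2.0/24", 64496),   # another network's space, different origin
    ]
    # Precise ROAs for our own announcements plus one pre-authorised, unannounced prefix.
    roas = suggest_roas(64500, seen_in_bgp) + [Roa("203.0.113.0/24", 24, 64500)]
    for ann in seen_in_bgp + [("10.0.99.0/24", 64500), ("10.0.42.0/24", 64501)]:
        print(ann, validate(ann, roas))
    print("unseen:", [r.prefix for r in unseen_roas(roas, seen_in_bgp)])
    print("forged origin (liberal, precise):", forged_origin_demo())
```

Under the liberal ROA the forged /24 comes back Valid and, being more specific, would win route selection everywhere; under the precise ROAs it is Invalid and is discarded by any router enforcing origin validation. Note that `unseen_roas` only reports ROAs covering no announcement at all; a ROA that covers an announcement but makes it Invalid is a different condition and should be reviewed separately.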

BGP Data Sources

To display BGP information, Krill 0.7.1 relies on the route collector information from the RIPE NCC Routing Information Service (RIS), which is currently refreshed once every eight hours. In future releases we will extend Krill so that it can use near-real-time data, or even a local feed with your own BGP information instead. Still, for many users of the hosted RPKI systems offered by the Regional Internet Registries, Krill’s new user interface and guidance offer a huge leap forward.


Other features on the roadmap include the expansion of the monitoring and alerting features, for example allowing you to “mute” BGP announcements that are intentionally Invalid or NotFound. We will also let you tag ROAs to assign them a certain purpose or customer.


Other Goodies in this Release

For users of recent Debian and Ubuntu releases we now offer pre-built packages with our releases. Installation instructions are available in our documentation on Read the Docs.


All of the new functionality in Krill 0.7.1 has been translated into the six languages we now offer: English, Portuguese, Spanish, French, Greek and Dutch. Our thanks go out to everyone in the community who contributed a translation!


If you would like to see your preferred language in Krill and feel confident describing Certificate Authorities, Trust Anchors and Relying Parties in your local language, do not hesitate to send a GitHub pull request to the Lagosta user interface project.

As always, please keep the feedback coming on the mailing list, GitHub and Twitter as we work our way towards Krill 1.0 and beyond! ❤️🦐


Please support us

Our thanks go out to the RIPE NCC Community Projects Fund, the Mozilla Open Source Support Fund and the Dutch National Cyber Security Centre for funding the development of our RPKI toolset throughout 2019. Now, with NIC.br and APNIC as our only remaining sponsors, we hope you join them in financially supporting our open source efforts.


Translated from: https://medium.com/nlnetlabs/krill-gains-powerful-roa-management-based-on-bgp-routing-6862c452d539
