The RTRlib is a lightweight, open-source C library that implements the RPKI/RTR protocol. Basically, it fetches data from an RPKI cache server and allows for prefix origin validation as well as BGP path validation. The RTRlib is the backend for BGP daemons and monitoring tools.
The current version implements RFC 6810, RFC 6811, and draft-ietf-sidr-rpki-rtr-rfc6810-bis-02. The RTRlib is open source and licensed under MIT.
The RTRlib gives you easy and highly efficient access to cryptographically valid RPKI data without relying on a specific cache server or RPKI validator implementation. The RTRlib is useful for developers of routing software but also for network operators. Developers can integrate the RTRlib into the BGP daemon to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools (e.g., to evaluate the performance of caches or to validate BGP data).
Any BGP speaker can announce any IP prefix. A BGP peer cannot verify the correctness of the data. If a bogus update was successful, traffic is incorrectly redirected, which might lead to interception or dropping.
The RPKI is a Public Key Infrastructure to attest the ownership of IP prefixes and autonomous system numbers, also known as Internet resources. The attestation objects are stored in distributed repositories.
Part of the RPKI are ROA objects that implement the binding between AS number and IP prefix(es). Thus a BGP router can verify the origin of an IP prefix included within an BGP update.
To reduce load at BGP routers, RPKI objects are fetched and cryptographically validated by cache servers. The RPKI/RTR protocol defines a standard mechanism to maintain the exchange of valid RPKI data between cache server and router, which is implemented by the RTRlib.
Download the latest release. Follow the installation instructions. Finally, integrate RTRlib in your own application or run one of the command line tools which are included in the RTRlib package.
The RTRlib comes with some basic command line tools. Just check the bin/ directory. The rtrclient connects to an RPKI-RTR server, and prints protocol information and fetched ROA data to the console. The cli-validator allows the interactive validation of IP prefixes and origin ASes.
For direct question, just subscribe to rtrlib@googlegroups.com. For feature requests or bug reports use the GitHub issue tracker.
The code base of the RTRlib is publicly available on GitHub: https://github.com/rtrlib/rtrlib/. Feel free to download or to contribute.
The RTRlib is free software. You can redistribute it and/or modify. RTRlib is licensed under MIT, which allows easy redistribution or modification of the software in private, research, and industry deployment.
The RTRlib is used to perform prefix origin validation in Free Range Routing. We are working on bringing the implementation to the FRR master branch. Thorough testing is significantly supported by NetDEF.
We provide an external tool that feeds the BIRD BGP daemon with RPKI data. This tool does not change the software code base of BIRD. It maintains RPKI data within BIRD by using the RTRlib and the BIRD API. There is also effort to integrate RTRlib natively in BIRD. BGPsec support is provided here.
RBV implements a simple REST API to validate IP prefixes. It thus allows lightweight development of RESTful Web services which present prefix validation, such as web monitoring tools. The API is compliant with the RIPE RPKI Validator. However, as the back end is based on the RTRlib, RBV is not bound to a specific RPKI cache server implementation.
For Mozilla Firefox and Google Chrome, we provide add-ons to show the prefix validation state of the web server infrastructure behind the requested website. These plugins are natively integrated within the web browser. The back end is based on RTRlib and RBV. Source code is publicly available for Firefox and Chrome.
The RTRlib is used to perform prefix origin validation in Quagga. You just need to compile Quagga with --enable-rpki. To control the best path selection depending on the RPKI validation outcome, you can configure Route Maps. We are working on bringing the implementation to the Quagga master branch. Thorough testing is significantly supported by NetDEF.
CAIDA BGPStream is an open source framework for live/historical BGP data analysis. Currently, there is progress to support live RPKI origin validation based on the RTRlib in BGPStream.
If you are writing a paper that refers to the RTRlib, please cite as follows:
Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H. Schiller, RTRlib: An Open-Source Library in C for RPKI-based Prefix Origin Validation, In: Proc. of 7th USENIX Security Workshop on Cyber Security Experimentation and Test (CSET), Berkeley, CA, USA:USENIX Assoc., 2013.
Matthias Wählisch, Olaf Maennel, Thomas C. Schmidt, Towards Detecting BGP Route Hijacking using the RPKI, In: Proc. of ACM SIGCOMM. Poster Session, pp. 103--104, New York:ACM, August 2012.
Matthias Wählisch, Thomas C. Schmidt, See How ISPs Care: An RPKI Validation Extension for Web Browsers, In: Proc. of ACM SIGCOMM, Demo Session, pp. 115--116, New York:ACM, August 2015.
RTRlib was originally founded by researchers from the Internet Technologies Lab at Freie Universität Berlin (now Chair of Distributed and Networked Systems at TU Dresden) and reseachers from the INET research group at Hamburg University of Applied Sciences, under the supervision of Matthias Wählisch and Thomas Schmidt. It is now a community project. The list of contributors is available on GitHub. Join us!
Public questions regarding the development for the RTRlib should be issued via the GitHub. For questions regarding formal project establishment, please contact Matthias Wählisch and Thomas Schmidt .
