Initialisation
Before running Routinator for the first time, you must prepare the working environment. You do this using the init subcommand. This will create the directory for the Trust Anchor Locator (TAL) files and copy the desired TALs into it, and create the directory for the local RPKI cache.
If you have installed Routinator using a package from our software package repository, the application is configured to run as a system service with the user routinator. We have included an initialisation script named routinator-init and pre-installed a configuration file located in /etc/routinator/routinator.conf to make the setup process easy for you. The configuration is meant to prepare Routinator for production environments, explicitly setting the TAL and RPKI cache directories and enabling the HTTP and RTR servers on localhost.
The routinator-init script invokes the init subcommand as the user routinator and takes the configuration file into consideration. All of the options for the init subcommand, which are described below, can be appended to the routinator-init script. If you have built Routinator using Cargo you also have to perform the initialisation steps, but in this case you invoke the init subcommand directly.
Important
There is a subtle difference in the initialisation commands depending on how you installed Routinator.
When installed using a package, you would for example enter:
routinator-init --list-tals
When built using Cargo, you would use:
routinator init --list-tals
Trust Anchor Locators
Trust Anchor Locators (TALs) provide hints for the trust anchor certificates to be used both to discover and validate all RPKI content. There are five TALs, one for each Regional Internet Registry (RIR). For production environments these are the only five you will ever need to fetch and validate all available RPKI data.
Some RIRs and third parties also provide separate TALs for testing purposes, allowing operators to gain experience with using RPKI in a safe environment. Both the production and testbed TALs are bundled with Routinator and can be installed with the init subcommand.
To get an overview of all available TALs use the --list-tals option:
routinator init --list-tals
This displays the following overview, where the first column marks the TALs installed by --rir-tals and the second column those installed by --rir-test-tals:
 .---- --rir-tals
 |  .- --rir-test-tals
 |  |
 V  V
 X     afrinic             AFRINIC production TAL
 X     apnic               APNIC production TAL
 X     arin                ARIN production TAL
 X     lacnic              LACNIC production TAL
 X     ripe                RIPE production TAL
    X  apnic-testbed       APNIC RPKI Testbed
    X  arin-ote            ARIN Operational Test and Evaluation Environment
    X  ripe-pilot          RIPE NCC RPKI Test Environment
       nlnetlabs-testbed   NLnet Labs RPKI Testbed
Preparing for Production Environments
Warning
Using the TAL from ARIN requires you to read and accept their Relying Party Agreement before you can use it. Running the init subcommand will provide you with instructions.
By default, the repository and TAL directory will be created under $HOME/.rpki-cache. You can change their location using the --repository-dir and --tal-dir options, or by using a configuration file.
In the most common scenario, you will want to install the TALs of the five RIRs. To do this, run the following command:
routinator init --rir-tals
This will return the following message:
Before we can install the ARIN TAL, you must have read
and agree to the ARIN Relying Party Agreement (RPA).
It is available at
https://www.arin.net/resources/manage/rpki/rpa.pdf
If you agree to the RPA, please run the command
again with the --accept-arin-rpa option.
Running the init subcommand with the --accept-arin-rpa option added will create the repository and TAL directory and copy the five Trust Anchor Locator files into it:
routinator init --rir-tals --accept-arin-rpa
If you built Routinator using Cargo and set up a configuration file before initialisation, make sure to refer to it using the --config option, e.g.:
routinator --config /home/routinator/routinator.conf init --rir-tals --accept-arin-rpa
If you decide you cannot agree to the ARIN RPA terms, you can use the --skip-tal option to exclude the TAL. If, at a later point, you wish to include the ARIN TAL, you can add it to your current installation using the --force option, which forces the installation of all TALs.
Preparing for Test Environments
To install all of the TALs for the various test environments, you can use the --rir-test-tals option. However, in most cases you will want to install a specific one, using the --tal option.
For example, to add the TAL for the ARIN Operational Test and Evaluation Environment to an already initialised Routinator, enter:
routinator init --force --tal arin-ote
New in version 0.9.0: --list-tals, --rir-tals, --rir-test-tals, --tal and --skip-tal
Deprecated since version 0.9.0: --decline-arin-rpa, use --skip-tal instead
Verifying Initialisation
You should verify that Routinator has been initialised correctly and that your firewall allows the required outbound connections on ports 443 (RRDP over HTTPS) and 873 (rsync). From a cold start, it will take ten to fifteen minutes to do the first validation run that builds up the validated cache. Subsequent runs will be much faster, because only the changes between the repositories and the validated cache need to be processed.
If you have installed Routinator from a package and run it as a service, you can check the status using:
sudo systemctl status routinator
And check the logs using:
sudo journalctl --unit=routinator
Important
Because it is expected that the state of the entire RPKI is not perfect at all times, you may see several warnings about objects that are either stale or have failed cryptographic verification, or about repositories that are temporarily unavailable.
If you have built Routinator using Cargo it is recommended to perform an initial test run. You can do this by having Routinator print a validated ROA payload (VRP) list with the vrps subcommand, using -v twice to increase the log level to debug:
routinator -vv vrps
Now you can see how Routinator connects to the RPKI trust anchors, downloads the contents of the repositories to your machine, verifies them and produces a list of VRPs in the default CSV format on standard output.
RRDP https://rrdp.ripe.net/notification.xml: Tree has 0 entries.
RRDP https://rrdp.ripe.net/notification.xml: updating from snapshot.
Found valid trust anchor https://rpki.afrinic.net/repository/AfriNIC.cer. Processing.
Found valid trust anchor https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer. Processing.
RRDP https://rrdp.afrinic.net/notification.xml: Tree has 0 entries.
RRDP https://rrdp.afrinic.net/notification.xml: updating from snapshot.
RRDP https://rrdp.apnic.net/notification.xml: Tree has 0 entries.
RRDP https://rrdp.apnic.net/notification.xml: updating from snapshot.
RRDP https://rrdp.afrinic.net/notification.xml: snapshot update completed.
Found valid trust anchor https://rrdp.arin.net/arin-rpki-ta.cer. Processing.
RRDP https://rrdp.arin.net/notification.xml: Tree has 0 entries.
RRDP https://rrdp.arin.net/notification.xml: updating from snapshot.
rsync://repository.lacnic.net/rpki/: successfully completed.
Found valid trust anchor https://rrdp.lacnic.net/ta/rta-lacnic-rpki.cer. Processing.
RRDP https://rrdp.lacnic.net/rrdp/notification.xml: Tree has 0 entries.
RRDP https://rrdp.lacnic.net/rrdp/notification.xml: updating from snapshot.
RRDP https://rrdp.arin.net/notification.xml: snapshot update completed.
RRDP https://rrdp.sub.apnic.net/notification.xml: Tree has 0 entries.
RRDP https://rrdp.sub.apnic.net/notification.xml: updating from snapshot.
RRDP https://rrdp.ripe.net/notification.xml: snapshot update completed.
RRDP https://rrdp.sub.apnic.net/notification.xml: snapshot update completed.
RRDP https://rpki-repo.registro.br/rrdp/notification.xml: Tree has 0 entries.
RRDP https://rpki-repo.registro.br/rrdp/notification.xml: updating from snapshot.
RRDP https://rrdp.twnic.tw/rrdp/notify.xml: Tree has 0 entries.
RRDP https://rrdp.twnic.tw/rrdp/notify.xml: updating from snapshot.
...
ASN,IP Prefix,Max Length,Trust Anchor
AS137884,103.116.116.0/23,23,apnic
AS9003,91.151.112.0/20,20,ripe
AS38553,120.72.19.0/24,24,apnic
AS58045,37.209.242.0/24,24,ripe
AS9583,202.177.175.0/24,24,apnic
AS50629,2a0f:ba80::/29,29,ripe
AS398085,2602:801:a008::/48,48,arin
AS21050,83.96.22.0/24,24,ripe
AS55577,183.82.223.0/24,24,apnic
AS44444,157.167.73.0/24,24,ripe
AS197695,194.67.97.0/24,24,ripe
...
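To check that the VRP output above is usable, the following added example (not part of Routinator or its documentation) parses the default CSV format shown and applies RFC 6811 route origin validation to a route announcement. The sample rows are a constructed subset in the same format; the function and variable names are assumptions of this example.

```python
import csv
import io
import ipaddress

# Constructed sample in Routinator's default CSV output format
# (a handful of rows only, not a real, complete VRP set).
SAMPLE_VRP_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS137884,103.116.116.0/23,23,apnic
AS9003,91.151.112.0/20,20,ripe
AS50629,2a0f:ba80::/29,29,ripe
AS398085,2602:801:a008::/48,48,arin
AS21050,83.96.22.0/24,24,ripe
"""


def parse_vrps(text):
    """Parse Routinator CSV output into (asn, network, max_length, ta) tuples."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        asn_text = row["ASN"].strip()
        if asn_text.upper().startswith("AS"):
            asn_text = asn_text[2:]
        network = ipaddress.ip_network(row["IP Prefix"].strip(), strict=False)
        vrps.append((int(asn_text), network, int(row["Max Length"]), row["Trust Anchor"].strip()))
    return vrps


def origin_validation(prefix, origin_asn, vrps):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A VRP covers the route when the announced prefix lies inside the VRP
    prefix. Among covering VRPs the route is valid if at least one has the
    same origin AS and the announced prefix length does not exceed the VRP's
    max length; covered but never matched is invalid; no cover is not-found.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for asn, network, max_length, _ta in vrps:
        if route.version != network.version or not route.subnet_of(network):
            continue
        covered = True
        if asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = parse_vrps(SAMPLE_VRP_CSV)
    for route, asn in [("103.116.116.0/23", 137884), ("103.116.117.0/24", 137884), ("10.0.0.0/8", 64496)]:
        print(route, "AS%d" % asn, origin_validation(route, asn, table))
```

A more-specific announcement than the ROA's max length (103.116.117.0/24 against a /23 with max length 23) is reported as invalid even with the right origin AS, which is the check that catches the most common misconfiguration.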