RPKI Engine 1.0
Overview

Terminology

A few special terms that appear often enough in code or documentation that they need explaining.

Todo:
These explanations should be fleshed out properly.
IRBE:
Internet Registry Back End.
IRDB:
Internet Registry Data Base.
BPKI:
Business PKI.
RPKI:
Resource PKI.

Programs

At present the package is intended to be run out of the rpkid/ directory.

In addition to the library routines in the rpkid/rpki/ directory, the package includes the programs described in the following sections.

Most of these programs take configuration files in a common format similar to that used by the OpenSSL command line tool. The test programs also take input in YAML format to drive the tests. Runs of the yamltest test tool will generate a fairly complete set of configuration files which may be useful as examples.

Basic operation consists of creating the appropriate MySQL databases (see MySQL Setup), configuring relationships between parents and children and between publication clients and repositories (see The myrpki tool), starting rpkid, pubd, rootd, and irdbd, and using the left-right and publication control protocols (see The myrpki tool) to set up rpkid's and pubd's internal state. All other operations should occur either as a result of cron events or as a result of incoming left-right and up-down protocol requests.

The core programs are all event-driven, and are (in theory) capable of supporting an arbitrary number of hosted RPKI engines in a single rpkid instance, up to the performance limits of the underlying hardware.

At present the daemon programs all run in the foreground; that is, the daemons make no attempt to put themselves into the background. The easiest way to run the servers is the start_servers script, which examines your rpki.conf file and starts the appropriate servers in the background, using rpki.conf as the configuration file for each server as well.

If you prefer, you can run each server by hand instead of using the script, e.g., using Bourne shell syntax to run rpkid in the background and record its process ID:

   $ rpkid &
   $ echo "$!" >rpkid.pid


All of the daemons use syslog by default. You can change this by running either the servers themselves or the start_servers script with the "-d" option. Used as an argument to a server directly, "-d" causes that server to log to stderr instead of to syslog. Used as an argument to start_servers, "-d" starts each of the servers with "-d" while redirecting stderr from each server to a separate log file. This is intended primarily for debugging.
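The following is an added example, not the project's own start_servers script (which reads rpki.conf to decide what to start). It shows in plain Bourne shell what the text describes: launching each daemon in the background with "-d" so it logs to stderr, redirecting that stderr to a per-server log file, and recording the child's process ID in a pid file, plus a guard so that a daemon whose pid file still points at a live process is not started twice. The daemon names come from the text; the PIDDIR and LOGDIR variables, the file naming, and the assumption that the daemons are on PATH are this example's own.

```shell
#!/bin/sh
# Added example: minimal background launcher for the rpkid daemons.
# Not the project's start_servers script.  Assumptions (not from the page):
# daemons are found on PATH, pid files go in $PIDDIR, logs in $LOGDIR.
LOGDIR="${LOGDIR:-.}"
PIDDIR="${PIDDIR:-.}"

# start_server NAME COMMAND [ARGS...]
# Runs "COMMAND ARGS... -d" in the background, so the daemon logs to stderr
# instead of syslog, appends that stderr to $LOGDIR/NAME.log, and records
# the child's PID in $PIDDIR/NAME.pid.  Refuses (return 1) if NAME.pid
# already names a live process, so we never run two copies of one daemon.
start_server() {
    name=$1; shift
    pidfile="$PIDDIR/$name.pid"
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "$name already running (pid $(cat "$pidfile"))" >&2
        return 1
    fi
    "$@" -d 2>>"$LOGDIR/$name.log" &
    echo "$!" > "$pidfile"
}

# stop_server NAME
# Sends SIGTERM to the PID recorded for NAME and removes the pid file.
# Returns 1 if there is no pid file to act on.
stop_server() {
    pidfile="$PIDDIR/$1.pid"
    [ -f "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" 2>/dev/null || :
    rm -f "$pidfile"
}

# server_running NAME
# Exit status 0 if NAME.pid exists and names a process we can signal.
server_running() {
    pidfile="$PIDDIR/$1.pid"
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        return 0
    fi
    return 1
}

# start_all / stop_all: the four daemons the text names, in the order
# it lists them.  Usage from a shell:  . ./start_servers.sh && start_all
start_all() {
    for d in rpkid pubd rootd irdbd; do
        start_server "$d" "$d" || return 1
    done
}

stop_all() {
    for d in irdbd rootd pubd rpkid; do
        stop_server "$d" || :
    done
}
```

Appending rather than truncating the log (">>") keeps the previous run's stderr when a daemon is restarted, and the kill -0 check on the recorded PID is what turns a stale pid file from "silently start a second copy" into a visible refusal; the check is only as good as the pid file, so remove the file when you deliberately kill a daemon by other means.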

Some of the options the daemons take are common to all of them; which daemon an option affects depends only on which section of which config file it appears in. See Common Options for details.

rpkid

rpkid is the main RPKI engine daemon. Configuration of rpkid is a two step process: a config file to bootstrap rpkid to the point where it can speak using the left-right protocol, followed by dynamic configuration via the left-right protocol. The latter stage is handled by the myrpki tool.

rpkid stores dynamic data in an SQL database, which must have been created for it, as explained in the Installation Guide.

pubd

pubd is the publication daemon. It implements the server side of the publication protocol, and is used by rpkid to publish the certificates and other objects that rpkid generates.

pubd is separate from rpkid for two reasons:

pubd stores dynamic data in an SQL database, which must have been created for it, as explained in the Installation Guide. pubd also stores the published objects themselves as disk files in a configurable location which should correspond to an appropriate module definition in rsync.conf; see the Configuration Guide for details.

rootd

rootd is a stripped-down implementation of (only) the server side of the up-down protocol. It is a separate program because the root certificate of an RPKI certificate tree requires special handling and may also require a special handling policy. rootd is a simple implementation intended for test use; it is not suitable for use in a production system. All configuration comes via the config file; see the Configuration Guide for details.

irdbd

irdbd is a sample implementation of the server side of the IRDB callback subset of the left-right protocol. In production use this service is a function of the IRBE stub; irdbd may be suitable for production use in simple cases, but an IR with a complex IRDB may need to extend or rewrite irdbd.

irdbd requires a pre-populated database to represent the IR's customers. irdbd expects this database to use the SQL schema defined in rpkid/irdbd.sql. Once this database has been populated, the IRBE stub needs to create the appropriate objects in rpkid's database via the control subset of the left-right protocol, and store the linkage handles (foreign keys into rpkid's database) in the IRDB. See the Installation Guide and the MySQL setup instructions for details.

smoketest

smoketest is a test harness to set up and run a collection of rpkid and irdbd instances under scripted control.

Unlike the programs described above, smoketest takes two configuration files in different languages. The first configuration file uses the same syntax as the above configuration files but is completely optional. The second configuration file is the test script, which is encoded using the YAML serialization language (see http://www.yaml.org/ for more information on YAML). The YAML script is not optional, as it describes the test layout. smoketest is designed to support running a fairly wide set of test configurations as canned scripts without writing any new control code. The intent is to make it possible to write meaningful regression tests.

See smoketest.conf for what can go into the (optional) first configuration file.

See smoketest.yaml for what goes into the (required) second configuration file.

yamltest

yamltest is another test harness to set up and run a collection of rpkid and irdbd instances under scripted control. It is similar in many ways to smoketest, and in fact uses the same YAML test description language, but its purpose is different: smoketest runs a particular test scenario through a series of changes, then shuts it down; yamltest, on the other hand, sets up a test network using the same tools that a real user would (principally the myrpki tool), and leaves the test running indefinitely.

yamltest grew out of smoketest and the two probably should be merged back into a single tool which supports both kinds of testing.

Further Reading

If you're interested in this package you might also be interested in:

Getting Started

The first step to bringing up rpkid and friends is installing the code, which is described in the Installation Guide.
