Maathuran's Blog
Installing Krill to create RPKI.


Introduction

Create a new LXC in Proxmox; you can use the Helper Script below to make it easier.

bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/debian.sh)"

Install Krill

After creating the LXC, run the following to add the Krill packages.

Refresh the package lists on the LXC:

sudo apt update

Install the prerequisites:

sudo apt install \
  ca-certificates \
  curl \
  gnupg \
  lsb-release

Add the GPG key from NLnet Labs:

curl -fsSL https://packages.nlnetlabs.nl/aptkey.asc | sudo gpg --dearmor -o /usr/share/keyrings/nlnetlabs-archive-keyring.gpg

Add the main repository with the following:

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/debian \
$(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/nlnetlabs.list > /dev/null

Finally, install Krill:

sudo apt update
sudo apt install krill

After it is installed, use nano to open the config file to get the admin_token and, if needed, change the service_url:

nano /etc/krill.conf

After recording the admin_token, start Krill as a service with sudo systemctl enable --now krill.

Install Caddy

Run the following in the LXC to add and install Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

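First, stop the background Caddy instance with caddy stop, then launch the internal reverse proxy with the command below. The --insecure flag makes Caddy skip certificate verification for the self-signed certificate Krill presents on localhost:3000, and because the proxy listens on :80 the web UI is served over plain HTTP, so the admin_token travels unencrypted between the browser and the LXC; keep this listener on a trusted management network.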

caddy reverse-proxy \
    --from :80 \
    --to https://localhost:3000 \
    --internal-certs \
    --insecure

After starting, you should be able to visit the Krill web GUI at the LXC's IPv4 address.

For the CA Handle, you can call it anything; I will be using as-name from RIPE.

You will need to add RIPE's Repository to publish the ROAs and the Parent to import the IPv6/ASN.

RIPE setup

We will need to configure RIPE to delegate the RPKI to Krill. On the right side, click RPKI, then click the Delegated radio button.

Choose "I accept. Create my Certificate Authority".

Krill Adding a Parent

Under Krill, go over to the Parents tab, then click on "Add an additional parent".

Download the Child Request to upload to RIPEDB.

On RIPE, click Choose File and select the child_request.xml, then click Upload.

After the file is uploaded, click on "Download this server's identity XML file (used to configure your local Certificate Authority)" to download the parent XML to upload to Krill.

For the Parent Name, you can put RIPE, then click on Confirm.

You will see your ASN under resources.

Krill Adding a Repository

Under Krill, go to Repository and click on "Add a repository".

Download the Publisher's Request.

In RIPE, click on "+ Provision new repository".

Upload the publisher request XML from Krill, then click on Upload.

Download the Repository Response XML from RIPE and upload it to Krill.

Upload the Repository Response, then click on Confirm.

You will see your RIPE Repository.

Creating ROA

Under the ROAs tab of Krill, click on Add ROA.

Fill out ASN, Prefix, Max Length, and Comment, then click on Confirm.

You will see the new ROA added; it will push to RIPE when the next sync happens.
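
To preview what the ASN, Prefix and Max Length values of a ROA will authorise before clicking Confirm, the following added example (not part of the original post and not Krill code) applies the RFC 6811 origin-validation rules to constructed ROAs. The prefix 2001:db8::/32 and the AS numbers 64496 and 64511 are documentation placeholders, and the names ROA, check_roa and validate are made up for this example.

```python
# Added example: RFC 6811 route origin validation applied to constructed ROAs.
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    asn: int          # "ASN" field of the ROA form
    prefix: str       # "Prefix" field
    max_length: int   # "Max Length" field


def check_roa(roa):
    """Return the ROA prefix as a network; reject an out-of-range Max Length."""
    net = ipaddress.ip_network(roa.prefix, strict=True)
    if not net.prefixlen <= roa.max_length <= net.max_prefixlen:
        raise ValueError(f"Max Length {roa.max_length} is invalid for {roa.prefix}")
    return net


def validate(route_prefix, origin_asn, roas):
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        net = check_roa(roa)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # A match needs the same origin AS and a prefix no longer than Max Length.
        if roa.asn == origin_asn and roa.asn != 0 and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matched by none: validators mark the route invalid.
    return "invalid" if covered else "not-found"


# Constructed sample data: documentation prefix and documentation AS numbers.
TIGHT = [ROA(64496, "2001:db8::/32", 32)]
LOOSE = [ROA(64496, "2001:db8::/32", 48)]

if __name__ == "__main__":
    for name, roas in (("tight", TIGHT), ("loose", LOOSE)):
        for prefix, asn in (("2001:db8::/32", 64496), ("2001:db8:1::/48", 64496),
                            ("2001:db8::/32", 64511), ("2001:db9::/32", 64496)):
            print(f"{name:5} {prefix:18} AS{asn}: {validate(prefix, asn, roas)}")
```

With Max Length equal to the prefix length, only the exact prefix validates; RFC 9319 recommends keeping it that tight unless the more-specific prefixes are actually announced.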