rpki-client — RPKI validator to support BGP Origin Validation
The rpki-client utility queries the RPKI repository system with
openrsync(1) to fetch all X.509 certificates, manifests, and revocation
lists under a given trust anchor and subsequently validates each Route
Origin Authorization (ROA) by constructing and verifying a certification
path for the certificate associated with the ROA (including revocation
checks). rpki-client produces lists of the Validated ROA Payloads (VRPs)
in various formats.
The options are as follows:
- Create output in the file bird in the output
directory which is suitable for the BIRD internet routing daemon.
- Tell the rsync client to use sourceaddr as the
source address for connections, which is useful on machines with multiple
- Create output in the file csv in the output
directory as comma-separated values of the prefix in slash notation, the
maximum prefix length, the autonomous system number, and an abbreviation
for the trust anchor the entry is derived from.
- The directory where
rpki-client will store the
cached repository data. Defaults to
- Use rsync_prog instead of
openrsync(1) to fetch
repositories. It must accept the
--address flags and connect with rsync-protocol
- Create output in the file json in the output
directory as a JSON object. This format is identical to that produced by the
RIPE NCC RPKI Validator and NLnet Labs Routinator.
- Assume that all requested repositories exist: don't update.
- Create output in the file openbgpd in the output
directory as bgpd(8)
compatible input. If the
-j options are not
specified this is the default.
- For BIRD output generated with the
-B option use
table as roa table name instead of the default
- Terminate after timeout seconds of runtime, because
normal practice will restart from
cron(8). Disable by
specifying 0. Defaults to 1 hour.
- Specify a Trust Anchor Locator (TAL) file to be used.
This option can be used multiple times to load multiple TALs. By default
rpki-client will load all TAL files in
- Specified once, prints information about status. Twice, prints each
filename as it's processed.
- The directory where
rpki-client will write the
output files. Defaults to
rpki-client produces a list of
roa-set statements in
-o (OpenBGPD compatible) output.
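As an added example (not part of the rpki-client sources), a small Python reader for the csv output described above, using the column order the page gives (prefix, maximum length, ASN, trust anchor abbreviation), followed by RFC 6811 origin validation of a route against the resulting VRPs. The sample rows, the trust anchor abbreviations and the header-skip check are constructed for this example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Union

# Constructed sample in the column order the man page describes for the
# csv output: prefix, maximum prefix length, origin ASN, trust anchor.
# These are documentation prefixes and private ASNs, not real VRP data.
SAMPLE_CSV = """\
192.0.2.0/24,24,64496,ripe
198.51.100.0/22,24,64497,arin
198.51.100.0/22,22,0,arin
2001:db8::/32,48,64496,apnic
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    prefix: Network
    maxlen: int
    asn: int
    ta: str


def parse_vrps(text: str) -> list:
    """Parse csv-format VRP lines into VRP records."""
    vrps = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4 or not row[0][0].isdigit():
            continue  # skip blank lines and an assumed header line
        prefix = ipaddress.ip_network(row[0].strip(), strict=True)
        vrps.append(VRP(prefix, int(row[1]), int(row[2]), row[3].strip()))
    return vrps


def validate_route(vrps: list, prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=True)
    # A VRP covers the route when its prefix contains the route prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version
                and route.subnet_of(v.prefix)]
    if not covering:
        return "notfound"
    # Valid only if a covering VRP has the same origin AS and the route is
    # no more specific than that VRP's maximum length; AS 0 VRPs never match.
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.maxlen:
            return "valid"
    return "invalid"
```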
rpki-client should be run hourly by cron(8); use
crontab(1) to uncomment the
entry in root's crontab.
- default TAL files used unless
tal is specified.
- cached repository data.
- default roa-set output file.
The rpki-client utility exits 0 on
success, and >0 if an error occurs.
The following standards are used or referenced in rpki-client:
- RFC 3370: Cryptographic Message Syntax (CMS) Algorithms.
- RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers.
- RFC 4291: IP Version 6 Addressing Architecture.
- RFC 4631: Classless Inter-domain Routing (CIDR): The Internet Address Assignment and
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
- RFC 5652: Cryptographic Message Syntax (CMS).
- RFC 5781: The rsync URI Scheme.
- RFC 5952: A Recommendation for IPv6 Address Text Representation.
- RFC 6480: An Infrastructure to Support Secure Internet Routing.
- RFC 6482: A Profile for Route Origin Authorizations (ROAs).
- RFC 6485: The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
- RFC 6486: Manifests for the Resource Public Key Infrastructure (RPKI).
- RFC 6487: A Profile for X.509 PKIX Resource Certificates.
- RFC 6488: Signed Object Template for the Resource Public Key Infrastructure
- RFC 7730: Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
The rpki-client utility was written by