NAME
     rpki-client - RPKI validator to support BGP Origin Validation
SYNOPSIS
     rpki-client [-Bcjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-s timeout] [-T table] [-t tal] [outputdir]
DESCRIPTION
     The rpki-client utility queries the RPKI repository system with
     openrsync(1) to fetch all X.509 certificates, manifests, and
     revocation lists under a given Trust Anchor.  rpki-client
     subsequently validates each Route Origin Authorization (ROA) by
     constructing and verifying a certification path for the certificate
     associated with the ROA (including checking relevant CRLs).
     rpki-client produces lists of the Validated ROA Payloads (VRPs) in
     various formats.
     The options are as follows:

     -B      Create output in the file bird in the output directory which
             is suitable for the BIRD internet routing daemon.

     -b sourceaddr
             Tell the rsync client to use sourceaddr as the source address
             for connections, which is useful on machines with multiple
             interfaces.

     -c      Create output in the file csv in the output directory as
             comma-separated values of the prefix in slash notation, the
             maximum prefix length, the autonomous system number, and an
             abbreviation for the trust anchor the entry is derived from.

     -d cachedir
             The directory where rpki-client will store the cached
             repository data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of openrsync(1) to fetch repositories.
             It must accept the -rt and --address flags and connect with
             rsync-protocol locations.

     -j      Create output in the file json in the output directory as a
             JSON object.  This format is identical to that produced by
             the RIPE NCC RPKI Validator and NLnet Labs routinator.

     -n      Assume that all requested repositories exist: don't update.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are
             not specified this is the default.

     -T table
             For BIRD output generated with the -B option use table as
             the roa table name instead of the default 'ROAS'.

     -s timeout
             Terminate after timeout seconds of runtime, because normal
             practice will restart from cron(8).  Disable by specifying 0.
             Defaults to 1 hour.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/rpki.

     -v      Specified once, prints information about status.  Twice,
             prints each filename as it's processed.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/db/rpki-client/.
     By default rpki-client produces a list of unique roa-set statements in
     -o (OpenBGPD compatible) output.

     rpki-client should be run hourly by cron(8): use crontab(1) to
     uncomment the entry in root's crontab.
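     As an added example (not part of this manual page or of the
     rpki-client project), the following Python reads VRPs laid out as the
     -c option describes (prefix, maximum length, ASN, trust anchor) and
     applies RFC 6811 route origin validation to a BGP announcement.  The
     header names and the "AS"-prefixed ASN notation are assumptions;
     compare them with the first line of the csv file your installation
     writes.

```python
import csv
import io
import ipaddress

# Constructed sample VRPs in the column order the -c option describes:
# prefix, maximum prefix length, origin ASN, trust anchor abbreviation.
# Header names and the "AS" prefix are assumptions, not rpki-client's own.
SAMPLE_CSV = """\
prefix,maxlen,asn,ta
192.0.2.0/24,24,AS64496,ripe
198.51.100.0/22,24,AS64497,arin
2001:db8::/32,48,AS64496,apnic
"""


def load_vrps(text):
    """Parse csv output into (network, maxlen, asn, ta) tuples."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        asn = row["asn"].strip().upper()
        if asn.startswith("AS"):
            asn = asn[2:]
        vrps.append((ipaddress.ip_network(row["prefix"].strip()),
                     int(row["maxlen"]), int(asn), row["ta"].strip()))
    return vrps


def validate(vrps, prefix, origin_as):
    """RFC 6811 origin validation of one route: Valid, Invalid or NotFound.

    A VRP covers the route when the route lies inside the VRP prefix.  The
    route is Valid if some covering VRP has the same origin AS and the
    route is no more specific than that VRP's maximum length; Invalid if
    covering VRPs exist but none matches; NotFound if nothing covers it.
    """
    route = ipaddress.ip_network(prefix)
    # subnet_of() raises on mixed address families, so filter by version.
    covering = [v for v in vrps
                if v[0].version == route.version and route.subnet_of(v[0])]
    if not covering:
        return "NotFound"
    for _net, maxlen, asn, _ta in covering:
        if asn == origin_as and route.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_CSV)
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("203.0.113.0/24", 64496)]:
        print(pfx, asn, validate(vrps, pfx, asn))
```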
FILES
     /etc/rpki/*.tal             default TAL files used unless -t tal is
                                 specified.
     /var/cache/rpki-client      cached repository data.
     /var/db/rpki-client/openbgpd
                                 default roa-set output file.
EXIT STATUS
     The rpki-client utility exits 0 on success, and >0 if an error occurs.
SEE ALSO
     openrsync(1), bgpd(8)
STANDARDS
     The following standards are used or referenced in rpki-client:

     RFC 3370  Cryptographic Message Syntax (CMS) Algorithms.
     RFC 3779  X.509 Extensions for IP Addresses and AS Identifiers.
     RFC 4291  IP Version 6 Addressing Architecture.
     RFC 4631  Classless Inter-domain Routing (CIDR): The Internet Address
               Assignment and Aggregation Plan.
     RFC 5280  Internet X.509 Public Key Infrastructure Certificate and
               Certificate Revocation List (CRL) Profile.
     RFC 5652  Cryptographic Message Syntax (CMS).
     RFC 5781  The rsync URI Scheme.
     RFC 5952  A Recommendation for IPv6 Address Text Representation.
     RFC 6480  An Infrastructure to Support Secure Internet Routing.
     RFC 6482  A Profile for Route Origin Authorizations (ROAs).
     RFC 6485  The Profile for Algorithms and Key Sizes for Use in the
               Resource Public Key Infrastructure (RPKI).
     RFC 6486  Manifests for the Resource Public Key Infrastructure (RPKI).
     RFC 6487  A Profile for X.509 PKIX Resource Certificates.
     RFC 6488  Signed Object Template for the Resource Public Key
               Infrastructure (RPKI).
     RFC 7730  Resource Public Key Infrastructure (RPKI) Trust Anchor
               Locator.
AUTHORS
     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.