RPKI validator to support BGP Origin
rpki-client utility queries the RPKI
repository system with a built-in HTTP client and
openrsync(1) to fetch all X.509 certificates, manifests, and
revocation lists under a given Trust Anchor.
rpki-client subsequently validates each
Signed Object by constructing and verifying a
certification path for the certificate associated with the Object (including
checking relevant CRLs).
rpki-client produces lists
ROA Payloads (VRPs) and
Keys (BRKs) in various formats.
The options are as follows:
- Create output in the files bird1v4, bird1v6, and bird (for bird2) in the output directory which is suitable for the BIRD internet routing daemon.
- Tell the HTTP and rsync clients to use sourceaddr as the source address for connections, which is useful on machines with multiple interfaces.
- Create output in the file csv in the output directory as comma-separated values of the Autonomous System, the prefix in slash notation, the maximum prefix length, an abbreviation for the Trust Anchor the entry is derived from, and the moment the VRP will expire derived from the chain of X.509 certificates and CRLs in seconds since the Epoch, UTC.
- The directory where
rpki-clientwill store the cached repository data. Defaults to /var/cache/rpki-client.
- Use rsync_prog instead of
openrsync(1) to fetch repositories. It must accept the
--addressflags and connect with rsync-protocol locations.
- Decode the
validate the Signed Object in file
against the RPKI cache stored in cachedir and print
human-readable information about the object. If file
is an rsync:// URI, the corresponding file from the cache will be used.
This option implies
-n, and can be combined with
-jto emit a stream of Concatenated JSON.
- Create output in the file json in the output
directory as JSON object. See
-cfor a description of the fields.
- Offline mode. Validate the contents of cachedir and write to outputdir without synchronizing via RRDP or RSYNC.
- Create output in the file openbgpd in the output
directory as bgpd(8) compatible input. If the
-joptions are not specified this is the default.
- Synchronize via RSYNC only.
- Synchronize via RRDP. If RRDP fails, RSYNC will be used. This is the
default. Mutually exclusive with
- Do not connect to hosts listed in the skiplist file.
Entries in the skiplist are newline separated
Qualified Domain Names (FQDNs). A
#’ indicates the beginning of a comment; characters up to the end of the line are not interpreted. The skip filter is enforced during processing of the Subject Information Access (SIA) extension in CA certificates, thus applies to both RSYNC and RRDP connections. By default load entries from /etc/rpki/skiplist.
- Terminate after timeout seconds of runtime, because normal practice will restart from cron(8). Disable by specifying 0. Defaults to 1 hour. Individual RSYNC/RRDP repositories are timed out after one fourth of timeout. All network synchronisation tasks are aborted after seven eights of timeout.
- For BIRD output generated with the
-Boption use table as roa table name instead of the default 'ROAS'.
- Specify a Trust Anchor Location (TAL) file to be used.
This option can be used multiple times to load multiple TALs. By default
rpki-clientwill load all TAL files in /etc/rpki.
- Show the version and exit.
- Increase verbosity. Specify once for synchronisation status, twice to
print the name of each file as it's processed. If
-fis given, specify once to print more information about the encapsulated X.509 certificate, twice to print the certificate in PEM format.
- The directory where
rpki-clientwill write the output files. Defaults to /var/db/rpki-client/.
rpki-client produces a list of
roa-set statements in
-o (OpenBGPD compatible) output.
rpki-client should be run hourly by
crontab(1) to uncomment the entry in root's crontab.
rpki-client utilizes the following
- URL of HTTP proxy to use.
- default TAL files used unless
-ttal is specified.
- default skiplist file, unless
-Sskiplist is specified.
- cached repository data.
- default roa-set output file.
rpki-client utility exits 0 on
success, and >0 if an error occurs.
The following standards are used or referenced in
- RFC 3370
- Cryptographic Message Syntax (CMS) Algorithms.
- RFC 3779
- X.509 Extensions for IP Addresses and AS Identifiers.
- RFC 4291
- IP Version 6 Addressing Architecture.
- RFC 4631
- Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan.
- RFC 5280
- Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
- RFC 5652
- Cryptographic Message Syntax (CMS).
- RFC 5781
- The rsync URI Scheme.
- RFC 5952
- A Recommendation for IPv6 Address Text Representation.
- RFC 6480
- An Infrastructure to Support Secure Internet Routing.
- RFC 6482
- A Profile for Route Origin Authorizations (ROAs).
- RFC 6485
- The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
- RFC 6486
- Manifests for the Resource Public Key Infrastructure (RPKI).
- RFC 6487
- A Profile for X.509 PKIX Resource Certificates.
- RFC 6488
- Signed Object Template for the Resource Public Key Infrastructure (RPKI).
- RFC 6493
- The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.
- RFC 7318
- Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates.
- RFC 8182
- The RPKI Repository Delta Protocol (RRDP).
- RFC 8209
- A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests.
- RFC 8630
- Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
- A profile for Resource Public Key Infrastructure (RPKI) Signed Checklists (RSC).
- A Profile for Autonomous System Provider Authorization (ASPA).
rpki-client first appeared in
rpki-client utility was written by