rpki-client — RPKI validator to support BGP Origin Validation
The rpki-client utility queries the RPKI
repository system with a built-in HTTP client and
openrsync(1) to fetch all X.509
certificates, manifests, and revocation lists under a given
subsequently validates each
Authorization (ROA) by constructing and verifying a certification
path for the certificate associated with the ROA (including checking
rpki-client produces lists of the
ROA Payloads (VRPs) in various formats.
The options are as follows:
- Create output in the files bird1v4,
bird1v6, and bird (for
bird2) in the output directory which is suitable for the BIRD internet
- Tell the HTTP and rsync clients to use sourceaddr as
the source address for connections, which is useful on machines with
- Create output in the file csv in the output
directory as comma-separated values of the prefix in slash notation, the
maximum prefix length, the autonomous system number, and an abbreviation
for the trust anchor the entry is derived from.
- The directory where
rpki-client will store the
cached repository data. Defaults to
- Use rsync_prog instead of
openrsync(1) to fetch repositories.
It must accept the
--address flags and connect with rsync-protocol
- Create output in the file json in the output
directory as JSON object. This format is similar to that produced by other
- Offline mode. Validate the contents of cachedir
without synchronizing via RRDP or RSYNC.
- Create output in the file openbgpd in the output
directory as bgpd(8) compatible input. If
-j options are not specified this is the
- Do not synchronize via RRDP. This is the default.
- Attempt to synchronize via RRDP. If RRDP fails, RSYNC will be used. This
flag is for testing purposes and will be removed in a future release.
Mutually exclusive with
- Terminate after timeout seconds of runtime, because
normal practice will restart from
cron(8). Disable by specifying 0.
Defaults to 1 hour.
- For BIRD output generated with the
-B option use
table as roa table name instead of the default
- Specify a Trust Anchor Location (TAL) file to be used.
This option can be used multiple times to load multiple TALs. By default
rpki-client will load all TAL files in
- Show the version and exit.
- Specified once, prints information about status. Twice, prints each
filename as it's processed.
- The directory where
rpki-client will write the
output files. Defaults to
rpki-client produces a list of
roa-set statements in
-o (OpenBGPD compatible) output.
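The csv output described above carries one VRP per row: prefix, maximum length, origin ASN and trust anchor abbreviation. The following added example (my code, not part of rpki-client or this manual) parses such rows and classifies a BGP announcement as valid, invalid or notfound under the RFC 6811 origin-validation rules, which is what a router consuming these VRPs does. It assumes the column order given in the description and uses constructed sample rows.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the column order the manual lists for csv
# output (prefix, maximum length, ASN, trust anchor abbreviation). That
# order is an assumption: check the header line of a real csv file first.
SAMPLE_CSV = """\
192.0.2.0/24,24,64496,ta-a
2001:db8::/32,48,64496,ta-a
198.51.100.0/22,24,64497,ta-b
"""


def load_vrps(text):
    """Parse csv rows into (network, maxlen, asn, ta) tuples, rejecting a
    row whose maximum length is outside [prefix length, address length]."""
    vrps = []
    for row in csv.reader(io.StringIO(text)):
        if not row or "/" not in row[0]:
            continue  # skip blank lines and a header row
        prefix, maxlen, asn, ta = (field.strip() for field in row[:4])
        net = ipaddress.ip_network(prefix, strict=True)
        maxlen = int(maxlen)
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad maximum length {maxlen} for {prefix}")
        asn = int(asn[2:] if asn.upper().startswith("AS") else asn)
        vrps.append((net, maxlen, asn, ta))
    return vrps


def origin_validate(vrps, announced, origin_as):
    """Classify one route: 'valid' if some VRP covers it with the same
    origin AS and a permitted length, 'invalid' if VRPs cover the prefix
    but none matches, 'notfound' if no VRP covers the prefix at all."""
    route = ipaddress.ip_network(announced, strict=True)
    covered = False
    for net, maxlen, asn, _ta in vrps:
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if asn == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "notfound"


if __name__ == "__main__":
    table = load_vrps(SAMPLE_CSV)
    for route, asn in (("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("203.0.113.0/24", 64496)):
        print(route, asn, origin_validate(table, route, asn))
```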
rpki-client should be run hourly by
crontab(1) to uncomment the entry in
- default TAL files used unless
tal is specified.
- cached repository data.
- default roa-set output file.
The rpki-client utility exits 0 on
success, and >0 if an error occurs.
The following standards are used or referenced in
- RFC 3370: Cryptographic Message Syntax (CMS) Algorithms.
- RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers.
- RFC 4291: IP Version 6 Addressing Architecture.
- RFC 4631: Classless Inter-domain Routing (CIDR): The Internet Address Assignment and
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
- RFC 5652: Cryptographic Message Syntax (CMS).
- RFC 5781: The rsync URI Scheme.
- RFC 5952: A Recommendation for IPv6 Address Text Representation.
- RFC 6480: An Infrastructure to Support Secure Internet Routing.
- RFC 6482: A Profile for Route Origin Authorizations (ROAs).
- RFC 6485: The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
- RFC 6486: Manifests for the Resource Public Key Infrastructure (RPKI).
- RFC 6487: A Profile for X.509 PKIX Resource Certificates.
- RFC 6488: Signed Object Template for the Resource Public Key Infrastructure
- RFC 6493: The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.
- RFC 7730: Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
- RFC 8182: The RPKI Repository Delta Protocol (RRDP).
The rpki-client utility was written by