rpki-client — RPKI validation for bgpd Route Origin Validation
The rpki-client utility produces all route announcements starting with trust anchor locators. It uses openrsync(1) to fetch certificates, manifests, revocation lists, and the route announcements themselves.
The options are as follows:
- Format the output suitable for the BIRD internet routing daemon.
- Tell the rsync client to use the specified bind_addr as the source address for connections.
- Format the output as comma-separated values of the prefix in slash notation, the maximum prefix length, the autonomous system number, and an abbreviation for the trust anchor the entry is derived from.
- Use rsync_prog instead of openrsync(1) to fetch repositories. It must accept the flags and connect with rsync-protocol locations.
- Accept out-of-date manifests. This will still report if a manifest has
- Format the output as a JSON object. This format is identical to that produced by the RIPE NCC RPKI Validator and NLnet Labs routinator.
- Assume that all requested repositories exist: don't update.
- Don't parse certificate revocation files. This additional step can take a
- For BIRD output, use table as the roa table name instead of the default 'roa'.
- Specify a trust anchor locator (TAL) file to be used. This option can be used multiple times to load multiple TALs. By default rpki-client will load all TAL files in
- Specified once, prints information about status. Twice, prints each filename as it's processed.
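The CSV output described above is the simplest form in which a downstream consumer receives the validated ROA payloads (VRPs), and the question a router or a checking tool then has to answer is the one from RFC 6811: for an announced prefix and origin AS, is the route Valid, Invalid, or NotFound? The following is an added example, not rpki-client's own code, of parsing that CSV into VRPs and evaluating announcements against them. It assumes the column order stated in the option description (prefix/len, max length, ASN, trust-anchor tag); the sample lines are constructed, not captured output, and the real tool may add a header line or order columns differently, so the COLUMNS constant is the one place to adjust.

```python
"""Route Origin Validation (RFC 6811) over rpki-client CSV output.

Added example; this is not rpki-client code. It assumes the column order
stated in the option description: prefix/len, max length, ASN, trust-anchor
tag. The real tool may emit a header line or order columns differently.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
COLUMNS = ("prefix", "maxlen", "asn", "ta")  # assumed column order

# Constructed sample in that order; not output captured from rpki-client.
SAMPLE_CSV = """\
# prefix,maxlen,asn,ta
192.0.2.0/24,24,64496,ripe
198.51.100.0/22,24,AS64497,arin
2001:db8::/32,48,64496,ripe
203.0.113.0/24,24,0,apnic
"""


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: prefix, max length, origin AS, trust anchor."""
    prefix: Network
    maxlen: int
    asn: int
    ta: str


def parse_asn(field: str) -> int:
    """Accept either '64496' or 'AS64496'; reject anything outside 32-bit range."""
    text = field.strip().upper()
    if text.startswith("AS"):
        text = text[2:]
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {field!r}")
    return asn


def load_vrps(text: str) -> List[VRP]:
    """Parse CSV lines into VRPs.

    Malformed input raises rather than being dropped: a silently shrunken VRP
    set changes validation results (a route can flip from Invalid to NotFound).
    """
    vrps: List[VRP] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split(",")]
        if len(parts) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} fields")
        fields = dict(zip(COLUMNS, parts))
        prefix = ipaddress.ip_network(fields["prefix"], strict=True)
        maxlen = int(fields["maxlen"])
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"line {lineno}: maxlen {maxlen} invalid for {prefix}")
        vrps.append(VRP(prefix, maxlen, parse_asn(fields["asn"]), fields["ta"]))
    return vrps


def validate(vrps: List[VRP], announced: str, origin_as: int) -> str:
    """RFC 6811 route origin validation state for one announcement."""
    route = ipaddress.ip_network(announced, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    # Any single matching VRP (same origin AS, length within maxlen) suffices.
    if any(v.asn == origin_as and route.prefixlen <= v.maxlen for v in covering):
        return "Valid"
    # Covered but unmatched; this includes AS0 ROAs, which authorise no origin.
    return "Invalid"


if __name__ == "__main__":
    table = load_vrps(SAMPLE_CSV)
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64500),
                        ("100.64.0.0/10", 64496), ("2001:db8:1::/48", 64496)]:
        print(f"{prefix:>20} AS{asn}: {validate(table, prefix, asn)}")
```

Two behaviours worth noticing: a more specific announcement beyond the ROA's maximum length is Invalid even from the authorised origin (that is what maxlen is for), and an AS0 ROA makes every announcement of the covered prefix Invalid, since no real origin can equal 0.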
- The file
rpki-client will write the
rpki-client produces a list of
roa-set statements as specified by
- default TAL files used unless
tal is specified.
The rpki-client utility exits 0 on success, and >0 if an error occurs.
The following standards are used or referenced in
- RFC 3370, Cryptographic Message Syntax (CMS) Algorithms.
- RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers.
- RFC 4291, IP Version 6 Addressing Architecture.
- RFC 4632, Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan.
- RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
- RFC 5652, Cryptographic Message Syntax (CMS).
- RFC 5781, The rsync URI Scheme.
- RFC 5952, A Recommendation for IPv6 Address Text Representation.
- RFC 6480, An Infrastructure to Support Secure Internet Routing.
- RFC 6482, A Profile for Route Origin Authorizations (ROAs).
- RFC 6485, The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
- RFC 6486, Manifests for the Resource Public Key Infrastructure (RPKI).
- RFC 6487, A Profile for X.509 PKIX Resource Certificates.
- RFC 6488, Signed Object Template for the Resource Public Key Infrastructure (RPKI).
- RFC 7730, Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
The rpki-client utility was written by