rpki-client — RPKI
validator to support BGP Origin Validation
rpki-client utility queries the RPKI
repository system with a built-in HTTP client and
openrsync(1) to fetch all X.509
certificates, manifests, and revocation lists under a given
subsequently validates each Signed Object by constructing
and verifying a certification path for the certificate associated with the
Object (including checking relevant CRLs).
rpki-client produces lists of the
ROA Payloads (VRPs) and
Keys (BRKs) in various formats.
The options are as follows:
- Create output in the files bird1v4,
bird1v6, and bird (for
bird2) in the output directory which is suitable for the BIRD internet
- Tell the HTTP and rsync clients to use sourceaddr as
the source address for connections, which is useful on machines with
- Create output in the file csv in the output
directory as comma-separated values of the
System, the prefix in slash notation, the maximum prefix length,
an abbreviation for the Trust Anchor the entry is
derived from, and the moment the VRP will expire derived from the chain of
X.509 certificates and CRLs in seconds since the Epoch, UTC.
- The directory where
rpki-client will store the
cached repository data. Defaults to
- Use rsync_prog instead of
openrsync(1) to fetch repositories.
It must accept the
--address flags and connect with rsync-protocol
- Decode the
validate the Signed Object in file
against the RPKI cache stored in cachedir and print
human-readable information about the object. If file
is an rsync:// URI, the corresponding file from the cache will be used.
This option implies
-n, and can be combined with
-j to emit a stream of
- Create output in the file json in the output
directory as JSON object. See
-c for a description
of the fields.
- Offline mode. Validate the contents of cachedir and
write to outputdir without synchronizing via RRDP or
- Create output in the file openbgpd in the output
directory as bgpd(8) compatible input. If
-j options are not specified this is the
- Synchronize via RSYNC only.
- Synchronize via RRDP. If RRDP fails, RSYNC will be used. This is the
default. Mutually exclusive with
- Do not connect to hosts listed in the skiplist file.
Entries in the skiplist are newline separated
Qualified Domain Names (FQDNs). A
#’ indicates the beginning of a
comment; characters up to the end of the line are not interpreted. The
skip filter is enforced during processing of the
Information Access (SIA) extension in CA certificates, thus
applies to both RSYNC and RRDP connections. By default load entries from
- Terminate after timeout seconds of runtime, because
normal practice will restart from
cron(8). Disable by specifying 0.
Defaults to 1 hour. Individual Publication Points are timed out after one
- For BIRD output generated with the
-B option use
table as roa table name instead of the default
- Specify a Trust Anchor Location (TAL) file to be used.
This option can be used multiple times to load multiple TALs. By default
rpki-client will load all TAL files in
- Show the version and exit.
- Specified once, prints information about status. Twice, prints each
filename as it's processed.
- The directory where
rpki-client will write the
output files. Defaults to
rpki-client produces a list of
roa-set statements in
-o (OpenBGPD compatible) output.
rpki-client should be run hourly by
crontab(1) to uncomment the entry in
rpki-client utilizes the following
- URL of HTTP proxy to use.
- default TAL files used unless
tal is specified.
- default skiplist file, unless
skiplist is specified.
- cached repository data.
- default roa-set output file.
rpki-client utility exits 0 on
success, and >0 if an error occurs.
The following standards are used or referenced in
- RFC 3370
- Cryptographic Message Syntax (CMS) Algorithms.
- RFC 3779
- X.509 Extensions for IP Addresses and AS Identifiers.
- RFC 4291
- IP Version 6 Addressing Architecture.
- RFC 4631
- Classless Inter-domain Routing (CIDR): The Internet Address Assignment and
- RFC 5280
- Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile.
- RFC 5652
- Cryptographic Message Syntax (CMS).
- RFC 5781
- The rsync URI Scheme.
- RFC 5952
- A Recommendation for IPv6 Address Text Representation.
- RFC 6480
- An Infrastructure to Support Secure Internet Routing.
- RFC 6482
- A Profile for Route Origin Authorizations (ROAs).
- RFC 6485
- The Profile for Algorithms and Key Sizes for Use in the Resource Public
Key Infrastructure (RPKI).
- RFC 6486
- Manifests for the Resource Public Key Infrastructure (RPKI).
- RFC 6487
- A Profile for X.509 PKIX Resource Certificates.
- RFC 6488
- Signed Object Template for the Resource Public Key Infrastructure
- RFC 6493
- The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.
- RFC 7318
- Policy Qualifiers in Resource Public Key Infrastructure (RPKI)
- RFC 8182
- The RPKI Repository Delta Protocol (RRDP).
- RFC 8209
- A Profile for BGPsec Router Certificates, Certificate Revocation Lists,
and Certification Requests.
- RFC 8630
- Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
- A profile for Resource Public Key Infrastructure (RPKI) Signed Checklists
rpki-client first appeared in
rpki-client utility was written by