OpenBSD manual page server

Manual Page Search Parameters

RPKI-CLIENT(8) System Manager's Manual RPKI-CLIENT(8)

rpki-clientRPKI validator to support BGP Origin Validation

rpki-client [-Bcjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog] [-s timeout] [-T table] [-t tal] [outputdir]

The rpki-client utility queries the RPKI repository system with openrsync(1) to fetch all X.509 certificates, manifests, and revocation lists under a given Trust Anchor. rpki-client subsequently validates each (ROA) by constructing and verifying a certification path for the certificate associated with the ROA (including checking relevant CRLs). rpki-client produces lists of the (VRPs) in various formats.

The options are as follows:

Create output in the file bird in the output directory which is suitable for the BIRD internet routing daemon.
Tell the rsync client to use sourceaddr as the source address for connections, which is useful on machines with multiple interfaces.
Create output in the file csv in the output directory as comma-separated values of the prefix in slash notation, the maximum prefix length, the autonomous system number, and an abbreviation for the trust anchor the entry is derived from.
The directory where rpki-client will store the cached repository data. Defaults to /var/cache/rpki-client.
Use rsync_prog instead of openrsync(1) to fetch repositories. It must accept the -rt and --address flags and connect with rsync-protocol locations.
Create output in the file json in the output directory as JSON object. This format is identical to that produced by the RIPE NCC RPKI Validator and NLnet Labs routinator.
Assume that all requested repositories exist: don't update.
Create output in the file openbgpd in the output directory as bgpd(8) compatible input. If the -B, -c, and -j options are not specified this is the default.
For BIRD output generated with the -B option use table as roa table name instead of the default 'ROAS'.
Terminate after timeout seconds of runtime, because normal practice will restart from cron(8). Disable by specifying 0. Defaults to 1 hour.
Specify a Trust Anchor Location (TAL) file to be used. This option can be used multiple times to load multiple TALs. By default rpki-client will load all TAL files in /etc/rpki.
Specified once, prints information about status. Twice, prints each filename as it's processed.
The directory where rpki-client will write the output files. Defaults to /var/db/rpki-client/.

By default rpki-client produces a list of unique roa-set statements in -o (OpenBGPD compatible) output.

rpki-client should be run hourly by cron(8): use crontab(1) to uncomment the entry in root's crontab.

default TAL files used unless -t tal is specified.
cached repository data.
default roa-set output file.

The rpki-client utility exits 0 on success, and >0 if an error occurs.

openrsync(1), bgpd.conf(5)

The following standards are used or referenced in rpki-client:

RFC 3370
Cryptographic Message Syntax (CMS) Algorithms.
RFC 3779
X.509 Extensions for IP Addresses and AS Identifiers.
RFC 4291
IP Version 6 Addressing Architecture.
RFC 4631
Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan.
RFC 5280
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
RFC 5652
Cryptographic Message Syntax (CMS).
RFC 5781
The rsync URI Scheme.
RFC 5952
A Recommendation for IPv6 Address Text Representation.
RFC 6480
An Infrastructure to Support Secure Internet Routing.
RFC 6482
A Profile for Route Origin Authorizations (ROAs).
RFC 6485
The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
RFC 6486
Manifests for the Resource Public Key Infrastructure (RPKI).
RFC 6487
A Profile for X.509 PKIX Resource Certificates.
RFC 6488
Signed Object Template for the Resource Public Key Infrastructure (RPKI).
RFC 7730
Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

The rpki-client utility was written by Kristaps Dzonsons <‍>.

September 15, 2020 OpenBSD-current