RPKI-CLIENT(8)            BSD System Manager's Manual           RPKI-CLIENT(8)

NAME

     rpki-client — RPKI validator to support BGP Origin Validation

SYNOPSIS

     rpki-client [-Bcjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-s timeout] [-T table] [-t tal] [outputdir]

DESCRIPTION

     The rpki-client utility queries the RPKI repository system with rsync(1)
     to fetch all X.509 certificates, manifests, and revocation lists under a
     given Trust Anchor.  rpki-client subsequently validates each Route Origin
     Authorization (ROA) by constructing and verifying a certification path
     for the certificate associated with the ROA (including checking relevant
     CRLs).  rpki-client produces lists of the Validated ROA Payloads (VRPs)
     in various formats.

     The options are as follows:

     -B      Create output in the file bird in the output directory which is
             suitable for the BIRD internet routing daemon.

     -b sourceaddr
             Tell the rsync client to use sourceaddr as the source address for
             connections, which is useful on machines with multiple
             interfaces.

     -c      Create output in the file csv in the output directory as
             comma-separated values of the prefix in slash notation, the
             maximum prefix length, the autonomous system number, and an
             abbreviation for the trust anchor the entry is derived from.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with
             rsync-protocol locations.

     -j      Create output in the file json in the output directory as a JSON
             object.  This format is identical to that produced by the RIPE
             NCC RPKI Validator and NLnet Labs routinator.

     -n      Assume that all requested repositories exist: don't update.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -T table
             For BIRD output generated with the -B option use table as roa
             table name instead of the default 'ROAS'.

     -s timeout
             Terminate after timeout seconds of runtime, because normal
             practice will restart from cron(8).  Disable by specifying 0.
             Defaults to 1 hour.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -v      Specified once, prints information about status.  Twice, prints
             each filename as it's processed.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.

     By default rpki-client produces a list of unique roa-set statements in -o
     (OpenBGPD compatible) output.

     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.

FILES

     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

EXIT STATUS

     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO

     rsync(1), bgpd.conf(5)

STANDARDS

     The following standards are used or referenced in rpki-client:

     RFC 3370
          Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
          X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
          IP Version 6 Addressing Architecture.

     RFC 4631
          Classless Inter-domain Routing (CIDR): The Internet Address
          Assignment and Aggregation Plan.

     RFC 5280
          Internet X.509 Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile.

     RFC 5652
          Cryptographic Message Syntax (CMS).

     RFC 5781
          The rsync URI Scheme.

     RFC 5952
          A Recommendation for IPv6 Address Text Representation.

     RFC 6480
          An Infrastructure to Support Secure Internet Routing.

     RFC 6482
          A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
          The Profile for Algorithms and Key Sizes for Use in the Resource
          Public Key Infrastructure (RPKI).

     RFC 6486
          Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
          A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
          Signed Object Template for the Resource Public Key Infrastructure
          (RPKI).

     RFC 7730
          Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

AUTHORS

     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                           September 15, 2020                           BSD