RPKI-CLIENT(8)            BSD System Manager's Manual           RPKI-CLIENT(8)

NAME

     rpki-client — RPKI validator to support BGP routing security

SYNOPSIS

     rpki-client [-ABcjmnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-H fqdn] [-S skiplist] [-s timeout] [-T table] [-t tal]
                 [outputdir]
     rpki-client [-Vv] [-d cachedir] [-j] [-t tal] -f file ...

DESCRIPTION

     The rpki-client utility queries the RPKI repository system with a built-
     in HTTPS client and rsync(1) to fetch all X.509 certificates, manifests,
     and revocation lists under a given Trust Anchor.  rpki-client subse‐
     quently validates each Signed Object by constructing and verifying a cer‐
     tification path for the certificate associated with the Object (including
     checking relevant CRLs).  rpki-client produces lists of the Validated ROA
     Payloads (VRPs), BGPsec Router Keys (BRKs), and Validated ASPA Payloads
     (VAPs) in various formats.

     The options are as follows:

     -A      Exclude the ASPA-set from the output files that support it (JSON
             and OpenBGPD).

     -B      Create output in the files bird1v4, bird1v6, and bird (for bird2)
             in the output directory which is suitable for the BIRD internet
             routing daemon.

     -b sourceaddr
             Tell the HTTP and rsync clients to use sourceaddr as the source
             address for connections, which is useful on machines with multi‐
             ple interfaces.

     -c      Create output in the file csv in the output directory as comma-
             separated values of the Autonomous System, the prefix in slash
             notation, the maximum prefix length, an abbreviation for the
             Trust Anchor the entry is derived from, and the moment the VRP
             will expire derived from the chain of X.509 certificates and CRLs
             in seconds since the Epoch, UTC.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with rsync-
             protocol locations.

     -f file ...
             Decode the TAL or validate the Signed Object in file against the
             RPKI cache stored in cachedir and print human-readable informa‐
             tion about the object.  If file is an rsync:// URI, the corre‐
             sponding file from the cache will be used.  This option implies
             -n, and can be combined with -j to emit a stream of Concatenated
             JSON.

     -H fqdn
             Create a shortlist and add fqdn to the shortlist.  rpki-client
             only connects to shortlisted hosts.  The shortlist filter is en‐
             forced during processing of the Subject Information Access (SIA)
             extension in CA certificates, thus applies to both RSYNC and RRDP
             connections.  This option can be used multiple times.

     -j      Create output in the file json in the output directory as a JSON
             object.  See -c for a description of the fields.

     -m      Create output in the file metrics in the output directory in
             OpenMetrics format.

     -n      Offline mode.  Validate the contents of cachedir and write to
             outputdir without synchronizing via RRDP or RSYNC.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified, this is the default.

     -P posix-seconds
             Specify the time for the evaluation in posix-seconds seconds from
             the unix epoch.  This overrides the default of using the current
             system time.

     -R      Synchronize via RSYNC only.

     -r      Synchronize via RRDP.  If RRDP fails, RSYNC will be used.  This
             is the default.  Mutually exclusive with -n.

     -S skiplist
             Do not connect to hosts listed in the skiplist file.  Entries in
             the skiplist are newline-separated Fully Qualified Domain Names
             (FQDNs).  A ‘#’ indicates the beginning of a comment; characters
             up to the end of the line are not interpreted.  The skip filter
             is enforced during processing of the Subject Information Access
             (SIA) extension in CA certificates, thus applies to both RSYNC
             and RRDP connections.  By default load entries from
             /etc/pki/tals/skiplist.

     -s timeout
             Terminate after timeout seconds of runtime, because normal prac‐
             tice will restart from cron(8).  Disable by specifying 0.  De‐
             faults to 1 hour.  Individual RSYNC/RRDP repositories are timed
             out after one fourth of timeout.  All network synchronisation
             tasks are aborted after seven eighths of timeout.

     -T table
             For BIRD output generated with the -B option use table as roa ta‐
             ble name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This op‐
             tion can be used multiple times to load multiple TALs.  By de‐
             fault rpki-client will load all TAL files in /etc/pki/tals.  TALs
             are small files containing a public key and URL endpoint address.

     -V      Show the version and exit.

     -v      Increase verbosity.  Specify once for synchronisation status,
             twice to print the name of each file as it's processed.  If -f is
             given, specify once to print more information about the encapsu‐
             lated X.509 certificate, twice to print the certificate in PEM
             format.

     outputdir
             The directory where rpki-client will write the output files.  De‐
             faults to /var/lib/rpki-client.

     By default rpki-client outputs validated payloads in -joBcm (JSON, Open‐
     BGPD, BIRD, CSV and OpenMetrics) formats.
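
     The CSV layout described under -c lends itself to a simple post-processing
     check: because rpki-client is re-run hourly, a VRP whose expiry falls
     before the next run can drop out of the router's ROA table if the CA does
     not reissue in time.  The following Python is an added example and not part
     of rpki-client; the header row, the "AS" prefix on the ASN column, and the
     sample rows (RFC 5398 ASNs and documentation prefixes) are constructed here,
     not taken from this manual.  The last sample row is deliberately malformed
     to show the consistency check.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout the -c option describes: Autonomous
# System, prefix in slash notation, maximum prefix length, Trust Anchor
# abbreviation, and expiry in seconds since the Epoch (UTC).  The header
# row and the "AS" prefix on the ASN are assumptions about the real file,
# not taken from the manual page.  The last row is deliberately malformed.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64496,192.0.2.0/24,24,ripe,1690000000
AS64497,198.51.100.0/24,26,apnic,1690003600
AS64498,2001:db8::/32,48,ripe,1700000000
AS64499,203.0.113.0/24,20,lacnic,1690003600
"""


def parse_vrp_csv(text):
    """Parse -c style CSV into a list of VRP dicts.

    Returns (vrps, rejected).  A row whose fields do not parse, or whose
    maximum length is not within [prefix length, address width] (the
    RFC 6482 constraint on maxLength), goes to `rejected` with a reason;
    a consumer must never install such a row as a valid VRP.
    """
    vrps, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip().upper() == "ASN":
            continue  # blank line or assumed header row
        try:
            asn_s, prefix_s, maxlen_s, ta, expires_s = (f.strip() for f in row)
            asn = int(asn_s[2:] if asn_s.upper().startswith("AS") else asn_s)
            prefix = ipaddress.ip_network(prefix_s, strict=True)
            maxlen = int(maxlen_s)
            expires = int(expires_s)
        except ValueError as exc:
            rejected.append((row, str(exc)))
            continue
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            rejected.append((row, "maxLength outside [prefixlen, address width]"))
            continue
        vrps.append({"asn": asn, "prefix": prefix, "maxlen": maxlen,
                     "ta": ta, "expires": expires})
    return vrps, rejected


def expiring_within(vrps, now, horizon):
    """VRPs that expire at or before now + horizon seconds.

    With horizon equal to the cron interval (3600 for the hourly run the
    manual recommends), this is the set that may vanish from the output
    before the next successful run if the CA does not reissue in time.
    """
    deadline = now + horizon
    return [v for v in vrps if v["expires"] <= deadline]


def report(text, now, horizon=3600):
    """Print rejected and soon-expiring rows; returns (n_valid, n_rejected, n_expiring)."""
    vrps, rejected = parse_vrp_csv(text)
    soon = expiring_within(vrps, now, horizon)
    for row, why in rejected:
        print(f"REJECT {','.join(row)}: {why}")
    for v in soon:
        print(f"EXPIRING AS{v['asn']} {v['prefix']}-{v['maxlen']} "
              f"({v['ta']}) at {v['expires']}")
    return len(vrps), len(rejected), len(soon)


if __name__ == "__main__":
    # Evaluate as if the clock read 1690000000 (the first row's expiry).
    report(SAMPLE_CSV, now=1690000000)
```

     Run against a real csv file, pass the current time as now and the cron
     interval as horizon; rows the parser rejects point at a defective producer
     or a corrupted file and should be alerted on rather than loaded.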

     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.

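     The skiplist format described under -S is simple enough that an operator
     can lint a skiplist before deploying it and check which SIA URIs it would
     block; a mistyped entry otherwise silently never matches.  The following
     Python is an added example, not rpki-client code: the hostnames are
     constructed, the FQDN syntax rules are the RFC 1035/1123 label rules, and
     matching the list against the host part of an SIA URI is an assumption
     about how the filter is applied, not a statement from this manual.

```python
import re
from urllib.parse import urlsplit

# Constructed skiplist in the format the -S option describes: one FQDN per
# line, '#' begins a comment that runs to the end of the line.  The
# hostnames are documentation examples, not real RPKI repositories; the
# last two lines are deliberately malformed.
SAMPLE_SKIPLIST = """\
# repositories this validator must not contact
rrdp.example.net        # comment after the entry
rsync.example.org
   Repo.Example.COM.    # leading blanks, mixed case, trailing dot
not a hostname!         # rejected: blanks are not allowed in a label
-bad.example.net        # rejected: label may not start with a hyphen
"""

# RFC 1035/1123 label syntax (assumed here as the lint rule): 1-63 chars
# of letters, digits or hyphen, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Syntactic check only; does not resolve the name."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_skiplist(text):
    """Return (accepted, rejected).

    Accepted names are lower-cased and stripped of a trailing dot so they
    compare equal to the host part of an SIA URI; rejected entries are
    reported with their line number so the operator can fix the file
    rather than have an entry silently never match.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue  # comment-only or blank line
        name = entry.lower().rstrip(".")
        if is_fqdn(name):
            accepted.append(name)
        else:
            rejected.append((lineno, raw))
    return accepted, rejected


def host_is_skipped(uri, skiplist):
    """Would an SIA URI (rsync:// or https://) be blocked by this skiplist?

    Assumption, not from the manual: the filter compares the URI's host
    against the listed FQDNs case-insensitively.
    """
    host = (urlsplit(uri).hostname or "").rstrip(".")
    return host in set(skiplist)


if __name__ == "__main__":
    accepted, rejected = parse_skiplist(SAMPLE_SKIPLIST)
    for lineno, raw in rejected:
        print(f"line {lineno}: not a valid FQDN: {raw.rstrip()}")
    for uri in ("rsync://rrdp.example.net/repo/",
                "https://Repo.Example.COM/rrdp/notification.xml",
                "https://rrdp.example.com/rrdp/notification.xml"):
        verdict = "skipped" if host_is_skipped(uri, accepted) else "allowed"
        print(f"{uri}: {verdict}")
```

     The same normalisation (lower-case, no trailing dot) is what makes the
     shortlist built with -H and the skiplist comparable to hostnames taken
     from SIA URIs, which are case-insensitive.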

ENVIRONMENT

     rpki-client utilizes the following environment variables:

     http_proxy  URL of HTTP proxy to use.

FILES

     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /etc/pki/tals/skiplist         default skiplist file, unless -S skiplist
                                    is specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

     All the top-level TALs are included, except the ARIN TAL, which is not
     made available with terms compatible with open source.  That public key
     is treated as a proprietary object in a lengthy legal agreement regarding
     ARIN service restrictions.

EXIT STATUS

     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO

     rsync(1), bgpd.conf(5)

STANDARDS

     X.509 Extensions for IP Addresses and AS Identifiers, RFC 3779.

     Internet X.509 Public Key Infrastructure Certificate and Certificate
     Revocation List (CRL) Profile, RFC 5280.

     Cryptographic Message Syntax (CMS), RFC 5652.

     The rsync URI Scheme, RFC 5781.

     An Infrastructure to Support Secure Internet Routing, RFC 6480.

     A Profile for Resource Certificate Repository Structure, RFC 6481.

     The Profile for Algorithms and Key Sizes for Use in the Resource Public
     Key Infrastructure (RPKI), RFC 6485.

     A Profile for X.509 PKIX Resource Certificates, RFC 6487.

     Signed Object Template for the Resource Public Key Infrastructure (RPKI),
     RFC 6488.

     The Resource Public Key Infrastructure (RPKI) Ghostbusters Record, RFC
     6493.

     Policy Qualifiers in Resource Public Key Infrastructure (RPKI)
     Certificates, RFC 7318.

     The Profile for Algorithms and Key Sizes for Use in the Resource Public
     Key Infrastructure, RFC 7935.

     The RPKI Repository Delta Protocol (RRDP), RFC 8182.

     A Profile for BGPsec Router Certificates, Certificate Revocation Lists,
     and Certification Requests, RFC 8209.

     Resource Public Key Infrastructure (RPKI) Trust Anchor Locator, RFC 8630.

     Finding and Using Geofeed Data, RFC 9092.

     Manifests for the Resource Public Key Infrastructure (RPKI), RFC 9286.

     RPKI Signed Object for Trust Anchor Key,
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-signed-tal, Oct,
     2022.

     A Profile for RPKI Signed Checklists (RSCs), RFC 9323.

     A Profile for Route Origin Authorizations (ROAs),
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rfc6482bis, Nov,
     2022.

     A Profile for Autonomous System Provider Authorization (ASPA),
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile,
     Jun, 2023.

     On the use of the CMS signing-time attribute in RPKI Signed Objects,
     https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-cms-signing-time,
     Jun, 2023.

HISTORY

     rpki-client first appeared in OpenBSD 6.7.

AUTHORS

     Kristaps Dzonsons <kristaps@bsd.lv>, Claudio Jeker <claudio@openbsd.org>,
     Theo Buehler <tb@openbsd.org>, and Job Snijders <job@openbsd.org>.

BSD                              June 26, 2023                             BSD