RPKI-CLIENT(8)            BSD System Manager's Manual           RPKI-CLIENT(8)

NAME

     rpki-client — RPKI validator to support BGP Origin Validation

SYNOPSIS

     rpki-client [-Bcfjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-T table] [-t tal] [outputdir]

DESCRIPTION

     The rpki-client utility queries the RPKI repository system with rsync(1)
     to fetch all X.509 certificates, manifests, and revocation lists under a
     given Trust Anchor.  rpki-client subsequently validates each Route Origin
     Authorization (ROA) by constructing and verifying a certification path
     for the certificate associated with the ROA (including checking relevant
     CRLs).  rpki-client produces lists of the Validated ROA Payloads (VRPs)
     in various formats.

     The options are as follows:

     -B      Create output in the file bird in the output directory which is
             suitable for the BIRD internet routing daemon.

     -b sourceaddr
             Tell the rsync client to use sourceaddr as the source address for
             connections, which is useful on machines with multiple
             interfaces.

     -c      Create output in the file csv in the output directory as comma-
             separated values of the prefix in slash notation, the maximum
             prefix length, the autonomous system number, and an abbreviation
             for the trust anchor the entry is derived from.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/lib/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rlt, --address and --delete flags and connect
             with rsync-protocol locations.

     -f      Accept out-of-date manifests.  This will still report if a
             manifest has expired.

     -j      Create output in the file json in the output directory as a JSON
             object.  This format is identical to that produced by the RIPE
             NCC RPKI Validator and NLnet Labs routinator.

     -n      Assume that all requested repositories exist: don't update.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -T table
             For BIRD output generated with the -B option use table as roa
             table name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -v      Specified once, prints information about status.  Twice, prints
             each filename as it's processed.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.

     By default rpki-client produces a list of unique roa-set statements in -o
     (OpenBGPD compatible) output.
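     The origin validation decision that the VRPs feed, as an added example
     (not part of rpki-client or its manual): it parses -c style rows and
     classifies a route as valid, invalid or not-found following RFC 6811.
     The column order is assumed from the -c description above; the sample
     rows, AS numbers and trust anchor names are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample. Assumed column order, taken from the -c description:
# prefix, maximum prefix length, AS number, trust anchor abbreviation.
SAMPLE_CSV = """\
192.0.2.0/24,24,64496,ta1
198.51.100.0/22,24,64497,ta2
2001:db8::/32,48,64496,ta1
10.0.0.0/8,4,64498,ta1
"""

def load_vrps(text):
    """Parse CSV rows into (network, maxlen, asn, ta); drop bad rows."""
    vrps = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        try:
            net = ipaddress.ip_network(row[0].strip())
            maxlen = int(row[1])
            asn_text = row[2].strip().upper()
            asn = int(asn_text[2:] if asn_text.startswith("AS") else asn_text)
        except ValueError:
            continue  # header line or malformed field
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            continue  # maximum length must lie between prefix length and 32/128
        vrps.append((net, maxlen, asn, row[3].strip()))
    return vrps

def validate(vrps, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for an announced route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, maxlen, asn, _ta in vrps:
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True  # at least one VRP covers this route
        # A match needs the same origin AS (never AS 0) and a route no
        # more specific than the VRP's maximum length.
        if asn == origin_asn and asn != 0 and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"
```

     A covered route that matches no VRP is invalid, so a more specific
     announcement than the maximum prefix length is rejected even when the
     origin AS is the authorized one.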

FILES

     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

EXIT STATUS

     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO

     rsync(1), bgpd.conf(5)

STANDARDS

     The following standards are used or referenced in rpki-client:

     RFC 3370
          Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
          X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
          IP Version 6 Addressing Architecture.

     RFC 4631
          Classless Inter-domain Routing (CIDR): The Internet Address
          Assignment and Aggregation Plan.

     RFC 5280
          Internet X.509 Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile.

     RFC 5652
          Cryptographic Message Syntax (CMS).

     RFC 5781
          The rsync URI Scheme.

     RFC 5952
          A Recommendation for IPv6 Address Text Representation.

     RFC 6480
          An Infrastructure to Support Secure Internet Routing.

     RFC 6482
          A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
          The Profile for Algorithms and Key Sizes for Use in the Resource
          Public Key Infrastructure (RPKI).

     RFC 6486
          Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
          A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
          Signed Object Template for the Resource Public Key Infrastructure
          (RPKI).

     RFC 7730
          Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

AUTHORS

     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                              May 10, 2020                              BSD