RPKI-CLIENT(8)            BSD System Manager's Manual            RPKI-CLIENT(8)

NAME
     rpki-client — RPKI validator to support BGP Origin Validation

SYNOPSIS
     rpki-client [-Bcfjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-T table] [-t tal] [outputdir]

DESCRIPTION
     The rpki-client utility queries the RPKI repository system with rsync(1)
     to fetch all X.509 certificates, manifests, and revocation lists under a
     given Trust Anchor.  rpki-client subsequently validates each Route Origin
     Authorization (ROA) by constructing and verifying a certification path
     for the certificate associated with the ROA (including checking relevant
     CRLs).  rpki-client produces lists of the Validated ROA Payloads (VRPs)
     in various formats.

     The options are as follows:

     -B      Create output in the file bird in the output directory which is
             suitable for the BIRD internet routing daemon.

     -b sourceaddr
             Tell the rsync client to use sourceaddr as the source address for
             connections, which is useful on machines with multiple
             interfaces.

     -c      Create output in the file csv in the output directory as comma-
             separated values of the prefix in slash notation, the maximum
             prefix length, the autonomous system number, and an abbreviation
             for the trust anchor the entry is derived from.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/lib/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rlt, --address and --delete flags and connect
             with rsync-protocol locations.

     -f      Accept out-of-date manifests.  This will still report if a
             manifest has expired.

     -j      Create output in the file json in the output directory as a JSON
             object.  This format is identical to that produced by the RIPE
             NCC RPKI Validator and NLnet Labs routinator.

     -n      Assume that all requested repositories exist: don't update.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -T table
             For BIRD output generated with the -B option use table as roa
             table name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -v      Specified once, prints information about status.  Twice, prints
             each filename as it is processed.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.

     By default rpki-client produces a list of unique roa-set statements in -o
     (OpenBGPD compatible) output.
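     The VRP list produced with -c is the input to BGP Origin Validation
     (RFC 6811).  The following is an added example, not code from
     rpki-client: it parses CSV in the column order the -c description gives
     (prefix, max length, ASN, trust-anchor abbreviation; a header line is
     assumed and skipped) and classifies a route as valid, invalid or
     notfound.  The sample rows are constructed, not real output.

```python
import csv
import io
import ipaddress
from collections import namedtuple

VRP = namedtuple("VRP", "prefix maxlen asn ta")

# Constructed sample, not real rpki-client output: the column order follows
# the -c description (prefix, max length, ASN, TA abbreviation); a header
# line is assumed and skipped because it does not parse as a prefix.
SAMPLE_CSV = """\
prefix,maxlen,asn,ta
192.0.2.0/24,24,64496,ripe
198.51.100.0/22,24,64497,arin
2001:db8::/32,48,64496,apnic
"""

def parse_vrps(text):
    """Parse -c style CSV into VRP records, rejecting inconsistent rows."""
    vrps = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        try:
            prefix = ipaddress.ip_network(row[0].strip(), strict=True)
        except ValueError:
            continue  # header line or malformed prefix
        asn = row[2].strip().upper()
        asn = int(asn[2:] if asn.startswith("AS") else asn)
        maxlen = int(row[1])
        # maxLength must lie between the prefix length and the address size.
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"maxLength {maxlen} invalid for {prefix}")
        vrps.append(VRP(prefix, maxlen, asn, row[3].strip()))
    return vrps

def validate_origin(vrps, route, origin_as):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route, strict=True)
    covered = False
    for v in vrps:
        # A VRP covers the route when the route prefix lies inside it.
        if v.prefix.version != net.version or not net.subnet_of(v.prefix):
            continue
        covered = True
        # Matching origin AS within maxLength makes the route valid.
        if v.asn == origin_as and net.prefixlen <= v.maxlen:
            return "valid"
    return "invalid" if covered else "notfound"
```

     A route covered by a VRP but announced from another AS, or more specific
     than the VRP's maxLength, is classified invalid; a route no VRP covers is
     notfound.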
73
FILES
     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

EXIT STATUS
     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     rsync(1), bgpd.conf(5)

STANDARDS
     The following standards are used or referenced in rpki-client:

     RFC 3370
             Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
             X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
             IP Version 6 Addressing Architecture.

     RFC 4631
             Classless Inter-domain Routing (CIDR): The Internet Address
             Assignment and Aggregation Plan.

     RFC 5280
             Internet X.509 Public Key Infrastructure Certificate and
             Certificate Revocation List (CRL) Profile.

     RFC 5652
             Cryptographic Message Syntax (CMS).

     RFC 5781
             The rsync URI Scheme.

     RFC 5952
             A Recommendation for IPv6 Address Text Representation.

     RFC 6480
             An Infrastructure to Support Secure Internet Routing.

     RFC 6482
             A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
             The Profile for Algorithms and Key Sizes for Use in the Resource
             Public Key Infrastructure (RPKI).

     RFC 6486
             Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
             A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
             Signed Object Template for the Resource Public Key Infrastructure
             (RPKI).

     RFC 7730
             Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

AUTHORS
     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                              May 10, 2020                              BSD