RPKI-CLIENT(8)            BSD System Manager's Manual            RPKI-CLIENT(8)

NAME
     rpki-client — RPKI validator to support BGP Origin Validation

SYNOPSIS
     rpki-client [-Bcjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-s timeout] [-T table] [-t tal] [outputdir]

DESCRIPTION
     The rpki-client utility queries the RPKI repository system with rsync(1)
     to fetch all X.509 certificates, manifests, and revocation lists under a
     given Trust Anchor.  rpki-client subsequently validates each Route Origin
     Authorization (ROA) by constructing and verifying a certification path
     for the certificate associated with the ROA (including checking relevant
     CRLs).  rpki-client produces lists of the Validated ROA Payloads (VRPs)
     in various formats.

     The options are as follows:

     -B      Create output in the file bird in the output directory which is
             suitable for the BIRD internet routing daemon.

     -b sourceaddr
             Tell the rsync client to use sourceaddr as the source address for
             connections, which is useful on machines with multiple
             interfaces.

     -c      Create output in the file csv in the output directory as comma-
             separated values of the prefix in slash notation, the maximum
             prefix length, the autonomous system number, and an abbreviation
             for the trust anchor the entry is derived from.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with rsync-
             protocol locations.

     -j      Create output in the file json in the output directory as a JSON
             object.  This format is identical to that produced by the RIPE
             NCC RPKI Validator and NLnet Labs routinator.

     -n      Assume that all requested repositories exist: don't update.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -T table
             For BIRD output generated with the -B option use table as roa
             table name instead of the default 'ROAS'.

     -s timeout
             Terminate after timeout seconds of runtime, because normal
             practice will restart from cron(8).  Disable by specifying 0.
             Defaults to 1 hour.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -v      Specified once, prints information about status.  Twice, prints
             each filename as it's processed.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.

     By default rpki-client produces a list of unique roa-set statements in -o
     (OpenBGPD compatible) output.

     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.
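     The VRP lists this utility emits are consumed by a router or a script
     that compares each BGP announcement's prefix and origin AS against them.
     The following Python is an added illustration, not part of rpki-client
     or this manual: it reads rows in the column order described above for
     the -c output (the sample rows, header handling and the "AS"-prefixed
     ASN form are assumptions) and classifies a route as Valid, Invalid or
     NotFound the way RFC 6811 origin validation does, including the effect
     of an AS 0 VRP and of the maximum prefix length.

```python
import ipaddress
from collections import namedtuple

# One VRP row in the column order this page gives for -c output:
# prefix, maximum prefix length, origin AS number, trust anchor abbreviation.
VRP = namedtuple("VRP", "prefix maxlen asn ta")

# Constructed sample rows (documentation prefixes and private ASNs), not
# real rpki-client output.
SAMPLE_CSV = """\
192.0.2.0/24,24,64496,ripe
192.0.2.0/24,26,64496,ripe
198.51.100.0/24,24,0,arin
2001:db8::/32,48,64500,apnic
"""


def parse_vrps(text):
    """Parse csv-style VRP rows; a header line, if present, is skipped."""
    vrps = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4 or not fields[0][0].isdigit():
            continue  # blank line or header
        prefix, maxlen, asn, ta = fields[:4]
        if asn.upper().startswith("AS"):
            asn = asn[2:]  # tolerate "AS64496" as well as "64496" (assumed form)
        vrps.append(VRP(ipaddress.ip_network(prefix), int(maxlen), int(asn), ta))
    return vrps


def validate_origin(vrps, route_prefix, origin_asn):
    """RFC 6811 origin validation: returns Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"  # no VRP covers this prefix: the RPKI says nothing
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.maxlen:
            return "Valid"
    # Covered, but the origin AS or the prefix length disagrees with every
    # covering VRP; an AS 0 VRP lands here for any real origin AS.
    return "Invalid"


if __name__ == "__main__":
    vrps = parse_vrps(SAMPLE_CSV)
    for prefix, asn in [("192.0.2.0/25", 64496), ("192.0.2.0/27", 64496),
                        ("198.51.100.0/24", 64496), ("203.0.113.0/24", 64496)]:
        print(prefix, "AS%d" % asn, validate_origin(vrps, prefix, asn))
```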

FILES
     /etc/pki/tals/*.tal           default TAL files used unless -t tal is
                                   specified.
     /var/cache/rpki-client        cached repository data.
     /var/lib/rpki-client/openbgpd
                                   default roa-set output file.

EXIT STATUS
     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     rsync(1), bgpd.conf(5)

STANDARDS
     The following standards are used or referenced in rpki-client:

     RFC 3370
             Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
             X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
             IP Version 6 Addressing Architecture.

     RFC 4631
             Classless Inter-domain Routing (CIDR): The Internet Address
             Assignment and Aggregation Plan.

     RFC 5280
             Internet X.509 Public Key Infrastructure Certificate and
             Certificate Revocation List (CRL) Profile.

     RFC 5652
             Cryptographic Message Syntax (CMS).

     RFC 5781
             The rsync URI Scheme.

     RFC 5952
             A Recommendation for IPv6 Address Text Representation.

     RFC 6480
             An Infrastructure to Support Secure Internet Routing.

     RFC 6482
             A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
             The Profile for Algorithms and Key Sizes for Use in the Resource
             Public Key Infrastructure (RPKI).

     RFC 6486
             Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
             A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
             Signed Object Template for the Resource Public Key Infrastructure
             (RPKI).

     RFC 7730
             Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

AUTHORS
     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                            September 15, 2020                            BSD