RPKI-CLIENT(8) BSD System Manager's Manual RPKI-CLIENT(8)

NAME
rpki-client — RPKI validator to support BGP Origin Validation

SYNOPSIS
rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
[-s timeout] [-T table] [-t tal] [outputdir]

DESCRIPTION
The rpki-client utility queries the RPKI repository system with a built-in
HTTP client and rsync(1) to fetch all X.509 certificates, manifests, and
revocation lists under a given Trust Anchor. rpki-client subsequently
validates each Route Origin Authorization (ROA) by constructing and
verifying a certification path for the certificate associated with the ROA
(including checking relevant CRLs). rpki-client produces lists of the
Validated ROA Payloads (VRPs) in various formats.

The options are as follows:

-B Create output in the files bird1v4, bird1v6, and bird (for bird2) in the
output directory, suitable for the BIRD internet routing daemon.

-b sourceaddr
Tell the HTTP and rsync clients to use sourceaddr as the source address for
connections, which is useful on machines with multiple interfaces.

-c Create output in the file csv in the output directory as comma-separated
values of the Autonomous System, the prefix in slash notation, the maximum
prefix length, an abbreviation for the Trust Anchor the entry is derived
from, and the moment the VRP will expire, derived from the chain of X.509
certificates and CRLs, in seconds since the Epoch, UTC.

-d cachedir
The directory where rpki-client will store the cached repository data.
Defaults to /var/cache/rpki-client.

-e rsync_prog
Use rsync_prog instead of rsync(1) to fetch repositories. It must accept
the -rt and --address flags and connect with rsync-protocol locations.

-j Create output in the file json in the output directory as a JSON object.
See -c for a description of the fields.

-n Offline mode. Validate the contents of cachedir and write to outputdir
without synchronizing via RRDP or RSYNC.

-o Create output in the file openbgpd in the output directory as bgpd(8)
compatible input. If the -B, -c, and -j options are not specified this is
the default.

-R Do not synchronize via RRDP. This is the default.

-r Attempt to synchronize via RRDP. If RRDP fails, RSYNC will be used. This
flag is for testing purposes and will be removed in a future release.
Mutually exclusive with -n.

-s timeout
Terminate after timeout seconds of runtime, because normal practice will
restart from cron(8). Disable by specifying 0. Defaults to 1 hour.

-T table
For BIRD output generated with the -B option use table as roa table name
instead of the default 'ROAS'.

-t tal Specify a Trust Anchor Location (TAL) file to be used. This option
can be used multiple times to load multiple TALs. By default rpki-client
will load all TAL files in /etc/pki/tals.

-V Show the version and exit.

-v Specified once, prints information about status. Twice, prints each
filename as it's processed.

outputdir
The directory where rpki-client will write the output files. Defaults to
/var/lib/rpki-client.

By default rpki-client produces a list of unique VRPs; the -j, -o, -B, and
-c options select JSON, OpenBGPD, BIRD, and CSV compatible output
respectively.

rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
the entry in root's crontab.

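The CSV layout described under -c, parsed and then used for RFC 6811 route origin validation against a constructed VRP set. This is an added example, not code from rpki-client; the header names, the "AS" prefix on the first column, and the sample rows are assumptions about the file layout.

```python
import csv
import io
import ipaddress
import time

# Constructed sample in the column order the -c option describes:
# Autonomous System, prefix, max length, trust anchor abbreviation,
# expiry in seconds since the Epoch. Header names are an assumption.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64496,192.0.2.0/24,24,ripe,4102444800
AS64497,198.51.100.0/22,24,arin,4102444800
AS64498,2001:db8::/32,48,apnic,4102444800
AS64499,203.0.113.0/24,24,lacnic,1000000000
"""


def load_vrps(text, now=None):
    """Parse -c style CSV into (asn, network, maxlen, ta) tuples.

    VRPs whose expiry has passed are dropped: their certificate chain or
    CRL is no longer valid, so they must not be used for validation.
    """
    now = time.time() if now is None else now
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["Expires"]) <= now:
            continue
        asn_field = row["ASN"].strip()
        asn = int(asn_field[2:] if asn_field.upper().startswith("AS") else asn_field)
        net = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        vrps.append((asn, net, int(row["Max Length"]), row["Trust Anchor"]))
    return vrps


def validate_origin(vrps, prefix, origin_asn):
    """RFC 6811 outcome for a route: 'valid', 'invalid' or 'notfound'.

    A route is covered when some VRP's prefix contains it. It is valid only
    if a covering VRP also matches the origin AS and the route's prefix
    length does not exceed that VRP's maximum length.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for asn, net, maxlen, _ in vrps:
        # subnet_of() raises on mixed address families, so check version first
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if asn == origin_asn and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "notfound"
```

A route that is more specific than the VRP's maximum length is "invalid" even when the origin AS matches, which is the case a forged-origin sub-prefix announcement would hit.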
FILES
/etc/pki/tals/*.tal default TAL files used unless -t tal is specified.
/var/cache/rpki-client cached repository data.
/var/lib/rpki-client/openbgpd default roa-set output file.

EXIT STATUS
The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
rsync(1), bgpd.conf(5)

STANDARDS
The following standards are used or referenced in rpki-client:

RFC 3370
Cryptographic Message Syntax (CMS) Algorithms.

RFC 3779
X.509 Extensions for IP Addresses and AS Identifiers.

RFC 4291
IP Version 6 Addressing Architecture.

RFC 4631
Classless Inter-domain Routing (CIDR): The Internet Address Assignment
and Aggregation Plan.

RFC 5280
Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile.

RFC 5652
Cryptographic Message Syntax (CMS).

RFC 5781
The rsync URI Scheme.

RFC 5952
A Recommendation for IPv6 Address Text Representation.

RFC 6480
An Infrastructure to Support Secure Internet Routing.

RFC 6482
A Profile for Route Origin Authorizations (ROAs).

RFC 6485
The Profile for Algorithms and Key Sizes for Use in the Resource Public
Key Infrastructure (RPKI).

RFC 6486
Manifests for the Resource Public Key Infrastructure (RPKI).

RFC 6487
A Profile for X.509 PKIX Resource Certificates.

RFC 6488
Signed Object Template for the Resource Public Key Infrastructure (RPKI).

RFC 6493
The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.

RFC 7730
Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

RFC 8182
The RPKI Repository Delta Protocol (RRDP).

AUTHORS
The rpki-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

BSD May 6, 2021 BSD