RPKI-CLIENT(8)            BSD System Manager's Manual           RPKI-CLIENT(8)


NAME

     rpki-client — RPKI validator to support BGP Origin Validation


SYNOPSIS

     rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-s timeout] [-T table] [-t tal] [outputdir]


DESCRIPTION

     The rpki-client utility queries the RPKI repository system with a built-
     in HTTP client and rsync(1) to fetch all X.509 certificates, manifests,
     and revocation lists under a given Trust Anchor.  rpki-client subse‐
     quently validates each Route Origin Authorization (ROA) by constructing
     and verifying a certification path for the certificate associated with
     the ROA (including checking relevant CRLs).  rpki-client produces lists
     of the Validated ROA Payloads (VRPs) in various formats.

     The options are as follows:

     -B      Create output in the files bird1v4, bird1v6, and bird (for bird2)
             in the output directory which is suitable for the BIRD internet
             routing daemon.

     -b sourceaddr
             Tell the HTTP and rsync clients to use sourceaddr as the source
             address for connections, which is useful on machines with multi‐
             ple interfaces.

     -c      Create output in the file csv in the output directory as comma-
             separated values of the Autonomous System, the prefix in slash
             notation, the maximum prefix length, an abbreviation for the
             Trust Anchor the entry is derived from, and the moment the VRP
             will expire derived from the chain of X.509 certificates and CRLs
             in seconds since the Epoch, UTC.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with rsync-
             protocol locations.

     -j      Create output in the file json in the output directory as JSON
             object.  See -c for a description of the fields.

     -n      Offline mode.  Validate the contents of cachedir and write to
             outputdir without synchronizing via RRDP or RSYNC.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -R      Synchronize via RSYNC only.

     -r      Synchronize via RRDP.  If RRDP fails, RSYNC will be used.  This
             is the default.  Mutually exclusive with -n.

     -s timeout
             Terminate after timeout seconds of runtime, because normal prac‐
             tice will restart from cron(8).  Disable by specifying 0.  De‐
             faults to 1 hour.

     -T table
             For BIRD output generated with the -B option use table as roa ta‐
             ble name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This op‐
             tion can be used multiple times to load multiple TALs.  By de‐
             fault rpki-client will load all TAL files in /etc/pki/tals.

     -V      Show the version and exit.

     -v      Specified once, prints information about status.  Twice, prints
             each filename as it's processed.

     outputdir
             The directory where rpki-client will write the output files.  De‐
             faults to /var/lib/rpki-client.

     By default rpki-client produces a list of unique VRPs in -joBc JSON,
     OpenBGPD, BIRD and CSV compatible output.

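     The following is an added example, not part of rpki-client or this
     manual: it reads VRP lines in the field order the -c option documents
     (AS, prefix, maximum length, Trust Anchor abbreviation, expiry as
     seconds since the Epoch) and applies RFC 6811 route origin validation
     to an announced prefix and origin AS, discarding VRPs whose expiry has
     passed.  The sample lines, the header line and the "AS" prefix on the
     first field are constructed assumptions about the exact file layout.

```python
import ipaddress
import time

# Constructed sample in the -c field order; documentation prefixes and ASNs.
# The header line and "AS" prefix are assumptions; the parser tolerates both.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64496,192.0.2.0/24,24,ripe,4102444800
AS64497,198.51.100.0/22,24,arin,4102444800
AS64498,2001:db8::/32,48,apnic,1000000000
"""


def parse_vrps(text):
    """Return a list of (asn, network, maxlen, ta, expires) tuples."""
    vrps = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue
        asn = fields[0].upper()
        if asn.startswith("AS"):
            asn = asn[2:]
        if not asn.isdigit():
            continue  # header line or malformed record
        vrps.append((int(asn), ipaddress.ip_network(fields[1], strict=False),
                     int(fields[2]), fields[3], int(fields[4])))
    return vrps


def rov_state(vrps, prefix, origin_asn, now=None):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    A VRP covers the route when the route lies inside the VRP prefix.  The
    route is valid if some covering VRP has the same origin AS and the route
    length does not exceed maxlen; invalid if covered but nothing matches;
    notfound if no unexpired VRP covers it at all."""
    now = time.time() if now is None else now
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps
                if v[1].version == route.version  # never mix v4/v6
                and v[4] > now                    # drop expired VRPs
                and route.subnet_of(v[1])]
    if not covering:
        return "notfound"
    for asn, _net, maxlen, _ta, _expires in covering:
        if asn == origin_asn and route.prefixlen <= maxlen:
            return "valid"
    return "invalid"
```

     Run against the real csv file, the expiry filter matters: a stale file
     left behind by a failed cron(8) run would otherwise keep validating
     routes long after the signing certificates have expired.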
     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.


ENVIRONMENT

     rpki-client utilizes the following environment variables:

     http_proxy  URL of HTTP proxy to use.


FILES

     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.


EXIT STATUS

     The rpki-client utility exits 0 on success, and >0 if an error occurs.


SEE ALSO

     rsync(1), bgpd.conf(5)


STANDARDS

     The following standards are used or referenced in rpki-client:

     RFC 3370
          Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
          X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
          IP Version 6 Addressing Architecture.

     RFC 4631
          Classless Inter-domain Routing (CIDR): The Internet Address Assign‐
          ment and Aggregation Plan.

     RFC 5280
          Internet X.509 Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile.

     RFC 5652
          Cryptographic Message Syntax (CMS).

     RFC 5781
          The rsync URI Scheme.

     RFC 5952
          A Recommendation for IPv6 Address Text Representation.

     RFC 6480
          An Infrastructure to Support Secure Internet Routing.

     RFC 6482
          A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
          The Profile for Algorithms and Key Sizes for Use in the Resource
          Public Key Infrastructure (RPKI).

     RFC 6486
          Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
          A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
          Signed Object Template for the Resource Public Key Infrastructure
          (RPKI).

     RFC 6493
          The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.

     RFC 8182
          The RPKI Repository Delta Protocol (RRDP).

     RFC 8209
          A Profile for BGPsec Router Certificates, Certificate Revocation
          Lists, and Certification Requests.

     RFC 8630
          Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.


AUTHORS

     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                            October 26, 2021                            BSD