RPKI-CLIENT(8)              BSD System Manager's Manual              RPKI-CLIENT(8)

NAME
     rpki-client — RPKI validator to support BGP Origin Validation

SYNOPSIS
     rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-s timeout] [-T table] [-t tal] [outputdir]

DESCRIPTION
     The rpki-client utility queries the RPKI repository system with a built-in
     HTTP client and rsync(1) to fetch all X.509 certificates, manifests, and
     revocation lists under a given Trust Anchor.  rpki-client subsequently
     validates each Route Origin Authorization (ROA) by constructing and
     verifying a certification path for the certificate associated with the
     ROA (including checking relevant CRLs).  rpki-client produces lists of the
     Validated ROA Payloads (VRPs) in various formats.

     The options are as follows:

     -B      Create output in the files bird1v4, bird1v6, and bird (for bird2)
             in the output directory which is suitable for the BIRD internet
             routing daemon.

     -b sourceaddr
             Tell the HTTP and rsync clients to use sourceaddr as the source
             address for connections, which is useful on machines with
             multiple interfaces.

     -c      Create output in the file csv in the output directory as comma-
             separated values of the Autonomous System, the prefix in slash
             notation, the maximum prefix length, an abbreviation for the
             Trust Anchor the entry is derived from, and the moment the VRP
             will expire derived from the chain of X.509 certificates and
             CRLs in seconds since the Epoch, UTC.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with
             rsync-protocol locations.

     -j      Create output in the file json in the output directory as a JSON
             object.  See -c for a description of the fields.

     -n      Offline mode.  Validate the contents of cachedir and write to
             outputdir without synchronizing via RRDP or RSYNC.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -R      Synchronize via RSYNC only.

     -r      Synchronize via RRDP.  If RRDP fails, RSYNC will be used.  This
             is the default.  Mutually exclusive with -n.

     -s timeout
             Terminate after timeout seconds of runtime, because normal
             practice will restart from cron(8).  Disable by specifying 0.
             Defaults to 1 hour.

     -T table
             For BIRD output generated with the -B option use table as roa
             table name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -V      Show the version and exit.

     -v      Specified once, prints information about status.  Twice, prints
             each filename as it's processed.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.

     rpki-client produces a list of unique VRPs; the -j, -o, -B and -c options
     select JSON, OpenBGPD, BIRD and CSV compatible output for that list and
     may be combined (e.g. -joBc) to write several formats in one run.

     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.

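     The fields described under -c (and carried identically by -j) are what a
     router-side consumer needs for route origin validation.  The following
     Python is an added example, not code from rpki-client: it parses a csv file
     in the layout -c documents, discards VRPs whose Expires timestamp has
     already passed (a stale output file left behind by a failed or timed-out
     run would otherwise keep vouching for origins rpki-client itself would no
     longer accept), and classifies a route as valid, invalid or notfound
     following RFC 6811.  SAMPLE_CSV is constructed data; its header row and the
     "AS64500" spelling of the ASN column are assumptions about the exact file
     layout rather than anything this page specifies.

```python
"""Route Origin Validation (RFC 6811) over rpki-client CSV output.

Added example; this is not rpki-client code.  It reads the csv file that
rpki-client -c writes, drops VRPs whose expiry has passed, and classifies
routes as valid / invalid / notfound.  SAMPLE_CSV is constructed data; its
header row and the "AS64500" form of the ASN column are assumptions about
the exact layout, so adjust parse_vrps() if your file differs.
"""
from __future__ import annotations

import csv
import io
import ipaddress
import sys
import time
from dataclasses import dataclass

# Constructed sample in the field order the -c option documents:
# AS, prefix, max length, trust anchor abbreviation, expiry (seconds since Epoch).
# The last line expired in 2020; the others expire in 2100.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64500,192.0.2.0/24,24,ripe,4102444800
AS64501,198.51.100.0/22,24,arin,4102444800
AS64502,2001:db8::/32,48,apnic,4102444800
AS64503,203.0.113.0/24,24,lacnic,1600000000
"""


@dataclass(frozen=True)
class VRP:
    asn: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    ta: str
    expires: int


def parse_asn(text: str) -> int:
    """Accept "AS64500" (assumed rpki-client spelling) or a bare "64500"."""
    return int(text[2:] if text.upper().startswith("AS") else text)


def parse_vrps(text: str, now: int) -> list[VRP]:
    """Parse rpki-client CSV, keeping only VRPs still valid at time `now`.

    An expired VRP is one whose certificate chain or CRL has lapsed since the
    file was written; rpki-client would not emit it on its next run.  Keeping
    it would let a stale file keep vouching for an origin, so it is dropped and
    routes it covered fall back to "notfound" rather than "valid".
    """
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["Expires"]) <= now:
            continue
        vrps.append(VRP(parse_asn(row["ASN"]),
                        ipaddress.ip_network(row["IP Prefix"]),
                        int(row["Max Length"]),
                        row["Trust Anchor"],
                        int(row["Expires"])))
    return vrps


def validate(vrps: list[VRP], prefix: str, origin_asn: int) -> str:
    """RFC 6811 section 2: classify a (prefix, origin AS) pair.

    notfound: no VRP covers the prefix.
    valid:    some covering VRP has the same origin AS and prefixlen <= maxlen.
    invalid:  covering VRPs exist but none matches (this is also how an
              AS 0 VRP rejects every origin for its prefix).
    """
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "notfound"
    if any(v.asn == origin_asn and route.prefixlen <= v.maxlen for v in covering):
        return "valid"
    return "invalid"


if __name__ == "__main__":
    # Usage: python3 rov.py [/var/lib/rpki-client/csv]; without a path the
    # constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    vrps = parse_vrps(text, now=int(time.time()))
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("203.0.113.0/24", 64503)]:
        print(pfx, "AS%d" % asn, validate(vrps, pfx, asn))
```

     Note the deliberate choice in parse_vrps(): an expired VRP is removed
     entirely, so a route it used to cover becomes notfound, not invalid.  A
     consumer that would rather fail closed can keep expired entries aside and
     refuse to reload the router when any are present, which is also a cheap way
     to notice that the hourly cron(8) run has stopped producing fresh output.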
ENVIRONMENT
     rpki-client utilizes the following environment variables:

     http_proxy  URL of HTTP proxy to use.

FILES
     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

EXIT STATUS
     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     rsync(1), bgpd.conf(5)

STANDARDS
     The following standards are used or referenced in rpki-client:

     RFC 3370
          Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
          X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
          IP Version 6 Addressing Architecture.

     RFC 4632
          Classless Inter-domain Routing (CIDR): The Internet Address
          Assignment and Aggregation Plan.

     RFC 5280
          Internet X.509 Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile.

     RFC 5652
          Cryptographic Message Syntax (CMS).

     RFC 5781
          The rsync URI Scheme.

     RFC 5952
          A Recommendation for IPv6 Address Text Representation.

     RFC 6480
          An Infrastructure to Support Secure Internet Routing.

     RFC 6482
          A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
          The Profile for Algorithms and Key Sizes for Use in the Resource
          Public Key Infrastructure (RPKI).

     RFC 6486
          Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
          A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
          Signed Object Template for the Resource Public Key Infrastructure
          (RPKI).

     RFC 6493
          The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.

     RFC 8182
          The RPKI Repository Delta Protocol (RRDP).

     RFC 8209
          A Profile for BGPsec Router Certificates, Certificate Revocation
          Lists, and Certification Requests.

     RFC 8630
          Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

AUTHORS
     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                             October 26, 2021                             BSD