RPKI-CLIENT(8)              BSD System Manager's Manual             RPKI-CLIENT(8)

NAME
     rpki-client — RPKI validator to support BGP routing security

SYNOPSIS
     rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-H fqdn] [-S skiplist] [-s timeout] [-T table] [-t tal]
                 [outputdir]
     rpki-client [-Vv] [-d cachedir] [-j] [-t tal] -f file ...

DESCRIPTION
     The rpki-client utility queries the RPKI repository system with a built-in
     HTTPS client and rsync(1) to fetch all X.509 certificates, manifests, and
     revocation lists under a given Trust Anchor.  rpki-client subsequently
     validates each Signed Object by constructing and verifying a certification
     path for the certificate associated with the Object (including checking
     relevant CRLs).  rpki-client produces lists of the Validated ROA Payloads
     (VRPs), BGPsec Router Keys (BRKs), and Validated ASPA Payloads (VAPs) in
     various formats.

     The options are as follows:

     -B      Create output in the files bird1v4, bird1v6, and bird (for bird2)
             in the output directory which is suitable for the BIRD internet
             routing daemon.

     -b sourceaddr
             Tell the HTTP and rsync clients to use sourceaddr as the source
             address for connections, which is useful on machines with
             multiple interfaces.

     -c      Create output in the file csv in the output directory as
             comma-separated values of the Autonomous System, the prefix in
             slash notation, the maximum prefix length, an abbreviation for
             the Trust Anchor the entry is derived from, and the moment the
             VRP will expire derived from the chain of X.509 certificates and
             CRLs in seconds since the Epoch, UTC.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with
             rsync-protocol locations.

     -f file ...
             Decode the TAL or validate the Signed Object in file against the
             RPKI cache stored in cachedir and print human-readable
             information about the object.  If file is an rsync:// URI, the
             corresponding file from the cache will be used.  This option
             implies -n, and can be combined with -j to emit a stream of
             Concatenated JSON.

     -H fqdn
             Create a shortlist and add fqdn to the shortlist.  rpki-client
             only connects to shortlisted hosts.  The shortlist filter is
             enforced during processing of the Subject Information Access
             (SIA) extension in CA certificates, thus applies to both RSYNC
             and RRDP connections.  This option can be used multiple times.

     -j      Create output in the file json in the output directory as a JSON
             object.  See -c for a description of the fields.

     -n      Offline mode.  Validate the contents of cachedir and write to
             outputdir without synchronizing via RRDP or RSYNC.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -R      Synchronize via RSYNC only.

     -r      Synchronize via RRDP.  If RRDP fails, RSYNC will be used.  This
             is the default.  Mutually exclusive with -n.

     -S skiplist
             Do not connect to hosts listed in the skiplist file.  Entries in
             the skiplist are newline separated Fully Qualified Domain Names
             (FQDNs).  A ‘#’ indicates the beginning of a comment; characters
             up to the end of the line are not interpreted.  The skip filter
             is enforced during processing of the Subject Information Access
             (SIA) extension in CA certificates, thus applies to both RSYNC
             and RRDP connections.  By default entries are loaded from
             /etc/rpki/skiplist.

     -s timeout
             Terminate after timeout seconds of runtime, because normal
             practice will restart from cron(8).  Disable by specifying 0.
             Defaults to 1 hour.  Individual RSYNC/RRDP repositories are timed
             out after one fourth of timeout.  All network synchronisation
             tasks are aborted after seven eighths of timeout.

     -T table
             For BIRD output generated with the -B option use table as the
             roa table name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -V      Show the version and exit.

     -v      Increase verbosity.  Specify once for synchronisation status,
             twice to print the name of each file as it's processed.  If -f is
             given, specify once to print more information about the
             encapsulated X.509 certificate, twice to print the certificate in
             PEM format.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.

     By default rpki-client produces a list of unique VRPs; the -j, -o, -B and
     -c options select JSON, OpenBGPD, BIRD and CSV compatible output
     respectively.

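     As an added example (not part of rpki-client or this manual), a Python
     consumer for the csv file written by -c, in the field order described
     above: it rejects structurally invalid rows before they reach a router
     policy and lists VRPs whose expiry falls within a given window.  The
     header names and the "AS" prefix on the first column are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the field order documented for -c: Autonomous System,
# prefix, maximum prefix length, Trust Anchor abbreviation, expiry in seconds
# since the Epoch (UTC).  Header names and the "AS" prefix are assumptions.
# The last row is deliberately malformed: maxLength 16 is shorter than the /24.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS13335,1.1.1.0/24,24,apnic,1700000000
AS3333,193.0.0.0/21,21,ripe,1700003600
AS64496,2001:db8::/32,48,ripe,1699999000
AS64497,203.0.113.0/24,16,arin,1700003600
"""


def parse_vrps(text):
    """Return (vrps, rejected): well-formed VRP dicts and the prefixes of rows
    that fail the structural checks a consumer should apply before use."""
    vrps, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            asn_field = row["ASN"].strip()
            asn = int(asn_field[2:] if asn_field.upper().startswith("AS") else asn_field)
            # strict=True rejects prefixes with host bits set (e.g. 1.1.1.1/24).
            prefix = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
            maxlen = int(row["Max Length"])
            expires = int(row["Expires"])
        except (KeyError, ValueError):
            rejected.append(row.get("IP Prefix", "?"))
            continue
        # maxLength must lie between the prefix length and the address family's
        # maximum (32 for IPv4, 128 for IPv6); anything else is not a valid VRP.
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            rejected.append(str(prefix))
            continue
        vrps.append({"asn": asn, "prefix": str(prefix), "maxlen": maxlen,
                     "ta": row["Trust Anchor"].strip(), "expires": expires})
    return vrps, rejected


def expiring_within(vrps, now, window):
    """Prefixes whose VRP expires no more than `window` seconds after `now`
    (already-expired entries included), so an operator can alert before a
    stale output file silently drops a ROA from the router's policy."""
    return [v["prefix"] for v in vrps if v["expires"] - now <= window]
```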
     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.

ENVIRONMENT
     rpki-client utilizes the following environment variables:

     http_proxy  URL of HTTP proxy to use.

FILES
     /etc/pki/tals/*.tal          default TAL files used unless -t tal is
                                  specified.
     /etc/pki/tals/skiplist       default skiplist file, unless -S skiplist
                                  is specified.
     /var/cache/rpki-client       cached repository data.
     /var/lib/rpki-client/openbgpd
                                  default roa-set output file.

EXIT STATUS
     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     rsync(1), bgpd.conf(5)

STANDARDS
     The following standards are used or referenced in rpki-client:

     RFC 3370
          Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
          X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
          IP Version 6 Addressing Architecture.

     RFC 4631
          Classless Inter-domain Routing (CIDR): The Internet Address
          Assignment and Aggregation Plan.

     RFC 5280
          Internet X.509 Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile.

     RFC 5652
          Cryptographic Message Syntax (CMS).

     RFC 5781
          The rsync URI Scheme.

     RFC 5952
          A Recommendation for IPv6 Address Text Representation.

     RFC 6480
          An Infrastructure to Support Secure Internet Routing.

     RFC 6482, draft-ietf-sidrops-rfc6482bis-01
          A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
          The Profile for Algorithms and Key Sizes for Use in the Resource
          Public Key Infrastructure (RPKI).

     RFC 6486
          Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
          A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
          Signed Object Template for the Resource Public Key Infrastructure
          (RPKI).

     RFC 6493
          The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.

     RFC 7318
          Policy Qualifiers in Resource Public Key Infrastructure (RPKI)
          Certificates.

     RFC 8182
          The RPKI Repository Delta Protocol (RRDP).

     RFC 8209
          A Profile for BGPsec Router Certificates, Certificate Revocation
          Lists, and Certification Requests.

     RFC 8630
          Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

     RFC 9092
          Finding and Using Geofeed Data.

     RFC 9323
          A Profile for RPKI Signed Checklists (RSCs).

     draft-ietf-sidrops-aspa-profile-10
          A Profile for Autonomous System Provider Authorization (ASPA).

     draft-ietf-sidrops-signed-tal-12
          RPKI Signed Object for Trust Anchor Key.

HISTORY
     rpki-client first appeared in OpenBSD 6.7.

AUTHORS
     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                            November 26, 2022                           BSD