RPKI-CLIENT(8)            BSD System Manager's Manual           RPKI-CLIENT(8)

NAME
     rpki-client — RPKI validator to support BGP routing security

SYNOPSIS
     rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog]
                 [-H fqdn] [-S skiplist] [-s timeout] [-T table] [-t tal]
                 [outputdir]
     rpki-client [-Vv] [-d cachedir] [-j] [-t tal] -f file ...

DESCRIPTION
     The rpki-client utility queries the RPKI repository system with a built-in
     HTTPS client and rsync(1) to fetch all X.509 certificates, manifests, and
     revocation lists under a given Trust Anchor.  rpki-client subsequently
     validates each Signed Object by constructing and verifying a
     certification path for the certificate associated with the Object
     (including checking relevant CRLs).  rpki-client produces lists of the
     Validated ROA Payloads (VRPs), BGPsec Router Keys (BRKs), and Validated
     ASPA Payloads (VAPs) in various formats.

     The options are as follows:

     -B      Create output in the files bird1v4, bird1v6, and bird (for bird2)
             in the output directory which is suitable for the BIRD internet
             routing daemon.

     -b sourceaddr
             Tell the HTTP and rsync clients to use sourceaddr as the source
             address for connections, which is useful on machines with
             multiple interfaces.

     -c      Create output in the file csv in the output directory as
             comma-separated values of the Autonomous System, the prefix in
             slash notation, the maximum prefix length, an abbreviation for
             the Trust Anchor the entry is derived from, and the moment the
             VRP will expire derived from the chain of X.509 certificates and
             CRLs in seconds since the Epoch, UTC.

     -d cachedir
             The directory where rpki-client will store the cached repository
             data.  Defaults to /var/cache/rpki-client.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It
             must accept the -rt and --address flags and connect with
             rsync-protocol locations.

     -f file ...
             Decode the TAL or validate the Signed Object in file against the
             RPKI cache stored in cachedir and print human-readable
             information about the object.  If file is an rsync:// URI, the
             corresponding file from the cache will be used.  This option
             implies -n, and can be combined with -j to emit a stream of
             Concatenated JSON.

     -H fqdn
             Create a shortlist and add fqdn to the shortlist.  rpki-client
             only connects to shortlisted hosts.  The shortlist filter is
             enforced during processing of the Subject Information Access
             (SIA) extension in CA certificates, thus applies to both RSYNC
             and RRDP connections.  This option can be used multiple times.

     -j      Create output in the file json in the output directory as a JSON
             object.  See -c for a description of the fields.

     -n      Offline mode.  Validate the contents of cachedir and write to
             outputdir without synchronizing via RRDP or RSYNC.

     -o      Create output in the file openbgpd in the output directory as
             bgpd(8) compatible input.  If the -B, -c, and -j options are not
             specified this is the default.

     -R      Synchronize via RSYNC only.

     -r      Synchronize via RRDP.  If RRDP fails, RSYNC will be used.  This
             is the default.  Mutually exclusive with -n.

     -S skiplist
             Do not connect to hosts listed in the skiplist file.  Entries in
             the skiplist are newline separated Fully Qualified Domain Names
             (FQDNs).  A ‘#’ indicates the beginning of a comment; characters
             up to the end of the line are not interpreted.  The skip filter
             is enforced during processing of the Subject Information Access
             (SIA) extension in CA certificates, thus applies to both RSYNC
             and RRDP connections.  By default load entries from
             /etc/rpki/skiplist.

     -s timeout
             Terminate after timeout seconds of runtime, because normal
             practice will restart from cron(8).  Disable by specifying 0.
             Defaults to 1 hour.  Individual RSYNC/RRDP repositories are timed
             out after one fourth of timeout.  All network synchronisation
             tasks are aborted after seven eighths of timeout.

     -T table
             For BIRD output generated with the -B option use table as roa
             table name instead of the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This
             option can be used multiple times to load multiple TALs.  By
             default rpki-client will load all TAL files in /etc/pki/tals.

     -V      Show the version and exit.

     -v      Increase verbosity.  Specify once for synchronisation status,
             twice to print the name of each file as it's processed.  If -f is
             given, specify once to print more information about the
             encapsulated X.509 certificate, twice to print the certificate in
             PEM format.

     outputdir
             The directory where rpki-client will write the output files.
             Defaults to /var/lib/rpki-client.
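     The -H shortlist and -S skiplist options above describe a host filter
     applied to the SIA URIs found in CA certificates.  The following is an
     added example, not rpki-client's own code: it parses a skiplist in the
     documented format (one FQDN per line, ‘#’ starting a comment) and applies
     the documented decision to a URI.  The sample skiplist is constructed,
     and the FQDN normalisation (lower-casing, stripping a trailing dot) is an
     assumption of this example rather than documented behaviour.

```python
"""Model of the -H shortlist / -S skiplist host filter (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample skiplist in the documented format: newline-separated
# FQDNs, '#' begins a comment that runs to the end of the line.
SAMPLE_SKIPLIST = """\
# repositories this validator must never contact
rsync.skipped.example      # inline comment after an entry
Rrdp.Skipped.Example.

"""


def normalise_fqdn(name: str) -> str:
    """Assumption of this example: compare FQDNs case-insensitively and
    ignore a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_skiplist(text: str) -> frozenset[str]:
    """Parse skiplist file contents: newline-separated FQDNs, '#' comments."""
    hosts: set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0]          # drop the comment, if any
        if entry.strip():
            hosts.add(normalise_fqdn(entry))
    return frozenset(hosts)


def sia_host(uri: str) -> str | None:
    """Host component of an SIA URI (rsync:// or https://), normalised."""
    host = urlsplit(uri).hostname
    return normalise_fqdn(host) if host else None


def connection_allowed(uri: str, skiplist: frozenset[str],
                       shortlist: frozenset[str] = frozenset()) -> bool:
    """Apply the documented filters to one SIA URI.

    A non-empty shortlist (-H) restricts connections to exactly those hosts;
    the skiplist (-S) then removes hosts that must not be contacted.  A URI
    without a host component is never contacted.
    """
    host = sia_host(uri)
    if host is None:
        return False
    if shortlist and host not in shortlist:
        return False
    return host not in skiplist


if __name__ == "__main__":
    skip = parse_skiplist(SAMPLE_SKIPLIST)
    for uri in ("rsync://rsync.skipped.example/repo/",
                "https://rrdp.skipped.example/notification.xml",
                "https://rrdp.ok.example/notification.xml"):
        print(uri, "->", "connect" if connection_allowed(uri, skip) else "skip")
```

     Because both filters are evaluated on the SIA host, a repository that
     publishes both an rsync and an RRDP location on the same host is excluded
     from both fetch methods by one skiplist entry.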

     By default rpki-client produces a list of unique VRPs; the -j, -o, -B and
     -c options select JSON, OpenBGPD, BIRD and CSV compatible output,
     respectively.

     rpki-client should be run hourly by cron(8): use crontab(1) to uncomment
     the entry in root's crontab.
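     The csv output described under -c is what a router or monitoring job
     consumes to decide whether a BGP route has a valid origin.  The following
     is an added example, not rpki-client's own code: it parses the five
     documented fields, drops VRPs whose expiry has passed, and classifies a
     (prefix, origin AS) pair as valid, invalid or notfound following RFC 6811
     origin validation.  The sample CSV is constructed; its header line and the
     "AS" prefix on the ASN field are assumptions of this example.

```python
"""Parse rpki-client -c CSV output and run RFC 6811 origin validation."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample in the documented five-field layout: ASN, prefix in
# slash notation, maximum prefix length, Trust Anchor abbreviation, expiry
# in seconds since the Epoch (UTC).  Header line and "AS" prefix assumed.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64496,192.0.2.0/24,24,example-ta,1700000000
AS64496,2001:db8::/32,48,example-ta,1700000000
AS64497,198.51.100.0/22,24,example-ta,1600000000
"""


@dataclass(frozen=True)
class VRP:
    asn: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    ta: str
    expires: int          # seconds since the Epoch, UTC


def parse_asn(field: str) -> int:
    """Accept 'AS64496' or a bare number; reject anything else."""
    digits = field[2:] if field.upper().startswith("AS") else field
    if not digits.isdigit():
        raise ValueError(f"bad ASN field: {field!r}")
    asn = int(digits)
    if asn > 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {field!r}")
    return asn


def parse_vrp_csv(text: str) -> list[VRP]:
    """Parse -c output; a leading header line is skipped, bad lines raise."""
    vrps: list[VRP] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        if lineno == 1 and fields[0].upper() == "ASN":
            continue                                  # header line
        asn_s, prefix_s, maxlen_s, ta, expires_s = fields
        prefix = ipaddress.ip_network(prefix_s, strict=True)
        maxlen = int(maxlen_s)
        # maxlen must lie between the prefix length and the address size
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"line {lineno}: max length {maxlen} invalid for {prefix}")
        vrps.append(VRP(parse_asn(asn_s), prefix, maxlen, ta, int(expires_s)))
    return vrps


def origin_validation(vrps: list[VRP], route: str, origin_as: int, now: int) -> str:
    """RFC 6811 state of (route, origin_as): 'valid', 'invalid' or 'notfound'.

    VRPs whose expiry is at or before `now` are ignored, so a stale csv file
    degrades routes to 'notfound' instead of keeping them 'valid'.
    """
    prefix = ipaddress.ip_network(route, strict=True)
    covering = [v for v in vrps
                if v.expires > now
                and v.prefix.version == prefix.version
                and prefix.subnet_of(v.prefix)]
    if not covering:
        return "notfound"
    if any(v.asn == origin_as and prefix.prefixlen <= v.maxlen for v in covering):
        return "valid"
    return "invalid"


if __name__ == "__main__":
    vrps = parse_vrp_csv(SAMPLE_CSV)
    now = 1650000000
    for route, asn in (("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("192.0.2.0/24", 64500), ("198.51.100.0/24", 64497)):
        print(f"{route} AS{asn}: {origin_validation(vrps, route, asn, now)}")
```

     The maximum-length check is what turns a more-specific hijack of a
     covered prefix into an 'invalid' rather than a 'valid' result, and the
     expiry check keeps a validator that has stopped refreshing its cache from
     vouching for stale payloads.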

ENVIRONMENT
     rpki-client utilizes the following environment variables:

     http_proxy  URL of HTTP proxy to use.

FILES
     /etc/pki/tals/*.tal            default TAL files used unless -t tal is
                                    specified.
     /etc/pki/tals/skiplist         default skiplist file, unless -S skiplist
                                    is specified.
     /var/cache/rpki-client         cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

EXIT STATUS
     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO
     rsync(1), bgpd.conf(5)

STANDARDS
     The following standards are used or referenced in rpki-client:

     RFC 3370
          Cryptographic Message Syntax (CMS) Algorithms.

     RFC 3779
          X.509 Extensions for IP Addresses and AS Identifiers.

     RFC 4291
          IP Version 6 Addressing Architecture.

     RFC 4631
          Classless Inter-domain Routing (CIDR): The Internet Address
          Assignment and Aggregation Plan.

     RFC 5280
          Internet X.509 Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile.

     RFC 5652
          Cryptographic Message Syntax (CMS).

     RFC 5781
          The rsync URI Scheme.

     RFC 5952
          A Recommendation for IPv6 Address Text Representation.

     RFC 6480
          An Infrastructure to Support Secure Internet Routing.

     RFC 6482, draft-ietf-sidrops-rfc6482bis-01
          A Profile for Route Origin Authorizations (ROAs).

     RFC 6485
          The Profile for Algorithms and Key Sizes for Use in the Resource
          Public Key Infrastructure (RPKI).

     RFC 6486
          Manifests for the Resource Public Key Infrastructure (RPKI).

     RFC 6487
          A Profile for X.509 PKIX Resource Certificates.

     RFC 6488
          Signed Object Template for the Resource Public Key Infrastructure
          (RPKI).

     RFC 6493
          The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.

     RFC 7318
          Policy Qualifiers in Resource Public Key Infrastructure (RPKI)
          Certificates.

     RFC 8182
          The RPKI Repository Delta Protocol (RRDP).

     RFC 8209
          A Profile for BGPsec Router Certificates, Certificate Revocation
          Lists, and Certification Requests.

     RFC 8630
          Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

     RFC 9092
          Finding and Using Geofeed Data.

     RFC 9323
          A Profile for RPKI Signed Checklists (RSCs).

     draft-ietf-sidrops-aspa-profile-10
          A Profile for Autonomous System Provider Authorization (ASPA).

     draft-ietf-sidrops-signed-tal-12
          RPKI Signed Object for Trust Anchor Key.

HISTORY
     rpki-client first appeared in OpenBSD 6.7.

AUTHORS
     The rpki-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.

BSD                            November 26, 2022                           BSD