NAME
rpki-client — RPKI validator to support BGP Origin Validation
SYNOPSIS
rpki-client [-Bcjnov] [-b sourceaddr] [-d cachedir] [-e rsync_prog] [-s timeout] [-T table] [-t tal] [outputdir]
DESCRIPTION
The rpki-client utility queries the RPKI repository system with rsync(1) to fetch all X.509 certificates, manifests, and revocation lists under a given Trust Anchor. rpki-client subsequently validates each Route Origin Authorization (ROA) by constructing and verifying a certification path for the certificate associated with the ROA (including checking relevant CRLs). rpki-client produces lists of the Validated ROA Payloads (VRPs) in various formats.
The options are as follows:

-B
- Create output in the file bird in the output directory, which is suitable for the BIRD internet routing daemon.

-b sourceaddr
- Tell the rsync client to use sourceaddr as the source address for connections, which is useful on machines with multiple interfaces.

-c
- Create output in the file csv in the output directory as comma-separated values of the prefix in slash notation, the maximum prefix length, the autonomous system number, and an abbreviation for the trust anchor the entry is derived from.

-d cachedir
- The directory where rpki-client will store the cached repository data. Defaults to /var/cache/rpki-client.

-e rsync_prog
- Use rsync_prog instead of rsync(1) to fetch repositories. It must accept the -rt and --address flags and connect with rsync-protocol locations.

-j
- Create output in the file json in the output directory as a JSON object. This format is identical to that produced by the RIPE NCC RPKI Validator and NLnet Labs routinator.

-n
- Assume that all requested repositories exist: don't update.

-o
- Create output in the file openbgpd in the output directory as bgpd(8) compatible input. If the -B, -c, and -j options are not specified this is the default.

-T table
- For BIRD output generated with the -B option, use table as the roa table name instead of the default 'ROAS'.

-s timeout
- Terminate after timeout seconds of runtime, because normal practice will restart from cron(8). Disable by specifying 0. Defaults to 1 hour.

-t tal
- Specify a Trust Anchor Location (TAL) file to be used. This option can be used multiple times to load multiple TALs. By default rpki-client will load all TAL files in /etc/tals.

-v
- Specified once, prints information about status. Twice, prints each filename as it's processed.

outputdir
- The directory where rpki-client will write the output files. Defaults to /var/lib/rpki-client.
By default rpki-client produces a list of unique roa-set statements in -o (OpenBGPD compatible) output. rpki-client should be run hourly by cron(8): use crontab(1) to uncomment the entry in root's crontab.
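The VRP lists rpki-client emits are only useful once a router (or a script auditing one) applies them to announced routes. The following added example, which is not code from rpki-client or OpenBSD, reads VRPs in the column order this page gives for -c (prefix, maximum prefix length, autonomous system number, trust anchor abbreviation) and computes the RFC 6811 origin validation state ("valid", "invalid", "notfound") for a set of announcements. The VRP lines and the announcements are constructed from documentation address space, not real rpki-client output; the header-line tolerance in the parser is an assumption, since this page does not describe one.

```python
"""Route Origin Validation (ROV) over VRPs in rpki-client -c (csv) format.

Added example, not code from rpki-client or OpenBSD. It assumes the csv
column order given on this page for -c: prefix, maximum prefix length,
autonomous system number, trust anchor abbreviation. The VRP lines below
are constructed from documentation address space, not real output.
"""
import csv
import ipaddress
from dataclasses import dataclass
from io import StringIO
from typing import Union

# Constructed sample in the -c column order (prefix, maxlen, ASN, TA).
SAMPLE_CSV = """\
192.0.2.0/24,24,64496,ta1
198.51.100.0/22,24,64497,ta1
2001:db8::/32,48,64496,ta2
"""


@dataclass(frozen=True)
class VRP:
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    maxlen: int
    asn: int
    ta: str


def parse_vrps(text):
    """Parse csv text into VRP records, rejecting malformed entries."""
    vrps = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) < 4:
            raise ValueError(f"short row: {row!r}")
        prefix_s, maxlen_s, asn_s, ta = (f.strip() for f in row[:4])
        if not maxlen_s.isdigit():
            continue  # assumption: tolerate a header line (not described on this page)
        net = ipaddress.ip_network(prefix_s, strict=True)
        maxlen = int(maxlen_s)
        # A maxLength shorter than the prefix, or longer than the address
        # family allows, cannot be applied consistently: reject the entry.
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {maxlen} for {net}")
        # Accept both "64496" and "AS64496" spellings of the origin AS.
        asn = int(asn_s[2:] if asn_s.upper().startswith("AS") else asn_s)
        vrps.append(VRP(net, maxlen, asn, ta))
    return vrps


def covering_vrps(vrps, route):
    """VRPs of the same address family whose prefix contains the route."""
    return [
        v for v in vrps
        if v.prefix.version == route.version
        and v.prefix.prefixlen <= route.prefixlen
        and route.subnet_of(v.prefix)
    ]


def validate(vrps, prefix, origin_asn):
    """RFC 6811 validation state for one announcement.

    valid    - a covering VRP names origin_asn and the route is no longer
               than that VRP's maxLength
    invalid  - covering VRPs exist but none matches (includes AS0 VRPs)
    notfound - no VRP covers the route
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_vrps(vrps, route)
    if not covering:
        return "notfound"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.maxlen:
            return "valid"
    return "invalid"


def validate_all(vrps, announcements):
    """Map (prefix, origin AS) announcements to their validation state."""
    return {(p, a): validate(vrps, p, a) for p, a in announcements}


if __name__ == "__main__":
    vrps = parse_vrps(SAMPLE_CSV)
    checks = [
        ("192.0.2.0/24", 64496),      # exact match               -> valid
        ("192.0.2.0/25", 64496),      # more specific than maxlen -> invalid
        ("198.51.100.0/24", 64497),   # within maxLength 24       -> valid
        ("198.51.100.0/24", 64496),   # wrong origin AS           -> invalid
        ("203.0.113.0/24", 64496),    # no covering VRP           -> notfound
        ("2001:db8:1::/48", 64496),   # IPv6 within maxLength     -> valid
    ]
    for (p, a), state in validate_all(vrps, checks).items():
        print(f"{p:<20} AS{a:<6} {state}")
```

The "invalid" case deserves attention when wiring this into a policy: a route is invalid only when some VRP covers it and none matches, so a more-specific announcement beyond the maxLength of an otherwise matching VRP is invalid, not merely unknown. That is the distinction a BGP policy built on -o or -B output relies on.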
FILES
/etc/tals/*.tal
- default TAL files used unless -t tal is specified.
/var/cache/rpki-client
- cached repository data.
/var/lib/rpki-client/openbgpd
- default roa-set output file.
EXIT STATUS
The rpki-client utility exits 0 on success, and >0 if an error occurs.
STANDARDS
The following standards are used or referenced in rpki-client:
- RFC 3370, Cryptographic Message Syntax (CMS) Algorithms.
- RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers.
- RFC 4291, IP Version 6 Addressing Architecture.
- RFC 4631, Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan.
- RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
- RFC 5652, Cryptographic Message Syntax (CMS).
- RFC 5781, The rsync URI Scheme.
- RFC 5952, A Recommendation for IPv6 Address Text Representation.
- RFC 6480, An Infrastructure to Support Secure Internet Routing.
- RFC 6482, A Profile for Route Origin Authorizations (ROAs).
- RFC 6485, The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
- RFC 6486, Manifests for the Resource Public Key Infrastructure (RPKI).
- RFC 6487, A Profile for X.509 PKIX Resource Certificates.
- RFC 6488, Signed Object Template for the Resource Public Key Infrastructure (RPKI).
- RFC 7730, Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
AUTHORS
The rpki-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.