GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
RPKI-CLIENT(8) FreeBSD System Manager's Manual RPKI-CLIENT(8)

rpki-client
RPKI validator to support BGP Origin Validation

rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog] [-s timeout] [-T table] [-t tal] [outputdir]

rpki-client [-Vv] [-d cachedir] [-t tal] -f file ...

The rpki-client utility queries the RPKI repository system with a built-in HTTP client and rsync(1) to fetch all X.509 certificates, manifests, and revocation lists under a given Trust Anchor. rpki-client subsequently validates each Signed Object by constructing and verifying a certification path for the certificate associated with the Object (including checking relevant CRLs). rpki-client produces lists of the Validated ROA Payloads (VRPs) and BGPsec Router Keys (BRKs) in various formats.

The options are as follows:

Create output in the files bird1v4, bird1v6, and bird (for bird2) in the output directory which is suitable for the BIRD internet routing daemon.
sourceaddr
Tell the HTTP and rsync clients to use sourceaddr as the source address for connections, which is useful on machines with multiple interfaces.
Create output in the file csv in the output directory as comma-separated values of the Autonomous System, the prefix in slash notation, the maximum prefix length, an abbreviation for the Trust Anchor the entry is derived from, and the moment the VRP will expire derived from the chain of X.509 certificates and CRLs in seconds since the Epoch, UTC.
cachedir
The directory where rpki-client will store the cached repository data. Defaults to /var/cache/rpki-client.
rsync_prog
Use rsync_prog instead of rsync(1) to fetch repositories. It must accept the -rt and --address flags and connect with rsync-protocol locations.
file ...
Validate the Signed Object in file against the RPKI cache stored in cachedir and print human-readable information about the object. If file is an rsync:// URI the corresponding file from the cache will be used. This option implies -n.
Create output in the file json in the output directory as JSON object. See -c for a description of the fields.
Offline mode. Validate the contents of cachedir and write to outputdir without synchronizing via RRDP or RSYNC.
Create output in the file openbgpd in the output directory as bgpd(8) compatible input. If the -B, -c, and -j options are not specified this is the default.
Synchronize via RSYNC only.
Synchronize via RRDP. If RRDP fails, RSYNC will be used. This is the default. Mutually exclusive with -n.
timeout
Terminate after timeout seconds of runtime, because normal practice will restart from cron(8). Disable by specifying 0. Defaults to 1 hour. Individual Publication Points are timed out after one fourth of timeout.
table
For BIRD output generated with the -B option use table as roa table name instead of the default 'ROAS'.
tal
Specify a Trust Anchor Location (TAL) file to be used. This option can be used multiple times to load multiple TALs. By default rpki-client will load all TAL files in /usr/local/etc/rpki.
Show the version and exit.
Specified once, prints information about status. Twice, prints each filename as it's processed.
outputdir
The directory where rpki-client will write the output files. Defaults to /var/db/rpki-client.

By default rpki-client produces a list of unique VRPs in -joBc JSON, OpenBGPD, BIRD and CSV compatible output.

rpki-client should be run hourly by cron(8): use crontab(1) to uncomment the entry in root's crontab.

rpki-client utilizes the following environment variables:
URL of HTTP proxy to use.

/usr/local/etc/rpki/*.tal
default TAL files used unless -t tal is specified.
/var/cache/rpki-client
cached repository data.
/var/db/rpki-client/openbgpd
default roa-set output file.

The rpki-client utility exits 0 on success, and >0 if an error occurs.

rsync(1), bgpd.conf(5)

The following standards are used or referenced in rpki-client:
RFC 3370
Cryptographic Message Syntax (CMS) Algorithms.
RFC 3779
X.509 Extensions for IP Addresses and AS Identifiers.
RFC 4291
IP Version 6 Addressing Architecture.
RFC 4631
Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan.
RFC 5280
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
RFC 5652
Cryptographic Message Syntax (CMS).
RFC 5781
The rsync URI Scheme.
RFC 5952
A Recommendation for IPv6 Address Text Representation.
RFC 6480
An Infrastructure to Support Secure Internet Routing.
RFC 6482
A Profile for Route Origin Authorizations (ROAs).
RFC 6485
The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
RFC 6486
Manifests for the Resource Public Key Infrastructure (RPKI).
RFC 6487
A Profile for X.509 PKIX Resource Certificates.
RFC 6488
Signed Object Template for the Resource Public Key Infrastructure (RPKI).
RFC 6493
The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.
RFC 8182
The RPKI Repository Delta Protocol (RRDP).
RFC 8209
A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests.
RFC 8630
Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.

rpki-client first appeared in OpenBSD 6.7.

The rpki-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.
January 26, 2022 FreeBSD 13.1-RELEASE
Search for    or go to Top of page |  Section 8 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.