rpki-client — RPKI validator to support BGP routing security

       Kristaps  Dzonsons <kristaps@bsd.lv>, Claudio Jeker <claudio@openbsd.org>, Theo Buehler <tb@openbsd.org>,
       and Job Snijders <job@openbsd.org>.

Debian                                          January 17, 2025                                  RPKI-CLIENT(8)

       The rpki-client utility queries the ResourcePublicKeyInfrastructure (RPKI) repository  system  with  a
       built-in HTTPS client and rsync(1) to fetch all X.509 certificates, manifests, and revocation lists under
       a  given  TrustAnchor.   rpki-client  subsequently  validates  each  SignedObject by constructing and
       verifying a certification path for  the  certificate  associated  with  the  Object  (including  checking
       relevant  CRLs).   rpki-client  produces  lists  of the ValidatedROAPayloads (VRPs), BGPsecRouterKeys
       (BRKs), and ValidatedASPAPayloads (VAPs) in various formats.

       The options are as follows:

       -0      Include hazardous AS0 TALs in the output files.  AS0  TALs  are  not  recommended  for  automatic
               filtering of BGP routes.  The default is not to include them.

       -A      Exclude the ASPA-set from the output files that support it (BIRD, JSON, and OpenBGPD).

       -B      Create  output in the file bird in the output directory suitable for BIRD internet routing daemon
               version 2.16 and up.  For compatibility with earlier versions, use  -A.   The  validated  payload
               table names are ROAS4, ROAS6, and ASPAS.

       -bsourceaddr
               Tell the HTTP and rsync clients to use sourceaddr as the source address for connections, which is
               useful on machines with multiple interfaces.

       -c      Create output in the file csv in the output directory as comma-separated values of the AutonomousSystem,  the  prefix  in slash notation, the maximum prefix length, an abbreviation for the TrustAnchor the entry is derived from, and the moment the VRP will expire derived from  the  chain  of
               X.509 certificates and CRLs in seconds since the Epoch, UTC.

       -dcachedir
               The   directory   where   rpki-client  will  store  the  cached  repository  data.   Defaults  to
               /var/lib/rpki-client/cache.

       -ersync_prog
               Use rsync_prog instead of rsync(1) to fetch repositories.  It must accept the -rt  and  --address
               flags and connect with rsync-protocol locations.

       -ffile...
               Decode  the  TAL  or validate the SignedObject in file against the RPKI cache stored in cachedir
               and print human-readable information  about  the  object.   If  file  is  an  rsync://  URI,  the
               corresponding file from the cache will be used.  This option implies -n, and can be combined with
               -j to emit a stream of ConcatenatedJSON.

       -Hfqdn
               Create  a  shortlist  and  add  fqdn  to the shortlist.  rpki-client only connects to shortlisted
               hosts.  The shortlist filter is enforced during processing  of  the  SubjectInformationAccess
               (SIA) extension in CA certificates, thus applies to both RSYNC and RRDP connections.  This option
               can be used multiple times.

       -j      Create  output in the file json in the output directory as JSON object.  See -c for a description
               of the fields.

       -m      Create output in the file metrics in the output directory in OpenMetrics format.

       -n      Offline mode.  Validate the contents of cachedir and write to outputdir without synchronizing via
               RRDP or RSYNC.

       -o      Create output in the file openbgpd in the output directory as bgpd(8) compatible input.   If  the
               -B, -c, and -j options are not specified this is the default.

       -Pposix-seconds
               Specify the time for the evaluation in posix-seconds seconds from the unix epoch.  This overrides
               the default of using the current system time.

       -R      Disable RRDP, synchronize only via RSYNC.

       -Sskiplist
               Do  not  connect  to  hosts  listed  in  the  skiplist file.  Entries in the skiplist are newline
               separated FullyQualifiedDomainNames (FQDNs).  A ‘#’ indicates  the  beginning  of  a  comment;
               characters  up  to  the  end of the line are not interpreted.  The skip filter is enforced during
               processing of the SubjectInformationAccess (SIA) extension in CA certificates, thus applies  to
               both RSYNC and RRDP connections.  By default load entries from /etc/tals/skiplist.

       -stimeout
               Terminate  after  timeout  seconds  of  runtime,  because  normal  practice will restart from the
               systemd.timer(5) unit rpki.timer.  Disable by specifying 0.   Defaults  to  1  hour.   Individual
               RSYNC/RRDP  repositories  are timed out after one fourth of timeout.  All network synchronisation
               tasks are aborted after seven eights of timeout.

       -ttal  Specify a TrustAnchorLocation (TAL) file to be used.  This option can be used multiple times to
               load multiple TALs.  By default rpki-client will load all TAL files in /etc/tals.  TAL are  small
               files containing a public key and URL endpoint address.

       -V      Show the version and exit.

       -v      Increase  verbosity.   Specify  once  for synchronisation status, twice to print the name of each
               file as it's processed.  If -f is given,  specify  once  to  print  more  information  about  the
               encapsulated X.509 certificate, twice to print the certificate in PEM format.

       -x      Enable processing of experimental file formats.  This option is implied by -f.

       outputdir
               The directory where rpki-client will write the output files.  Defaults to /var/lib/rpki-client.

       By  default  rpki-client  outputs validated payloads in -joBcm (JSON, OpenBGPD, BIRD, CSV and OpenMetric)
       formats.

       rpki-client by default is run every 15 minutes by the systemd.timer(5) unit rpki.timer.

rpki-client utilizes the following environment variables:

       http_proxy  URL of HTTP proxy to use.

       The rpki-client utility exits 0 on success, and >0 if an error occurs.

/etc/tals/*.tal                default TAL files used unless -ttal is specified.  The TAL files  of  the
                                      five Regional Internet Registries are included.
       /etc/tals/*.constraints        files   containing  registry-specific  constraints  to  restrict  what  IP
                                      addresses and AS identifiers may or may  not  appear  in  EE  certificates
                                      subordinate to the same-named Trust Anchor.
       /etc/tals/skiplist             default skiplist file, unless -Sskiplist is specified.
       /var/lib/rpki-client/cache     cached repository data.
       /var/lib/rpki-client/openbgpd  default roa-set output file.

rpki-client first appeared in OpenBSD 6.7.

       rpki-client — RPKI validator to support BGP routing security

rsync(1), bgpd.conf(5)

X.509ExtensionsforIPAddressesandASIdentifiers, RFC 3779.

       InternetX.509PublicKeyInfrastructureCertificateandCRLProfile, RFC 5280.

       CryptographicMessageSyntax(CMS), RFC 5652.

       ThersyncURIScheme, RFC 5781.

       AnInfrastructuretoSupportSecureInternetRouting, RFC 6480.

       AProfileforResourceCertificateRepositoryStructure, RFC 6481.

       AProfileforX.509PKIXResourceCertificates, RFC 6487.

       SignedObjectTemplatefortheRPKI, RFC 6488.

       TheRPKIGhostbustersRecord, RFC 6493.

       PolicyQualifiersinRPKICertificates, RFC 7318.

       TheProfileforAlgorithmsandKeySizesforUseintheRPKI, RFC 7935.

       TheRPKIRepositoryDeltaProtocol(RRDP), RFC 8182.

       AProfileforBGPsecRouterCertificates,CertificateRevocationLists,andCertificationRequests, RFC
       8209.

       RPKITrustAnchorLocator, RFC 8630.

       ManifestsfortheRPKI, RFC 9286.

       AProfileforRPKISignedChecklists(RSCs), RFC 9323.

       AProfileforRouteOriginAuthorizations(ROAs), RFC 9582.

       OntheuseoftheCMSSigning-TimeAttributeinRPKISignedObjects, RFC 9589.

       FindingandUsingGeofeedData, RFC 9632.

       Same-OriginPolicyfortheRRDP, RFC 9674.

       AProfileforRPKITrustAnchorKeys, RFC 9691.

       DetectingRRDPSessionDesynchronization, RFC 9697.

       AProfileforAutonomousSystemProviderAuthorization(ASPA),
       https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile, Jun, 2023.

       ConstrainingRPKITrustAnchors, https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-
       trust-anchors, September, 2023.

       AprofileforSignedPrefixListsforUseintheRPKI,  https://datatracker.ietf.org/doc/html/draft-ietf-
       sidrops-rpki-prefixlist-02, Jan, 2024.

       RelyingPartyHandlingofRPKICRLNumberExtensions, https://datatracker.ietf.org/doc/html/draft-ietf-
       sidrops-rpki-crl-numbers, May, 2024.

       RPKIManifestNumberHandling, https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers,
       June, 2024.

       TiebreakingRPKITrustAnchors,   https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-ta-
       tiebreaker, June, 2024.

rpki-client  [-0ABcjmnoRVvx]  [-bsourceaddr]  [-dcachedir]  [-ersync_prog]  [-Hfqdn] [-Sskiplist]
                   [-stimeout] [-ttal] [outputdir]
       rpki-client [-Vv] [-dcachedir] [-j] [-ttal] -ffile...

rpki-client can impose locally configured constraints on cryptographic products subordinate to  publicly-
       trusted TrustAnchors.

       Constraining  a  Trust Anchor's effective signing authority to a limited set of InternetNumberResources
       allows Relying Parties to take advantage of the potential benefits  of  assuming  trust,  while  deriving
       trust within a bounded scope.

       Each  .constraints  file  imposes constraints on the Trust Anchor reachable via the same-named .tal file.
       One entry per line.  Entries can be IP prefixes, IP address ranges,  AS  identifiers,  or  AS  identifier
       ranges.   Ranges  are a minimum and maximum separated by a hyphen (‘-’).  Comments can be put anywhere in
       the file using a hash mark (‘#’), and extend to the end of  the  current  line.   deny  entries  may  not
       overlap with other deny entries.  allow entries may not overlap with other allow entries.

       A  given  EE  certificate's  resources  may  not overlap with any deny entry, and must be fully contained
       within the allow entries.