Provided by: rpki-client_9.0-1build3_amd64 bug

NAME

     rpki-client — RPKI validator to support BGP routing security

SYNOPSIS

     rpki-client [-ABcjmnoRrVvx] [-b sourceaddr] [-d cachedir] [-e rsync_prog] [-H fqdn]
                 [-S skiplist] [-s timeout] [-T table] [-t tal] [outputdir]
     rpki-client [-Vv] [-d cachedir] [-j] [-t tal] -f file ...

DESCRIPTION

     The rpki-client utility queries the RPKI repository system with a built-in HTTPS client and
     rsync(1) to fetch all X.509 certificates, manifests, and revocation lists under a given
     Trust Anchor.  rpki-client subsequently validates each Signed Object by constructing and
     verifying a certification path for the certificate associated with the Object (including
     checking relevant CRLs).  rpki-client produces lists of the Validated ROA Payloads (VRPs),
     BGPsec Router Keys (BRKs), and Validated ASPA Payloads (VAPs) in various formats.

     The options are as follows:

     -A      Exclude the ASPA-set from the output files that support it (JSON and OpenBGPD).

     -B      Create output in the files bird1v4, bird1v6, and bird (for bird2) in the output
             directory which is suitable for the BIRD internet routing daemon.

     -b sourceaddr
             Tell the HTTP and rsync clients to use sourceaddr as the source address for
             connections, which is useful on machines with multiple interfaces.

     -c      Create output in the file csv in the output directory as comma-separated values of
             the Autonomous System, the prefix in slash notation, the maximum prefix length, an
             abbreviation for the Trust Anchor the entry is derived from, and the moment the VRP
             will expire derived from the chain of X.509 certificates and CRLs in seconds since
             the Epoch, UTC.

     -d cachedir
             The directory where rpki-client will store the cached repository data.  Defaults to
             /var/lib/rpki-client/cache.

     -e rsync_prog
             Use rsync_prog instead of rsync(1) to fetch repositories.  It must accept the -rt
             and --address flags and connect with rsync-protocol locations.

     -f file ...
             Decode the TAL or validate the Signed Object in file against the RPKI cache stored
             in cachedir and print human-readable information about the object.  If file is an
             rsync:// URI, the corresponding file from the cache will be used.  This option
             implies -n, and can be combined with -j to emit a stream of Concatenated JSON.

     -H fqdn
             Create a shortlist and add fqdn to the shortlist.  rpki-client only connects to
             shortlisted hosts.  The shortlist filter is enforced during processing of the
             Subject Information Access (SIA) extension in CA certificates, thus applies to both
             RSYNC and RRDP connections.  This option can be used multiple times.

     -j      Create output in the file json in the output directory as JSON object.  See -c for a
             description of the fields.

     -m      Create output in the file metrics in the output directory in OpenMetrics format.

     -n      Offline mode.  Validate the contents of cachedir and write to outputdir without
             synchronizing via RRDP or RSYNC.

     -o      Create output in the file openbgpd in the output directory as bgpd(8) compatible
             input.  If the -B, -c, and -j options are not specified this is the default.

     -P posix-seconds
             Specify the time for the evaluation in posix-seconds seconds from the unix epoch.
             This overrides the default of using the current system time.

     -R      Synchronize via RSYNC only.

     -r      Synchronize via RRDP.  If RRDP fails, RSYNC will be used.  This is the default.
             Mutually exclusive with -n.

     -S skiplist
             Do not connect to hosts listed in the skiplist file.  Entries in the skiplist are
             newline separated Fully Qualified Domain Names (FQDNs).  A ‘#’ indicates the
             beginning of a comment; characters up to the end of the line are not interpreted.
             The skip filter is enforced during processing of the Subject Information Access
             (SIA) extension in CA certificates, thus applies to both RSYNC and RRDP connections.
             By default load entries from /etc/tals/skiplist.

     -s timeout
             Terminate after timeout seconds of runtime, because normal practice will restart
             from the systemd.timer(5) unit rpki.timer.  Disable by specifying 0.  Defaults to 1
             hour.  Individual RSYNC/RRDP repositories are timed out after one fourth of timeout.
             All network synchronisation tasks are aborted after seven eights of timeout.

     -T table
             For BIRD output generated with the -B option use table as roa table name instead of
             the default 'ROAS'.

     -t tal  Specify a Trust Anchor Location (TAL) file to be used.  This option can be used
             multiple times to load multiple TALs.  By default rpki-client will load all TAL
             files in /etc/tals.  TAL are small files containing a public key and URL endpoint
             address.

     -V      Show the version and exit.

     -v      Increase verbosity.  Specify once for synchronisation status, twice to print the
             name of each file as it's processed.  If -f is given, specify once to print more
             information about the encapsulated X.509 certificate, twice to print the certificate
             in PEM format.

     -x      Enable processing of experimental file formats.  This option is implied by -f.

     outputdir
             The directory where rpki-client will write the output files.  Defaults to
             /var/lib/rpki-client.

     By default rpki-client outputs validated payloads in -joBcm (JSON, OpenBGPD, BIRD, CSV and
     OpenMetric) formats.

     rpki-client by default is run every 15 minutes by the systemd.timer(5) unit rpki.timer.

TRUST ANCHOR CONSTRAINTS

     rpki-client can impose locally configured constraints on cryptographic products subordinate
     to publicly-trusted Trust Anchors.

     Constraining a Trust Anchor's effective signing authority to a limited set of Internet
     Number Resources allows Relying Parties to take advantage of the potential benefits of
     assuming trust, while deriving trust within a bounded scope.

     Each .constraints file imposes constraints on the Trust Anchor reachable via the same-named
     .tal file.  One entry per line.  Entries can be IP prefixes, IP address ranges, AS
     identifiers, or AS identifier ranges.  Ranges are a minimum and maximum separated by a
     hyphen (‘-’).  Comments can be put anywhere in the file using a hash mark (‘#’), and extend
     to the end of the current line.  deny entries may not overlap with other deny entries.
     allow entries may not overlap with other allow entries.

     A given EE certificate's resources may not overlap with any deny entry, and must be fully
     contained within the allow entries.

ENVIRONMENT

     rpki-client utilizes the following environment variables:

     http_proxy  URL of HTTP proxy to use.

FILES

     /etc/tals/*.tal                default TAL files used unless -t tal is specified.
     /etc/tals/*.constraints        files containing registry-specific constraints to restrict
                                    what IP addresses and AS identifiers may or may not appear in
                                    EE certificates subordinate to the same-named Trust Anchor.
     /etc/tals/skiplist             default skiplist file, unless -S skiplist is specified.
     /var/lib/rpki-client/cache     cached repository data.
     /var/lib/rpki-client/openbgpd  default roa-set output file.

     All the top-level TAL are included, except the ARIN TAL which is not made available with
     terms compatible with open source.  That public key is treated as a proprietary object in a
     lengthy legal agreement regarding ARIN service restrictions.

EXIT STATUS

     The rpki-client utility exits 0 on success, and >0 if an error occurs.

SEE ALSO

     rsync(1), bgpd.conf(5)

STANDARDS

     X.509 Extensions for IP Addresses and AS Identifiers, RFC 3779.

     Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
     Profile, RFC 5280.

     Cryptographic Message Syntax (CMS), RFC 5652.

     The rsync URI Scheme, RFC 5781.

     An Infrastructure to Support Secure Internet Routing, RFC 6480.

     A Profile for Resource Certificate Repository Structure, RFC 6481.

     The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure
     (RPKI), RFC 6485.

     A Profile for X.509 PKIX Resource Certificates, RFC 6487.

     Signed Object Template for the Resource Public Key Infrastructure (RPKI), RFC 6488.

     The Resource Public Key Infrastructure (RPKI) Ghostbusters Record, RFC 6493.

     Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates, RFC 7318.

     The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure,
     RFC 7935.

     The RPKI Repository Delta Protocol (RRDP), RFC 8182.

     A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification
     Requests, RFC 8209.

     Resource Public Key Infrastructure (RPKI) Trust Anchor Locator, RFC 8630.

     Finding and Using Geofeed Data, RFC 9092.

     Manifests for the Resource Public Key Infrastructure (RPKI), RFC 9286.

     RPKI Signed Object for Trust Anchor Key, https://datatracker.ietf.org/doc/html/draft-ietf-
     sidrops-signed-tal, Oct, 2022.

     A Profile for RPKI Signed Checklists (RSCs), RFC 9323.

     A Profile for Route Origin Authorizations (ROAs),
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rfc6482bis, Nov, 2022.

     A Profile for Autonomous System Provider Authorization (ASPA),
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile, Jun, 2023.

     On the use of the CMS signing-time attribute in RPKI Signed Objects,
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-cms-signing-time, Jan, 2024.

     Constraining RPKI Trust Anchors, https://datatracker.ietf.org/doc/html/draft-snijders-
     constraining-rpki-trust-anchors, September, 2023.

     Detecting RRDP Session Desynchronization, https://datatracker.ietf.org/doc/html/draft-
     spaghetti-sidrops-rrdp-desynchronization-00, Jan, 2024.

     A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI),
     https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist-02, Jan, 2024.

HISTORY

     rpki-client first appeared in OpenBSD 6.7.

AUTHORS

     Kristaps Dzonsons <kristaps@bsd.lv>, Claudio Jeker <claudio@openbsd.org>, Theo Buehler
     <tb@openbsd.org>, and Job Snijders <job@openbsd.org>.