1.\" $OpenBSD: rpki-client.8,v 1.28 2020/06/30 12:52:44 job Exp $ 2.\" 3.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.Dd $Mdocdate: June 30 2020 $ 18.Dt RPKI-CLIENT 8 19.Os 20.Sh NAME 21.Nm rpki-client 22.Nd RPKI validator to support BGP Origin Validation 23.Sh SYNOPSIS 24.Nm 25.Op Fl Bcjnov 26.Op Fl b Ar sourceaddr 27.Op Fl d Ar cachedir 28.Op Fl e Ar rsync_prog 29.Op Fl T Ar table 30.Op Fl t Ar tal 31.Op Ar outputdir 32.Sh DESCRIPTION 33The 34.Nm 35utility queries the RPKI repository system with 36.Xr openrsync 1 37to fetch all X.509 certificates, manifests, and revocation lists under a given 38.Em Trust Anchor . 39.Nm 40subsequently validates each 41.Em Route Origin Authorization Pq ROA 42by constructing and verifying a certification path for the certificate 43associated with the ROA (including checking relevant CRLs). 44.Nm 45produces lists of the 46.Em Validated ROA Payloads Pq VRPs 47in various formats. 48.Pp 49The options are as follows: 50.Bl -tag -width Ds 51.It Fl B 52Create output in the file 53.Pa bird 54in the output directory which is suitable for the BIRD internet routing daemon. 
.It Fl b Ar sourceaddr
Tell the rsync client to use
.Ar sourceaddr
as the source address for connections, which is useful on machines
with multiple interfaces.
.It Fl c
Create output in the file
.Pa csv
in the output directory as comma-separated values of the prefix in slash notation,
the maximum prefix length, the autonomous system number, and an abbreviation
for the trust anchor the entry is derived from.
.It Fl d Ar cachedir
The directory where
.Nm
will store the cached repository data.
Defaults to
.Pa /var/cache/rpki-client .
.It Fl e Ar rsync_prog
Use
.Ar rsync_prog
instead of
.Xr openrsync 1
to fetch repositories.
It must accept the
.Fl rt ,
.Fl -address
and
.Fl -delete
flags and connect with rsync-protocol locations.
.It Fl j
Create output in the file
.Pa json
in the output directory as a JSON object.
This format is identical to that
produced by the RIPE NCC RPKI Validator and NLnet Labs routinator.
.It Fl n
Assume that all requested repositories exist: don't update.
.It Fl o
Create output in the file
.Pa openbgpd
in the output directory as
.Xr bgpd 8
compatible input.
If the
.Fl B ,
.Fl c ,
and
.Fl j
options are not specified, this is the default.
.It Fl T Ar table
For BIRD output generated with the
.Fl B
option, use
.Ar table
as the roa table name instead of the default 'ROAS'.
.It Fl t Ar tal
Specify a
.Em Trust Anchor Location Pq TAL
file to be used.
This option can be used multiple times to load multiple TALs.
By default
.Nm
will load all TAL files in
.Pa /etc/rpki .
.It Fl v
Specified once, prints information about status.
Twice, prints each filename as it's processed.
.It Ar outputdir
The directory where
.Nm
will write the output files.
Defaults to
.Pa /var/db/rpki-client/ .
.El
.Pp
By default
.Nm
produces a list of unique
.Li roa-set
statements in
.Fl o
(OpenBGPD compatible) output.
.Pp
.Nm
should be run hourly by
.Xr cron 8 :
use
.Xr crontab 1
to uncomment the entry in root's crontab.
.\" .Sh ENVIRONMENT
.\" For sections 1, 6, 7, and 8 only.
.Sh FILES
.Bl -tag -width "/var/db/rpki-client/openbgpd" -compact
.It Pa /etc/rpki/*.tal
default TAL files used unless
.Fl t Ar tal
is specified.
.It Pa /var/cache/rpki-client
cached repository data.
.It Pa /var/db/rpki-client/openbgpd
default roa-set output file.
.El
.Sh EXIT STATUS
.Ex -std
.\" For sections 1, 6, and 8 only.
.\" .Sh EXAMPLES
.\" .Sh DIAGNOSTICS
.\" For sections 1, 4, 6, 7, 8, and 9 printf/stderr messages only.
.Sh SEE ALSO
.Xr openrsync 1 ,
.Xr bgpd.conf 5
.Sh STANDARDS
The following standards are used or referenced in
.Nm :
.Bl -tag -width -Ds
.It RFC 3370
Cryptographic Message Syntax (CMS) Algorithms.
.It RFC 3779
X.509 Extensions for IP Addresses and AS Identifiers.
.It RFC 4291
IP Version 6 Addressing Architecture.
.It RFC 4631
Classless Inter-domain Routing (CIDR): The Internet Address Assignment
and Aggregation Plan.
.It RFC 5280
Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile.
.It RFC 5652
Cryptographic Message Syntax (CMS).
.It RFC 5781
The rsync URI Scheme.
.It RFC 5952
A Recommendation for IPv6 Address Text Representation.
.It RFC 6480
An Infrastructure to Support Secure Internet Routing.
.It RFC 6482
A Profile for Route Origin Authorizations (ROAs).
.It RFC 6485
The Profile for Algorithms and Key Sizes for Use in the Resource Public Key
Infrastructure (RPKI).
.It RFC 6486
Manifests for the Resource Public Key Infrastructure (RPKI).
.It RFC 6487
A Profile for X.509 PKIX Resource Certificates.
.It RFC 6488
Signed Object Template for the Resource Public Key Infrastructure
(RPKI).
.It RFC 7730
Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
.El
.\" .Sh HISTORY
.Sh AUTHORS
The
.Nm
utility was written by
.An Kristaps Dzonsons Aq Mt kristaps@bsd.lv .
.\" .Sh CAVEATS
.\" .Sh BUGS
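The VRP lists that the -c option writes exist to be consumed by a router or a checker that compares BGP announcements against them. The following Python program is an added example and is not code from rpki-client or its manual page; it applies the RFC 6811 route origin validation outcomes (valid, invalid, not-found) to a small constructed VRP set. The CSV column order (prefix, maximum length, origin AS, trust anchor abbreviation) is taken from the -c description above and is an assumption about the file layout; a header row or any line that does not parse as a prefix is skipped rather than trusted.

```python
"""Classify BGP route announcements against a VRP set (RFC 6811 rules).

Added example, not part of rpki-client.  The CSV column order below is
assumed from the -c option description (prefix, max length, ASN, trust
anchor); a header row, if present, is skipped.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    asn: int
    ta: str


# Constructed sample VRP lines (not real rpki-client output), in the
# assumed column order; the first line is a header that must be skipped.
SAMPLE_CSV = """\
IP Prefix,Max Length,ASN,Trust Anchor
192.0.2.0/24,24,AS64496,ta-example
198.51.100.0/22,24,AS64497,ta-example
2001:db8::/32,48,64498,ta-example
"""


def parse_asn(text: str) -> int:
    """Accept both 'AS64496' and bare '64496'."""
    text = text.strip()
    if text.upper().startswith("AS"):
        text = text[2:]
    return int(text)


def load_vrps(text: str) -> list[VRP]:
    """Parse CSV text into VRP records, dropping headers and malformed rows."""
    vrps: list[VRP] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue
        try:
            prefix = ipaddress.ip_network(row[0].strip(), strict=True)
            maxlen = int(row[1])
            asn = parse_asn(row[2])
        except ValueError:
            continue  # header row or malformed line
        # A max length shorter than the prefix or longer than the address
        # size is nonsensical; refuse to load it rather than guess.
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            continue
        vrps.append(VRP(prefix, maxlen, asn, row[3].strip()))
    return vrps


def validate(vrps: list[VRP], route: str, origin_as: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for route/origin_as.

    RFC 6811: with no covering VRP the route is not-found; if any covering
    VRP matches both the origin AS and the length bound it is valid;
    otherwise (covered, but no matching VRP) it is invalid.
    """
    net = ipaddress.ip_network(route, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn == origin_as and net.prefixlen <= v.maxlen:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    table = load_vrps(SAMPLE_CSV)
    # Constructed announcements: an exact match, a too-specific leak of the
    # same prefix, a wrong origin, and a prefix no VRP covers.
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("192.0.2.0/24", 64499), ("203.0.113.0/24", 64496)]:
        print(f"{route} AS{asn}: {validate(table, route, asn)}")
```

The length check in validate is what turns a more-specific announcement of a covered prefix into "invalid" even when the origin AS is right, which is the case a router acting on these VRPs would drop or depreference.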