2023-06-27 19:33:20 +02:00
|
|
|
.\" $OpenBSD: rpki-client.8,v 1.97 2023/06/26 18:39:53 job Exp $
|
2023-04-30 03:15:27 +02:00
|
|
|
.\"
|
|
|
|
.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
|
|
|
.\"
|
|
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
|
|
.\" copyright notice and this permission notice appear in all copies.
|
|
|
|
.\"
|
|
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
.\"
|
2023-06-27 19:33:20 +02:00
|
|
|
.Dd $Mdocdate: June 26 2023 $
|
2023-04-30 03:15:27 +02:00
|
|
|
.Dt RPKI-CLIENT 8
|
|
|
|
.Os
|
|
|
|
.Sh NAME
|
|
|
|
.Nm rpki-client
|
|
|
|
.Nd RPKI validator to support BGP routing security
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
.Nm
|
|
|
|
.Op Fl ABcjmnoRrVv
|
|
|
|
.Op Fl b Ar sourceaddr
|
|
|
|
.Op Fl d Ar cachedir
|
|
|
|
.Op Fl e Ar rsync_prog
|
|
|
|
.Op Fl H Ar fqdn
|
|
|
|
.Op Fl S Ar skiplist
|
|
|
|
.Op Fl s Ar timeout
|
|
|
|
.Op Fl T Ar table
|
|
|
|
.Op Fl t Ar tal
|
|
|
|
.Op Ar outputdir
|
|
|
|
.Nm
|
|
|
|
.Op Fl Vv
|
|
|
|
.Op Fl d Ar cachedir
|
|
|
|
.Op Fl j
|
|
|
|
.Op Fl t Ar tal
|
|
|
|
.Fl f
|
|
|
|
.Ar
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
utility queries the RPKI repository system with
|
|
|
|
a built-in HTTPS client and
|
|
|
|
.Xr openrsync 1
|
|
|
|
to fetch all X.509 certificates, manifests, and revocation lists under a given
|
|
|
|
.Em Trust Anchor .
|
|
|
|
.Nm
|
|
|
|
subsequently validates each
|
|
|
|
.Em Signed Object
|
|
|
|
by constructing and verifying a certification path for the certificate
|
|
|
|
associated with the Object (including checking relevant CRLs).
|
|
|
|
.Nm
|
|
|
|
produces lists of the
|
|
|
|
.Em Validated ROA Payloads Pq VRPs ,
|
|
|
|
.Em BGPsec Router Keys Pq BRKs ,
|
|
|
|
and
|
|
|
|
.Em Validated ASPA Payloads Pq VAPs
|
|
|
|
in various formats.
|
|
|
|
.Pp
|
|
|
|
The options are as follows:
|
|
|
|
.Bl -tag -width Ds
|
|
|
|
.It Fl A
|
2023-04-30 21:16:28 +02:00
|
|
|
Exclude the ASPA-set from the output files that support it (JSON and
|
|
|
|
OpenBGPD).
|
2023-04-30 03:15:27 +02:00
|
|
|
.It Fl B
|
|
|
|
Create output in the files
|
|
|
|
.Pa bird1v4 ,
|
|
|
|
.Pa bird1v6 ,
|
|
|
|
and
|
|
|
|
.Pa bird
|
|
|
|
(for bird2)
|
|
|
|
in the output directory which is suitable for the BIRD internet routing daemon.
|
|
|
|
.It Fl b Ar sourceaddr
|
|
|
|
Tell the HTTP and rsync clients to use
|
|
|
|
.Ar sourceaddr
|
|
|
|
as the source address for connections, which is useful on machines
|
|
|
|
with multiple interfaces.
|
|
|
|
.It Fl c
|
|
|
|
Create output in the file
|
|
|
|
.Pa csv
|
|
|
|
in the output directory as comma-separated values of the
|
|
|
|
.Em Autonomous System ,
|
|
|
|
the prefix in slash notation, the maximum prefix length, an abbreviation for
|
|
|
|
the
|
|
|
|
.Em Trust Anchor
|
|
|
|
the entry is derived from, and the moment the VRP will expire derived from
|
|
|
|
the chain of X.509 certificates and CRLs in seconds since the Epoch, UTC.
|
|
|
|
.It Fl d Ar cachedir
|
|
|
|
The directory where
|
|
|
|
.Nm
|
|
|
|
will store the cached repository data.
|
|
|
|
Defaults to
|
|
|
|
.Pa /var/cache/rpki-client .
|
|
|
|
.It Fl e Ar rsync_prog
|
|
|
|
Use
|
|
|
|
.Ar rsync_prog
|
|
|
|
instead of
|
|
|
|
.Xr openrsync 1
|
|
|
|
to fetch repositories.
|
|
|
|
It must accept the
|
|
|
|
.Fl rt
|
|
|
|
and
|
|
|
|
.Fl -address
|
|
|
|
flags and connect with rsync-protocol locations.
|
|
|
|
.It Fl f Ar
|
|
|
|
Decode the
|
|
|
|
.Em TAL
|
|
|
|
or validate the
|
|
|
|
.Em Signed Object
|
|
|
|
in
|
|
|
|
.Ar file
|
|
|
|
against the RPKI cache stored in
|
|
|
|
.Ar cachedir
|
|
|
|
and print human-readable information about the object.
|
|
|
|
If
|
|
|
|
.Ar file
|
|
|
|
is an rsync:// URI, the corresponding file from the cache will be used.
|
|
|
|
This option implies
|
|
|
|
.Fl n ,
|
|
|
|
and can be combined with
|
|
|
|
.Fl j
|
|
|
|
to emit a stream of
|
|
|
|
.Em Concatenated JSON .
|
|
|
|
.It Fl H Ar fqdn
|
|
|
|
Create a shortlist and add
|
|
|
|
.Ar fqdn
|
|
|
|
to the shortlist.
|
|
|
|
.Nm
|
|
|
|
only connects to shortlisted hosts.
|
|
|
|
The shortlist filter is enforced during processing of the
|
|
|
|
.Em Subject Information Access Pq SIA
|
|
|
|
extension in CA certificates, thus applies to both RSYNC and RRDP connections.
|
|
|
|
This option can be used multiple times.
|
|
|
|
.It Fl j
|
|
|
|
Create output in the file
|
|
|
|
.Pa json
|
|
|
|
in the output directory as JSON object.
|
|
|
|
See
|
|
|
|
.Fl c
|
|
|
|
for a description of the fields.
|
|
|
|
.It Fl m
|
|
|
|
Create output in the file
|
|
|
|
.Pa metrics
|
|
|
|
in the output directory in OpenMetrics format.
|
|
|
|
.It Fl n
|
|
|
|
Offline mode.
|
|
|
|
Validate the contents of
|
|
|
|
.Ar cachedir
|
|
|
|
and write to
|
|
|
|
.Ar outputdir
|
|
|
|
without synchronizing via RRDP or RSYNC.
|
|
|
|
.It Fl o
|
|
|
|
Create output in the file
|
|
|
|
.Pa openbgpd
|
|
|
|
in the output directory as
|
|
|
|
.Xr bgpd 8
|
|
|
|
compatible input.
|
|
|
|
If the
|
|
|
|
.Fl B ,
|
|
|
|
.Fl c ,
|
|
|
|
and
|
|
|
|
.Fl j
|
|
|
|
options are not specified this is the default.
|
|
|
|
.It Fl P Ar posix-seconds
|
|
|
|
Specify the time for the evaluation in
|
|
|
|
.Ar posix-seconds
|
|
|
|
seconds from the unix epoch.
|
|
|
|
This overrides the default of using the current system time.
|
|
|
|
.It Fl R
|
|
|
|
Synchronize via RSYNC only.
|
|
|
|
.It Fl r
|
|
|
|
Synchronize via RRDP.
|
|
|
|
If RRDP fails, RSYNC will be used.
|
|
|
|
This is the default.
|
|
|
|
Mutually exclusive with
|
|
|
|
.Fl n .
|
|
|
|
.It Fl S Ar skiplist
|
|
|
|
Do not connect to hosts listed in the
|
|
|
|
.Ar skiplist
|
|
|
|
file.
|
|
|
|
Entries in the
|
|
|
|
.Ar skiplist
|
|
|
|
are newline separated
|
|
|
|
.Em Fully Qualified Domain Names Pq FQDNs .
|
|
|
|
A
|
|
|
|
.Ql #
|
|
|
|
indicates the beginning of a comment; characters up to the end of the line are
|
|
|
|
not interpreted.
|
|
|
|
The skip filter is enforced during processing of the
|
|
|
|
.Em Subject Information Access Pq SIA
|
|
|
|
extension in CA certificates, thus applies to both RSYNC and RRDP connections.
|
|
|
|
By default load entries from
|
|
|
|
.Pa /etc/rpki/skiplist .
|
|
|
|
.It Fl s Ar timeout
|
|
|
|
Terminate after
|
|
|
|
.Ar timeout
|
|
|
|
seconds of runtime, because normal practice will restart from
|
|
|
|
.Xr cron 8 .
|
|
|
|
Disable by specifying 0.
|
|
|
|
Defaults to 1 hour.
|
|
|
|
Individual RSYNC/RRDP repositories are timed out after one fourth of
|
|
|
|
.Em timeout .
|
|
|
|
All network synchronisation tasks are aborted after seven eights of
|
|
|
|
.Em timeout .
|
|
|
|
.It Fl T Ar table
|
|
|
|
For BIRD output generated with the
|
|
|
|
.Fl B
|
|
|
|
option use
|
|
|
|
.Ar table
|
|
|
|
as roa table name instead of the default 'ROAS'.
|
|
|
|
.It Fl t Ar tal
|
|
|
|
Specify a
|
|
|
|
.Em Trust Anchor Location Pq TAL
|
|
|
|
file to be used.
|
|
|
|
This option can be used multiple times to load multiple TALs.
|
|
|
|
By default
|
|
|
|
.Nm
|
|
|
|
will load all TAL files in
|
|
|
|
.Pa /etc/rpki .
|
|
|
|
TAL are small files containing a public key and URL endpoint address.
|
|
|
|
.It Fl V
|
|
|
|
Show the version and exit.
|
|
|
|
.It Fl v
|
|
|
|
Increase verbosity.
|
|
|
|
Specify once for synchronisation status, twice to print the name of each file
|
|
|
|
as it's processed.
|
|
|
|
If
|
|
|
|
.Fl f
|
|
|
|
is given, specify once to print more information about the encapsulated X.509
|
|
|
|
certificate, twice to print the certificate in PEM format.
|
|
|
|
.It Ar outputdir
|
|
|
|
The directory where
|
|
|
|
.Nm
|
|
|
|
will write the output files.
|
|
|
|
Defaults to
|
|
|
|
.Pa /var/db/rpki-client/ .
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
By default
|
|
|
|
.Nm
|
|
|
|
outputs validated payloads in
|
|
|
|
.Fl o
|
|
|
|
(OpenBGPD compatible) format.
|
|
|
|
.Pp
|
|
|
|
.Nm
|
|
|
|
should be run hourly by
|
|
|
|
.Xr cron 8 :
|
|
|
|
use
|
|
|
|
.Xr crontab 1
|
|
|
|
to uncomment the entry in root's crontab.
|
|
|
|
.Sh ENVIRONMENT
|
|
|
|
.Nm
|
|
|
|
utilizes the following environment variables:
|
|
|
|
.Bl -tag -width "http_proxy"
|
|
|
|
.It Ev http_proxy
|
|
|
|
URL of HTTP proxy to use.
|
|
|
|
.El
|
|
|
|
.Sh FILES
|
|
|
|
.Bl -tag -width "/var/db/rpki-client/openbgpd" -compact
|
|
|
|
.It Pa /etc/rpki/*.tal
|
|
|
|
default TAL files used unless
|
|
|
|
.Fl t Ar tal
|
|
|
|
is specified.
|
|
|
|
.It Pa /etc/rpki/skiplist
|
|
|
|
default skiplist file, unless
|
|
|
|
.Fl S Ar skiplist
|
|
|
|
is specified.
|
|
|
|
.It Pa /var/cache/rpki-client
|
|
|
|
cached repository data.
|
|
|
|
.It Pa /var/db/rpki-client/openbgpd
|
|
|
|
default roa-set output file.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
All the top-level TAL are included, except the ARIN TAL which is not
|
|
|
|
made available with terms compatible with open source.
|
|
|
|
That public key is treated as a proprietary object in a lengthy legal
|
|
|
|
agreement regarding ARIN service restrictions.
|
|
|
|
.Sh EXIT STATUS
|
|
|
|
.Ex -std
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr openrsync 1 ,
|
|
|
|
.Xr bgpd.conf 5
|
|
|
|
.Sh STANDARDS
|
|
|
|
.Rs
|
|
|
|
.%T X.509 Extensions for IP Addresses and AS Identifiers
|
|
|
|
.%R RFC 3779
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
|
|
|
|
.%R RFC 5280
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Cryptographic Message Syntax (CMS)
|
|
|
|
.%R RFC 5652
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T The rsync URI Scheme
|
|
|
|
.%R RFC 5781
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T \&An Infrastructure to Support Secure Internet Routing
|
|
|
|
.%R RFC 6480
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T A Profile for Resource Certificate Repository Structure
|
|
|
|
.%R RFC 6481
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI)
|
|
|
|
.%R RFC 6485
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T A Profile for X.509 PKIX Resource Certificates
|
|
|
|
.%R RFC 6487
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Signed Object Template for the Resource Public Key Infrastructure (RPKI)
|
|
|
|
.%R RFC 6488
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T The Resource Public Key Infrastructure (RPKI) Ghostbusters Record
|
|
|
|
.%R RFC 6493
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates
|
|
|
|
.%R RFC 7318
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure
|
|
|
|
.%R RFC 7935
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T The RPKI Repository Delta Protocol (RRDP)
|
|
|
|
.%R RFC 8182
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
|
|
|
|
.%R RFC 8209
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Resource Public Key Infrastructure (RPKI) Trust Anchor Locator
|
|
|
|
.%R RFC 8630
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Finding and Using Geofeed Data
|
|
|
|
.%R RFC 9092
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T Manifests for the Resource Public Key Infrastructure (RPKI)
|
|
|
|
.%R RFC 9286
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T RPKI Signed Object for Trust Anchor Key
|
|
|
|
.%U https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-signed-tal
|
|
|
|
.%D Oct, 2022
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T A Profile for RPKI Signed Checklists (RSCs)
|
|
|
|
.%R RFC 9323
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T A Profile for Route Origin Authorizations (ROAs)
|
|
|
|
.%U https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rfc6482bis
|
|
|
|
.%D Nov, 2022
|
|
|
|
.Re
|
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T A Profile for Autonomous System Provider Authorization (ASPA)
|
|
|
|
.%U https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile
|
2023-06-27 19:33:20 +02:00
|
|
|
.%D Jun, 2023
|
2023-04-30 03:15:27 +02:00
|
|
|
.Re
|
2023-06-07 23:20:56 +02:00
|
|
|
.Pp
|
|
|
|
.Rs
|
|
|
|
.%T On the use of the CMS signing-time attribute in RPKI Signed Objects
|
|
|
|
.%U https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-cms-signing-time
|
|
|
|
.%D June, 2023
|
|
|
|
.Re
|
2023-04-30 03:15:27 +02:00
|
|
|
.Sh HISTORY
|
|
|
|
.Nm
|
|
|
|
first appeared in
|
|
|
|
.Ox 6.7 .
|
|
|
|
.Sh AUTHORS
|
|
|
|
.An -nosplit
|
|
|
|
.An Kristaps Dzonsons Aq Mt kristaps@bsd.lv ,
|
|
|
|
.An Claudio Jeker Aq Mt claudio@openbsd.org ,
|
|
|
|
.An Theo Buehler Aq Mt tb@openbsd.org ,
|
|
|
|
and
|
|
|
|
.An Job Snijders Aq Mt job@openbsd.org .
|
|
|
|
.\" .Sh CAVEATS
|
|
|
|
.\" .Sh BUGS
|