diff options
Diffstat (limited to 'doc/05.RPKI.RP.md')
| -rw-r--r-- | doc/05.RPKI.RP.md | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/doc/05.RPKI.RP.md b/doc/05.RPKI.RP.md new file mode 100644 index 00000000..f92c68af --- /dev/null +++ b/doc/05.RPKI.RP.md @@ -0,0 +1,70 @@ +# RPKI Relying Party Tools + +These tools implements the "relying party" role of the RPKI system, that is, +the entity which retrieves RPKI objects from repositories, validates them, and +uses the result of that validation process as input to other processes, such +as BGP security. + +See the CA tools for programs to help you generate RPKI objects, if you need +to do that. + +The RP main tools are rcynic and rpki-rtr, each of which is discussed below. + +The installation process sets up everything you need for a basic RPKI +validation installation. You will, however, need to think at least briefly +about which RPKI trust anchors you are using, and may need to change these +from the defaults. + +The installation process sets up a cron job running running rcynic-cron as +user "`rcynic`" once per hour at a randomly-selected minute. + +## rcynic + +rcynic is the primary validation tool. It does the actual work of RPKI +validation: checking syntax, signatures, expiration times, and conformance to +the profiles for RPKI objects. The other relying party programs take rcynic's +output as their input. + +The installation process sets up a basic rcynic configuration. See the rcynic +documentation if you need to know more. + +See the discussion of trust anchors. + +## rpki-rtr + +rpki-rtr is an implementation of the rpki-rtr protocol, using rcynic's output +as its data source. rpki-rtr includes the rpki-rtr server, a test client, and +a utiltity for examining the content of the database rpki-rtr generates from +the data supplied by rcynic. + +See the rpki-rtr documentation for further details. + +## rcynic-cron + +rcynic-cron is a small script to run the most common set of relying party +tools under cron. See the discussion of running relying party tools under cron +for further details. + +## Selecting trust anchors + +As in any PKI system, validation in the RPKI system requires a set of "trust +anchors" to use as a starting point when checking certificate chains. By +definition, trust anchors can only be selected by you, the relying party. + +As with most other PKI software, we supply a default set of trust anchors +which you are welcome to use if they suit your needs. These are installed as +part of the normal installation process, so if you don't do anything, you'll +get these. You can, however, override this if you need something different; +see the rcynic documentation for details. + +Remember: It's only a trust anchor if **you** trust it. We can't make that +decision for you. + +Also note that, at least for now, ARIN's trust anchor locator is absent from +the default set of trust anchors. This is not an accident: it's the direct +result of a deliberate policy decision by ARIN to require anyone using their +trust anchor to [jump through legal +hoops](https://www.arin.net/resources/rpki/faq.html#tal). If you have a +problem with this, [complain to ARIN](http://lists.arin.net/mailman/listinfo +/arin-ppml). If and when ARIN changes this policy, we will be happy to include +their trust anchor locator along with those of the other RIRs. |