From 14a9628f0552d3818cd58fb085e7544cdbb3b5eb Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 3 Aug 2016 18:27:49 +0000 Subject: Dump of rpki.net Wiki, to capture content not linked into the manual. --- doc/wiki-dump/doc%2FRPKI%2FRP | 81 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 doc/wiki-dump/doc%2FRPKI%2FRP (limited to 'doc/wiki-dump/doc%2FRPKI%2FRP') diff --git a/doc/wiki-dump/doc%2FRPKI%2FRP b/doc/wiki-dump/doc%2FRPKI%2FRP new file mode 100644 index 00000000..a05cb2ab --- /dev/null +++ b/doc/wiki-dump/doc%2FRPKI%2FRP @@ -0,0 +1,81 @@ +[[TracNav(doc/RPKI/TOC)]] +[[PageOutline]] + += RPKI Relying Party Tools = + +These tools implements the "relying party" role of the RPKI system, +that is, the entity which retrieves RPKI objects from repositories, +validates them, and uses the result of that validation process as +input to other processes, such as BGP security. + +See the [[CA|CA tools]] for programs to help you generate RPKI +objects, if you need to do that. + +The RP main tools are [[#rcynic|rcynic]] and +[[#rpki-rtr|rpki-rtr]], each of which is discussed below. + +The installation process sets up everything you need for a basic RPKI +validation installation. You will, however, need to think at least +briefly about which [[#trust-anchors|RPKI trust anchors]] you are +using, and may need to change these from the defaults. + +The installation process sets up a cron job running running +[[#rcynic-cron|rcynic-cron]] as user "`rcynic`" once per hour at a +randomly-selected minute. + +== rcynic == + +rcynic is the primary validation tool. It does the actual work of +RPKI validation: checking syntax, signatures, expiration times, and +conformance to the profiles for RPKI objects. The other relying party +programs take rcynic's output as their input. + +The installation process sets up a basic rcynic configuration. See +the [[wiki:doc/RPKI/RP/rcynic|rcynic documentation]] if you need to +know more. + +See the [[#trust-anchors|discussion of trust anchors]]. + +== rpki-rtr == + +rpki-rtr is an implementation of the rpki-rtr protocol, using +rcynic's output as its data source. rpki-rtr includes the rpki-rtr +server, a test client, and a utiltity for examining the content of the +database rpki-rtr generates from the data supplied by rcynic. + +See the [[wiki:doc/RPKI/RP/rpki-rtr|rpki-rtr documentation]] for +further details. + +== rcynic-cron == + +rcynic-cron is a small script to run the most common set of relying +party tools under cron. See the +[[wiki:doc/RPKI/RP/RunningUnderCron|discussion of running relying party tools under cron]] +for further details. + +== Selecting trust anchors == #trust-anchors + +As in any PKI system, validation in the RPKI system requires a set of +"trust anchors" to use as a starting point when checking certificate +chains. By definition, trust anchors can only be selected by you, the +relying party. + +As with most other PKI software, we supply a default set of trust +anchors which you are welcome to use if they suit your needs. These +are installed as part of the normal installation process, so if you +don't do anything, you'll get these. You can, however, override this +if you need something different; see +[[wiki:doc/RPKI/RP/rcynic|the rcynic documentation]] for details. + +Remember: It's only a trust anchor if **you** trust it. We can't make +that decision for you. + +Also note that, at least for now, ARIN's trust anchor locator is +absent from the default set of trust anchors. This is not an +accident: it's the direct result of a deliberate policy decision by +ARIN to require anyone using their trust anchor to +[[https://www.arin.net/resources/rpki/faq.html#tal|jump through legal hoops]]. +If you have a problem with this, +[[http://lists.arin.net/mailman/listinfo/arin-ppml|complain to ARIN]]. +If and when ARIN changes this policy, we will be happy to include +their trust anchor locator along with those of the other RIRs. -- cgit v1.2.3