aboutsummaryrefslogtreecommitdiff
path: root/doc/05.RPKI.RP.md
blob: f92c68af96e6b0a645f4624d531b80bf19b8d5e4 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70


   

RPKI Relying Party Tools


These tools implements the "relying party" role of the RPKI system, that is,
the entity which retrieves RPKI objects from repositories, validates them, and
uses the result of that validation process as input to other processes, such
as BGP security.


See the CA tools for programs to help you generate RPKI objects, if you need
to do that.


The RP main tools are rcynic and rpki-rtr, each of which is discussed below.


The installation process sets up everything you need for a basic RPKI
validation installation. You will, however, need to think at least briefly
about which RPKI trust anchors you are using, and may need to change these
from the defaults.


The installation process sets up a cron job running running rcynic-cron as
user "rcynic" once per hour at a randomly-selected minute.


rcynic


rcynic is the primary validation tool. It does the actual work of RPKI
validation: checking syntax, signatures, expiration times, and conformance to
the profiles for RPKI objects. The other relying party programs take rcynic's
output as their input.


The installation process sets up a basic rcynic configuration. See the rcynic
documentation if you need to know more.


See the discussion of trust anchors.


rpki-rtr


rpki-rtr is an implementation of the rpki-rtr protocol, using rcynic's output
as its data source. rpki-rtr includes the rpki-rtr server, a test client, and
a utiltity for examining the content of the database rpki-rtr generates from
the data supplied by rcynic.


See the rpki-rtr documentation for further details.


rcynic-cron


rcynic-cron is a small script to run the most common set of relying party
tools under cron. See the discussion of running relying party tools under cron
for further details.


Selecting trust anchors


As in any PKI system, validation in the RPKI system requires a set of "trust
anchors" to use as a starting point when checking certificate chains. By
definition, trust anchors can only be selected by you, the relying party.


As with most other PKI software, we supply a default set of trust anchors
which you are welcome to use if they suit your needs. These are installed as
part of the normal installation process, so if you don't do anything, you'll
get these. You can, however, override this if you need something different;
see the rcynic documentation for details.


Remember: It's only a trust anchor if you trust it. We can't make that
decision for you.


Also note that, at least for now, ARIN's trust anchor locator is absent from
the default set of trust anchors. This is not an accident: it's the direct
result of a deliberate policy decision by ARIN to require anyone using their
trust anchor to jump through legal
hoops. If you have a
problem with this, complain to ARIN. If and when ARIN changes this policy, we will be happy to include
their trust anchor locator along with those of the other RIRs.
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-10 09:12:08 +0000