path: root/doc/doc.RPKI.RP
blob: 1f7ff4d0a0e3cd406a57b2ae1f87ab98a1016423
****** RPKI Relying Party Tools ******

These tools implement the "relying party" role of the RPKI system, that is,
the entity which retrieves RPKI objects from repositories, validates them, and
uses the result of that validation as input to other processes, such as BGP
origin validation.

See the CA tools for programs to help you generate RPKI objects, if you need to
do that.

The main RP tools are `rcynic` and `rtr-origin`, each of which is discussed
below.

The installation process sets up everything you need for a basic RPKI
validation installation. You will, however, need to think at least briefly
about which RPKI trust anchors you are using, and may need to change these from
the defaults.

The installation process also sets up a cron job that runs `rcynic-cron` as
user "rcynic" once per hour, at a randomly selected minute.

***** rcynic *****

rcynic is the primary validation tool. It does the actual work of RPKI
validation: checking syntax, signatures, expiration times, and conformance to
the profiles for RPKI objects. The other relying party programs take rcynic's
output as their input.

The installation process sets up a basic rcynic configuration. See the rcynic
documentation if you need to know more.

See the discussion of trust anchors.

***** rtr-origin *****

rtr-origin is an implementation of the rpki-rtr protocol, using rcynic's output
as its data source. rtr-origin includes the rpki-rtr server, a test client, and
a utility for examining the contents of the database that rtr-origin generates
from the data supplied by rcynic.

See the rtr-origin documentation for further details.

***** rcynic-cron *****

rcynic-cron is a small script to run the most common set of relying party tools
under cron. See the discussion of running relying party tools under cron for
further details.

***** Selecting trust anchors *****

As in any PKI system, validation in the RPKI system requires a set of "trust
anchors" to use as a starting point when checking certificate chains. By
definition, trust anchors can only be selected by you, the relying party.

As with most other PKI software, we supply a default set of trust anchors which
you are welcome to use if they suit your needs. These are installed as part of
the normal installation process, so if you don't do anything, you'll get these.
You can, however, override this if you need something different; see the rcynic
documentation for details.

Remember: It's only a trust anchor if you trust it. We can't make that decision
for you.
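What "trusting" a trust anchor amounts to in practice: a trust anchor locator
(TAL) pins a public key and lists the URIs from which the trust anchor
certificate can be fetched, and a relying party must reject whatever comes
back from those URIs unless it carries exactly that key. The script below is
an added example written for this page, not code from the rpki.net tools. It
parses a TAL in the RFC 8630 layout (optional `#` comment lines, one or more
URIs, blank line, base64 subjectPublicKeyInfo), also accepts the older RFC 6490
layout without the blank line, and compares a fetched certificate's key against
the pinned one. The `SAMPLE_*` values, the example.net URIs and the placeholder
modulus are constructed for the example and are not a real RIR trust anchor.

```python
"""Parse an RPKI Trust Anchor Locator (TAL) and check a fetched trust anchor
certificate's key against the key the TAL pins.

Added example for this page; not code from the rpki.net relying party tools.
All SAMPLE_* values are constructed here and are not a real RIR trust anchor.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustAnchorLocator:
    uris: tuple        # where the trust anchor certificate may be fetched from
    spki_der: bytes    # DER subjectPublicKeyInfo the certificate must carry

    def key_id(self) -> str:
        """SHA-256 of the DER key; handy for comparing a TAL obtained from two
        sources (e.g. a package default against the RIR's own copy)."""
        return hashlib.sha256(self.spki_der).hexdigest()


def parse_tal(text: str) -> TrustAnchorLocator:
    """Parse TAL text.  Anything that does not look like a TAL raises
    ValueError instead of being guessed at: a mis-parsed TAL is a trust
    decision made on your behalf."""
    lines = [line.strip() for line in text.splitlines()]
    i = 0
    while i < len(lines) and lines[i].startswith("#"):   # RFC 8630 comment section
        i += 1
    uris = []
    while i < len(lines) and lines[i].startswith(("rsync://", "https://")):
        uris.append(lines[i])
        i += 1
    if not uris:
        raise ValueError("TAL has no URI section")
    # Everything left is base64 subjectPublicKeyInfo; blank lines are separators.
    rest = [line for line in lines[i:] if line]
    if not rest:
        raise ValueError("TAL has no subjectPublicKeyInfo")
    spki_der = base64.b64decode("".join(rest), validate=True)
    if not spki_der.startswith(b"\x30"):                 # DER SEQUENCE tag
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    return TrustAnchorLocator(tuple(uris), spki_der)


def trust_anchor_cert_matches(tal: TrustAnchorLocator, cert_spki_der: bytes) -> bool:
    """A certificate fetched from a TAL URI is the trust anchor only if its
    subjectPublicKeyInfo is byte-for-byte the one in the TAL.  The URIs say
    where to look; the key is the thing you decided to trust."""
    return hmac.compare_digest(tal.spki_der, cert_spki_der)


# --- minimal DER encoder, used only to construct the sample key below ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _der_uint(v: int) -> bytes:
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the high bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def make_rsa_spki(n: int, e: int = 65537) -> bytes:
    """DER subjectPublicKeyInfo for an RSA key (rsaEncryption OID, NULL params)."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
    algorithm = _der(0x30, rsa_oid + b"\x05\x00")
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


# Constructed sample: a placeholder odd 2048-bit modulus, not a real key.
SAMPLE_N = (1 << 2047) | 0x5EED0001
SAMPLE_SPKI = make_rsa_spki(SAMPLE_N)
SAMPLE_TAL = (
    "# constructed example TAL, not a real RIR trust anchor\n"
    "https://rrdp.example.net/ta.cer\n"
    "rsync://rpki.example.net/repository/ta.cer\n"
    "\n"
    + base64.encodebytes(SAMPLE_SPKI).decode()
)


if __name__ == "__main__":
    tal = parse_tal(SAMPLE_TAL)
    print("fetch from:", *tal.uris)
    print("key id    :", tal.key_id())
    # A "fetched" certificate either carries the pinned key or is rejected.
    print("genuine   :", trust_anchor_cert_matches(tal, SAMPLE_SPKI))
    print("swapped   :", trust_anchor_cert_matches(tal, make_rsa_spki(SAMPLE_N + 2)))
```

The comparison is deliberately on the raw DER subjectPublicKeyInfo rather than
on the certificate's subject name or serial: those are whatever the repository
operator (or whoever controls the URI) chooses to put there, while the key is
the only thing you fixed when you installed the TAL. The `key_id()` digest is
the value to compare when you obtain a TAL from two places and want to confirm
they pin the same key before accepting it as a default.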

Also note that, at least for now, ARIN's trust anchor locator is absent from
the default set of trust anchors. This is not an accident: it's the direct
result of a deliberate policy decision by ARIN to require anyone using their
trust anchor to jump through legal hoops. If you have a problem with this,
complain to ARIN. If and when ARIN changes this policy, we will be happy to
include their trust anchor locator along with those of the other RIRs.