1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
[[TracNav(doc/RPKI/TOC)]]
[[PageOutline]]
= RPKI Relying Party Tools =
These tools implements the "relying party" role of the RPKI system,
that is, the entity which retrieves RPKI objects from repositories,
validates them, and uses the result of that validation process as
input to other processes, such as BGP security.
See the [[CA|CA tools]] for programs to help you generate RPKI
objects, if you need to do that.
The RP main tools are [[#rcynic|rcynic]] and
[[#rpki-rtr|rpki-rtr]], each of which is discussed below.
The installation process sets up everything you need for a basic RPKI
validation installation. You will, however, need to think at least
briefly about which [[#trust-anchors|RPKI trust anchors]] you are
using, and may need to change these from the defaults.
The installation process sets up a cron job running running
[[#rcynic-cron|rcynic-cron]] as user "`rcynic`" once per hour at a
randomly-selected minute.
== rcynic ==
rcynic is the primary validation tool. It does the actual work of
RPKI validation: checking syntax, signatures, expiration times, and
conformance to the profiles for RPKI objects. The other relying party
programs take rcynic's output as their input.
The installation process sets up a basic rcynic configuration. See
the [[wiki:doc/RPKI/RP/rcynic|rcynic documentation]] if you need to
know more.
See the [[#trust-anchors|discussion of trust anchors]].
== rpki-rtr ==
rpki-rtr is an implementation of the rpki-rtr protocol, using
rcynic's output as its data source. rpki-rtr includes the rpki-rtr
server, a test client, and a utiltity for examining the content of the
database rpki-rtr generates from the data supplied by rcynic.
See the [[wiki:doc/RPKI/RP/rpki-rtr|rpki-rtr documentation]] for
further details.
== rcynic-cron ==
rcynic-cron is a small script to run the most common set of relying
party tools under cron. See the
[[wiki:doc/RPKI/RP/RunningUnderCron|discussion of running relying party tools under cron]]
for further details.
== Selecting trust anchors == #trust-anchors
As in any PKI system, validation in the RPKI system requires a set of
"trust anchors" to use as a starting point when checking certificate
chains. By definition, trust anchors can only be selected by you, the
relying party.
As with most other PKI software, we supply a default set of trust
anchors which you are welcome to use if they suit your needs. These
are installed as part of the normal installation process, so if you
don't do anything, you'll get these. You can, however, override this
if you need something different; see
[[wiki:doc/RPKI/RP/rcynic|the rcynic documentation]] for details.
Remember: It's only a trust anchor if **you** trust it. We can't make
that decision for you.
Also note that, at least for now, ARIN's trust anchor locator is
absent from the default set of trust anchors. This is not an
accident: it's the direct result of a deliberate policy decision by
ARIN to require anyone using their trust anchor to
[[https://www.arin.net/resources/rpki/faq.html#tal|jump through legal hoops]].
If you have a problem with this,
[[http://lists.arin.net/mailman/listinfo/arin-ppml|complain to ARIN]].
If and when ARIN changes this policy, we will be happy to include
their trust anchor locator along with those of the other RIRs.
|
