path: root/docs/OPERATION
blob: 723c45535dc971dd1b09908702e2a8909f904aab
$Id$ -*- Text -*- 

Preliminary operation instructions for rpkid et al.  These are the
production-side RPKI tools, for Internet Registries (RIRs, LIRs, etc).
See ../rcynic/README for relying party tools.

See INSTALLATION for how to install the software.

At present the package is intended to be run out of the scripts
directory.

In addition to the library routines in the scripts/rpki/ directory,
the package includes the following programs:

rpkid.py	The main RPKI engine daemon

rootd.py	A separate daemon for handling the root of an RPKI
		certificate tree.  This is essentially a stripped down
		version of rpkid with no SQL database, no left-right
		protocol implementation, and only the parent side of
		the up-down protocol.  It's separate because the root
		is a special case in several ways and it was simpler
		to keep the special cases out of the main daemon.

irdbd.py	A sample implementation of an IR database daemon.
		rpkid calls into this to perform lookups via the
		left-right protocol.

irbe-cli.py	A command-line client for the left-right control
		protocol. 

irbe-setup.py	An example of a script to set up the mappings between
		the IRDB and rpkid's own database, using the
		left-right control protocol.

cronjob.py	A trivial HTTP client used to drive rpkid cron events.

testbed.py	A test tool for running a collection of rpkid and irdb
		instances under common control, driven by a unified
		test script.

testpoke.py	A simple client for the up-down protocol, mostly
		compatible with APNIC's rpki_poke.pl tool.

Most of these programs take configuration files in a common format
similar to that used by the OpenSSL command line tool.  The test
programs also take input in YAML format to drive the tests.

Basic operation consists of creating the appropriate MySQL databases,
starting rpkid, rootd, and irdbd, using the left-right control
protocol to set up rpkid's internal state, and setting up a cron job
to invoke rpkid's cron action at regular intervals.  All other
operations should occur either as a result of cron events or as a
result of incoming left-right and up-down protocol requests.

Note that the publication protocol isn't fully specified yet, much
less implemented.  At the moment rpkid just writes its outputs to a
local directory tree.

Note that the full event-driven model for rpkid hasn't yet been
implemented.  The design is intended to allow an arbitrary number of
hosted RPKI engines to run in a single rpkid instance, but without the
event-driven tasking model one has to set up a separate rpkid instance
for each hosted RPKI engine.

At present the daemon programs all run in the foreground; if you want
them to run in the background you must arrange that yourself, e.g.,
using Bourne shell syntax:

  $ python whatever.py &
  $ echo >whatever.pid  "$!"

All of the daemons use syslog.  At present they all set LOG_PERROR, so
all logging also goes to stderr.

----------------------------------------------------------------

rpkid.py config file:

The default config file is rpkid.conf, start rpkid with "-c filename"
to choose a different config file.  All options are in the section
"[rpkid]".  Certificates, keys, and trust anchors may be in either DER
or PEM format.

Options:

startup-message:	String to log on startup, useful when
			debugging a collection of rpkid instances at
			once.

sql-username:		Username to hand to MySQL when connecting to
			rpkid's database.

sql-database:		MySQL's database name for rpkid's database.

sql-password:		Password to hand to MySQL when connecting to
			rpkid's database.

cms-ta-irdb:		Name of file containing CMS trust anchor to
			use when authenticating messages from irdbd.

cms-ta-irbe:		Name of file containing CMS trust anchor to
			use when authenticating control messages from
			IRBE.

cms-key:		Name of file containing RSA key to use when
			signing CMS messages to IRBE or irdbd.

cms-certs:		Name(s) of file(s) containing certificate(s)
			to include in CMS wrapper when signing
			messages to IRBE or irdbd.   You can specify
			more than one certificate using OpenSSL-style
			subscripts: cms-certs.0, cms-certs.1, etc.

https-key:		Name of file containing RSA key to use, both
			in the HTTPS server role (for both up-down and
			left-right protocols) and in the HTTPS client
			role (left-right protocol only).

https-certs:		Name(s) of file(s) containing certificate(s)
			to use in same contexts where https-key is
			used.  You can specify more than one
			certificate using OpenSSL-style subscripts:
			https-certs.0, https-certs.1, etc.

https-ta:		Name of file containing trust anchor to use
			when verifying irdbd's HTTPS server
			certificate.

irdb-url:		Service URL for irdbd.  Must be an https:// URL.

https-server-host:	Hostname or IP address on which to listen for
			HTTPS connections.  Default is localhost.

https-server-port:	TCP port on which to listen for HTTPS
			connections.

publication-kludge-base: [TEMPORARY] Local directory under which
			generated certificates etc. should be
			published.  This is a temporary expedient
			until the publication protocol is defined and
			implemented.  Default is "publication/".

----------------------------------------------------------------

rootd.py config file:

The default config file is rootd.conf, start rootd with "-c filename"
to choose a different config file.  All options are in the section
"[rootd]".  Certificates, keys, and trust anchors may be in either DER
or PEM format.

Options:

cms-ta:			Name of file containing trust anchor to use
			when verifying CMS up-down queries.

cms-key:		Name of file containing RSA key to use when
			signing CMS up-down replies.

cms-certs:		Name(s) of file(s) containing certificate(s)
			to include in CMS wrapper when signing up-down
			replies.   You can specify more than one
			certificate using OpenSSL-style subscripts:
			cms-certs.0, cms-certs.1, etc.

https-key:		Name of file containing RSA key to use in the
			HTTPS server role for the up-down protocol.

https-certs:		Name(s) of file(s) containing certificate(s)
			to use in the HTTPS server role for the
			up-down protocol.  You can specify more than
			one certificate using OpenSSL-style
			subscripts: https-certs.0, https-certs.1,
			etc.

https-server-host:	Hostname or IP address on which to listen for
			HTTPS connections.  Default is localhost.

https-server-port:	TCP port on which to listen for HTTPS
			connections.

rpki-key:		Name of file containing RSA key to use in
			signing resource certificates.

rpki-issuer:		Name of file containing self-signed root
			resource certificate corresponding to
			rpki-key.

rpki-subject-filename:	Name of file that rootd should use to save the
			one and only certificate it issues.

rpki-pkcs10-filename:	Name of file that rootd should use when saving
			a copy of the received PKCS #10 request for a
			resource certificate.  This is only used for
			debugging.  Default is not to save the PKCS
			#10 request.

----------------------------------------------------------------

irdbd.py

----------------------------------------------------------------

irbe-cli.py

----------------------------------------------------------------

irbe-setup.py

----------------------------------------------------------------

cronjob.py

----------------------------------------------------------------

testbed.py

----------------------------------------------------------------

testpoke.py