top of page
Search

rpki-client 8.7 released

rpki-client 8.7 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.


rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.


See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system.


rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit as part of the OpenBSD Project.


This release includes the following changes to the previous release:


  • Add ability to constrain an RPKI Trust Anchor's effective signing  authority to a limited set of Internet numbers. This allows Relying  Parties to enjoy the potential benefits of assuming trust, but within  a bounded scope. This distribution includes curated constraints files. More information here.

  • Following a 'failed fetch' (described in RFC 9286), emit a warning and continue with a previously cached Manifest file, if present and still valid.

  • Emit a warning when the same manifestNumber is re-used across multiple issuances.

  • Emit a warning when the remote repository presents a Manifest with an  unexpected manifestNumber. Purported new manifests are expected to  have a higher manifestNumber than previously validated manifests. Otherwise fall back to the previously cached manifest, if it is still valid. This warning can be indicative of manifest replays or of out-of-order publishing.

  • Require RPKI object files to be of a minimum of 100 bytes in both the RRDP and RSYNC transports.

  • No longer synchronize directory modtimes in the local cache to align with remote RSYNC repository sources.

  • Improved CRL extension checking.

  • Experimental support for the P-256 signature algorithm.

  • Various refactoring work.


rpki-client works on all operating systems with a libcrypto library based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with LibreSSL 3.6 or later, and zlib.


rpki-client is known to compile and run on at least the following operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat, Rocky, Ubuntu, macOS, and of course OpenBSD!

Recent Posts

See All

OpenBGPD 8.5 released

We have released OpenBGPD 8.5, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release: Include OpenBSD

rpki-client 9.1 released

rpki-client 9.1 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users update to this version for improved reliability.

OpenBGPD 8.4 released

We have released OpenBGPD 8.4, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release: Rewrite the inte

Comments


bottom of page