These tools implements the "relying party" role of the RPKI system, that is, the entity which retrieves RPKI objects from repositories, validates them, and uses the result of that validation process as input to other processes, such as BGP security.
See the CA tools for programs to help you generate RPKI objects, if you need to do that.
The RP main tools are rcynic and rpki-rtr, each of which is discussed below.
The installation process sets up everything you need for a basic RPKI validation installation. You will, however, need to think at least briefly about which RPKI trust anchors you are using, and may need to change these from the defaults.
The installation process sets up a cron job running running rcynic-cron
as user "rcynic" once per hour at a randomly-selected minute.
rcynic is the primary validation tool. It does the actual work of RPKI validation: checking syntax, signatures, expiration times, and conformance to the profiles for RPKI objects. The other relying party programs take rcynic's output as their input.
The installation process sets up a basic rcynic configuration. See the rcynic documentation if you need to know more.
See the discussion of trust anchors.
rpki-rtr is an implementation of the rpki-rtr protocol, using rcynic's output as its data source. rpki-rtr includes the rpki-rtr server, a test client, and a utiltity for examining the content of the database rpki-rtr generates from the data supplied by rcynic.
See the rpki-rtr documentation for further details.
rcynic-cron is a small script to run the most common set of relying party tools under cron. See the discussion of running relying party tools under cron for further details.
As in any PKI system, validation in the RPKI system requires a set of "trust anchors" to use as a starting point when checking certificate chains. By definition, trust anchors can only be selected by you, the relying party.
As with most other PKI software, we supply a default set of trust anchors which you are welcome to use if they suit your needs. These are installed as part of the normal installation process, so if you don't do anything, you'll get these. You can, however, override this if you need something different; see the rcynic documentation for details.
Remember: It's only a trust anchor if you trust it. We can't make that decision for you.
Also note that, at least for now, ARIN's trust anchor locator is absent from the default set of trust anchors. This is not an accident: it's the direct result of a deliberate policy decision by ARIN to require anyone using their trust anchor to jump through legal hoops. If you have a problem with this, complain to ARIN. If and when ARIN changes this policy, we will be happy to include their trust anchor locator along with those of the other RIRs.