1. 16

  2. 3

    Despite this being from the OpenBSD project, that’s the portable version, which is why I did not attach the tag. I hope this is the correct way to do this.

    1. 3

      Interesting to see this pop up today, shortly after Cloudflare’s launch of https://isbgpsafeyet.com/

      That was my first introduction to RPKI. Interestingly, it seems very similar to SHAKEN/STIR. From what I can tell, both are protocols for using certificates to validate routing information asserted by peers. RPKI secures BGP and SHAKEN/STIR secures POTS.

      The US passed the TRACE Act in January to mandate telcos support SHAKEN/STIR. Previous voluntary compliance efforts were unsuccessful. I wonder if we’ll eventually see something similar with RPKI. I’m not confident we will, if only because robocalls are much more visible to the general public than BGP hijacks.

      1. 1

        If I understood the manual page correctly, this generates a config file for OpenBGPd, BIRD and others, but what I didn’t find any documentation for is how often to run the binary. I guess the program should run on an interval in order to get fresh certificates in the config file.

        1. 4

          I recommend running rpki-client from cron(8) at least once an hour. See this example crontab entry: https://github.com/openbsd/src/blob/master/etc/crontab#L22

          I’ll work to update the man page to hint at once an hour. Thanks

          1. 1

            Thank you! :)