Despite this being from the OpenBSD project, that’s the portable version, which is why I did not attach the tag. I hope this is the correct way to do this.
Interesting to see this pop up today, shortly after Cloudflare’s launch of https://isbgpsafeyet.com/
That was my first introduction to RPKI. Interestingly, it seems very similar to SHAKEN/STIR. From what I can tell, both are protocols for using certificates to validate routing information asserted by peers. RPKI secures BGP and SHAKEN/STIR secures POTS.
The US passed the TRACE Act in January to mandate telcos support SHAKEN/STIR. Previous voluntary compliance efforts were unsuccessful. I wonder if we’ll eventually see something similar with RPKI. I’m not confident we will, if only because robocalls are much more visible to the general public than BGP hijacks.
If I understood the manual page correctly, this generates a config file for OpenBGPd, BIRD and others, but what I didn’t find any documentation for is how often to run the binary. I guess the program should run on an interval in order to get fresh certificates in the config file.
I recommend running rpki-client from cron(8) at least once an hour. See this example crontab entry: https://github.com/openbsd/src/blob/master/etc/crontab#L22
I’ll work to update the man page to hint at once an hour. Thanks
Thank you! :)