{"id":13581524,"url":"https://github.com/cloudflare/cfrpki","last_synced_at":"2025-04-06T10:32:40.745Z","repository":{"id":35073015,"uuid":"170715385","full_name":"cloudflare/cfrpki","owner":"cloudflare","description":"Cloudflare's RPKI Toolbox","archived":true,"fork":false,"pushed_at":"2024-02-29T14:57:11.000Z","size":14973,"stargazers_count":175,"open_issues_count":38,"forks_count":44,"subscribers_count":25,"default_branch":"master","last_synced_at":"2025-03-25T19:21:16.499Z","etag":null,"topics":["afrinic","apnic","arin","certificate","cloudflare","crypto","cryptography","docker","go","golang","hacktoberfest","internet","key","lacnic","pki","ripe","roa","rpki","rtr","validator"],"latest_commit_sha":null,"homepage":"https://rpki.cloudflare.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudflare.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-14T15:41:52.000Z","updated_at":"2025-02-11T10:05:16.000Z","dependencies_parsed_at":"2024-02-29T15:55:09.222Z","dependency_job_id":"54386cb5-57ca-4d8d-98de-1e1e3dcb40af","html_url":"https://github.com/cloudflare/cfrpki","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfrpki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfrpki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfrpki/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfrpki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudflare","download_url":"https://codeload.github.com/cloudflare/cfrpki/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247470369,"owners_count":20944146,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afrinic","apnic","arin","certificate","cloudflare","crypto","cryptography","docker","go","golang","hacktoberfest","internet","key","lacnic","pki","ripe","roa","rpki","rtr","validator"],"created_at":"2024-08-01T15:02:04.387Z","updated_at":"2025-04-06T10:32:35.727Z","avatar_url":"https://github.com/cloudflare.png","language":"Go","readme":"# Cloudflare RPKI Validator Tools and Libraries\n\n## DEPRECATION NOTICE\n**This software is no longer maintained. 
We advise replacing your production use of this software with the swap-in replacement [rpki-client](https://rpki-client.org/)**\n\n[![Build Status](https://github.com/cloudflare/cfrpki/workflows/Go/badge.svg)](https://github.com/cloudflare/cfrpki/actions?query=workflow%3AGo)\n\n\u003cimg align=\"left\" src=\"resources/octorpki.png\" alt=\"Cloudflare OctoRPKI logo\"\u003e\n\n_cfrpki_ is a collection of tools and libraries to perform RPKI relying party software\noperations.\n\nThis is the home of the **OctoRPKI validator**.\n\nTo get started with Cloudflare's Relying Party software, go to the section **[OctoRPKI](#octorpki)** 🐙.\n\n\u003cbr\u003e\n\n## Disclaimer\n\n_This software comes with no warranties._\n\n## Getting started\n\n### Introduction\n\nAn RPKI validator performs cryptographic validation on the RPKI data provided\nby the Regional Internet Registries (RIRs).\nEvery network can verify that the routing information data (prefixes and ASNs)\nwas not tampered with.\n\nCloudflare develops and uses OctoRPKI. 
It is the data provider behind\n\u003chttps://rpki.cloudflare.com/\u003e (including the [rpki.json](https://rpki.cloudflare.com/rpki.json)).\nIt is also used in production by multiple networks.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://rpki.cloudflare.com/?view=bgp\u0026prefix=1.1.1.0%2F24\"\u003e\n    \u003cimg src=\"resources/rpki_dashboard.png\" alt=\"Cloudflare RPKI Dashboard\" width=\"600px\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n### OctoRPKI\n\nOctoRPKI requires a bootstrap file in order to fetch the RPKI data.\nThe Trust Anchor Location (TAL) indicates endpoints (rsync/https) hosted\nby Internet resource holders (IP addresses and ASNs), the RIRs.\nBy default, ARIN, _Afrinic, APNIC, LACNIC and RIPE_ TALs are [shipped with this\nsoftware](https://github.com/cloudflare/cfrpki/tree/master/cmd/octorpki/tals).\n\nThis application periodically refreshes the data provided by the RIRs and the delegated organizations.\nIt keeps exploring the RPKI repositories until it reaches a stable state (no new endpoints added).\nBy default, when unstable, the server will return `503` in order to avoid distributing partial data.\n\nThe initial cold start requires a few iterations, which take 5 to 10 minutes (around 500MB are downloaded).\nA refresh is much faster.\n\n- Fetching the root certificate listed in each TAL\n- Fetching the repositories listed in the root certificates (RRDP and rsync)\n- Fetching sub-repositories (National Internet Registries and delegated organizations)\n\nOnce it reaches a stable state, it generates a JSON list of Route Object Authorizations (ROAs).\nA ROA associates an IP prefix with an ASN that is allowed to announce the route via BGP.\nBy default it is available on `http://localhost:8081/output.json`.\nThe current file size is around 20MB.\n\nTo use this tool with your network devices, you need to connect an RTR server\nwhich will read the JSON.\nIt is officially supported by [GoRTR](https://github.com/cloudflare/gortr).\n\nThe list can be signed 
using ECDSA signatures to be redistributed more securely\n(via a CDN or caches).\n\nMetrics are provided on the `/metrics` Prometheus endpoint.\n\nTo install the validator, you have multiple options:\n\n- Fetch a binary or package from the [Releases page](https://github.com/cloudflare/cfrpki/releases)\n- Use Docker\n- Compile it\n\n#### Binaries/packages\n\nFirst, go to the [Releases](https://github.com/cloudflare/cfrpki/releases) tab\nand download the latest version matching your platform.\n\nTo install the Linux deb package and start it:\n\n```bash\n$ sudo dpkg -i octorpki_1.1.4_amd64.deb\n$ sudo systemctl start octorpki\n```\n\nYou can get the logs using:\n\n```bash\n$ sudo journalctl -fu octorpki\n```\n\nPlease note the configuration parameters are in `/etc/default/octorpki`.\nThey match the CLI arguments (`$ octorpki -h` to list them).\n\nFor instance, if you want to change the port:\n\n```bash\n# echo needs no privileges; only the write to /etc/default (via tee) needs sudo\necho 'OCTORPKI_ARGS=-http.addr :8081' | sudo tee /etc/default/octorpki\n```\n\nDo not forget to add the ARIN TAL: `/usr/share/octorpki/tals/arin.tal`\n\nIf you fetch a standalone binary (eg: `octorpki-v1.1.4-linux-x86_64`),\nby default, it will look for the TALs in the `./tals` folder and use `./cache`\nto store the RPKI repository data.\nMake sure you download and put all the TALs in the correct folder.\n\nOnce OctoRPKI has completed its first validation, you can access the\nROA list at the following address: \u003chttp://localhost:8081/output.json\u003e.\n\nBy default, the validator is configured to sign the output.\nWe advise that you generate an ECDSA key. Follow the instructions in the\n[GoRTR](#GoRTR) section.\nYou can disable the signature by passing `-output.sign=false` to the program.\n\n#### Docker\n\nOctoRPKI is available as a Docker container. 
Add the TAL files in the `tals/` folder.\n\n```bash\n$ mkdir tals \u0026\u0026 mkdir cache \u0026\u0026 touch cache/rrdp.json\n$ chmod 770 -R tals \u0026\u0026 chmod 770 -R cache \u0026\u0026 chmod 770 cache/rrdp.json\n$ docker run -ti --net=host -v $PWD/tals:/tals -v $PWD/cache:/cache -p 8081:8081 cloudflare/octorpki\n```\n\nDepending on your Docker configuration, you may need to specify `--net=host`\nand set permissions for the files in order to avoid errors.\n\nUsing the default settings, you can access the generated ROA list on\n\u003chttp://localhost:8081/output.json\u003e.\n\n#### Compile\n\nThe source of OctoRPKI is in the folder `cmd/octorpki`.\nMake sure you have the [Go toolchain installed](https://golang.org/doc/install).\n\nYou can then build using `go build`:\n\n```bash\n$ cd cmd/octorpki \u0026\u0026 go build\n```\n\nThe binary is now available in the same directory.\n\nHave a look at the Makefile for more targets\nto compile or generate a Docker image.\n\n#### [GoRTR](https://github.com/cloudflare/gortr)\n\nIn order to send the computed list of ROAs to the router, the router must be\nconnected to a cache using the RTR protocol.\n\nOctoRPKI does not embed an RTR server. 
Since generating the list of ROAs takes a lot of compute time,\nit was designed to separate the distribution of files from the cryptographic operations.\n\n[GoRTR](https://github.com/cloudflare/gortr) was created by Cloudflare to use a list of ROAs\nfrom either OctoRPKI or similar validators able to produce a JSON file.\n\nTo connect with GoRTR **securely**, you will need to set up a private key.\n\n```bash\n$ openssl ecparam -genkey -name prime256v1 -noout -outform pem \u003e private.pem\n```\n\nYou can force OctoRPKI to use the key by passing `-output.sign.key private.pem`.\n\nThen extract the public key:\n\n```bash\n$ openssl ec -in private.pem -pubout -outform pem \u003e public.pem\n```\n\nIf OctoRPKI is running locally using the default port and file (\u003chttp://localhost:8081/output.json\u003e), you can connect GoRTR:\n\n```bash\n$ gortr -verify.key public.pem -cache http://localhost:8081/output.json\n```\n\nTo disable signing, pass `-output.sign=false` to OctoRPKI and `-verify=false` to GoRTR.\n\nThe [repository's page](https://github.com/cloudflare/gortr) gives more details on how to configure network devices to use GoRTR.\n\n## Monitor\n\nCheck the [Monitoring.md](Monitoring.md) page to see how you can set up dashboards, distributed tracing and error logging.\n\n## Develop\n\n### Libraries\n\n`ov` is the origin validation library. 
You can pass prefixes and it will match them against ROAs.\n\n`sync/lib` can synchronize RRDP and rsync repositories.\n\n`validator/pki` maintains a certificate store and performs validation.\n\n`validator/lib` decodes and encodes RPKI resources.\n\n### Applications\n\n`cmd/localrpki` performs validation against locally stored files\nand generates a JSON prefix list.\n\n`cmd/ctrpki` performs simple validation against files and sends them\nto a [Certificate Transparency Log](https://ct.cloudflare.com/logs/cirrus).\n\n`cmd/octorpki` is the complete validator software, with RRDP and rsync.\nSee the [OctoRPKI](#octorpki) section above for more information.\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fcfrpki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudflare%2Fcfrpki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fcfrpki/lists"}