# RPKI RTR Server

Default runtime target: Ubuntu/Linux. Windows is only used during development.

## Tests

```bash
cargo test
```

To show test output:

```bash
cargo test -- --nocapture
```

## RTR Server

The RTR server binary reads its runtime configuration from environment variables. If an environment variable is not set, the built-in default from `src/main.rs` is used.

### Environment Variables

| Variable | Description | Example |
| --- | --- | --- |
| `RPKI_RTR_ENABLE_TLS` | Enable TLS listener in addition to TCP. Accepts `true/false`, `1/0`, `yes/no`, `on/off`. | `true` |
| `RPKI_RTR_TCP_ADDR` | TCP bind address. | `0.0.0.0:3323` |
| `RPKI_RTR_TLS_ADDR` | TLS bind address. | `0.0.0.0:3324` |
| `RPKI_RTR_DB_PATH` | RTR RocksDB path. | `./rtr-db` |
| `RPKI_RTR_VRP_FILE` | Input VRP file path. | `./data/vrps.txt` |
| `RPKI_RTR_TLS_CERT_PATH` | TLS server certificate path. | `./certs/server.crt` |
| `RPKI_RTR_TLS_KEY_PATH` | TLS server private key path. | `./certs/server.key` |
| `RPKI_RTR_TLS_CLIENT_CA_PATH` | Client CA certificate path used to verify router certificates. | `./certs/client-ca.crt` |
| `RPKI_RTR_MAX_DELTA` | Maximum retained delta count. | `100` |
| `RPKI_RTR_REFRESH_INTERVAL_SECS` | VRP reload interval in seconds. | `300` |
| `RPKI_RTR_MAX_CONNECTIONS` | Maximum concurrent RTR connections. | `512` |
| `RPKI_RTR_NOTIFY_QUEUE_SIZE` | Broadcast queue size for serial notify events. | `1024` |
| `RPKI_RTR_TCP_KEEPALIVE_SECS` | TCP keepalive time in seconds. Set `0` to disable. | `60` |
| `RPKI_RTR_WARN_INSECURE_TCP` | Emit a warning when plain TCP is enabled. Accepts boolean values. | `true` |
| `RPKI_RTR_REQUIRE_TLS_SERVER_DNS_NAME_SAN` | Strict mode: reject TLS server certificates that do not contain a `subjectAltName dNSName`. Accepts boolean values. | `false` |

### Notes

- Plain TCP should only be used on a trusted and controlled network.
- TLS mode requires client certificate authentication.
- In strict TLS server certificate mode, a server certificate without `subjectAltName dNSName` will be rejected during startup.
- `RPKI_RTR_TCP_KEEPALIVE_SECS=0` disables TCP keepalive. Any non-zero value enables keepalive for the lifetime of each accepted socket.

## Example Startup

### Bash

```sh
export RPKI_RTR_ENABLE_TLS=true
export RPKI_RTR_TCP_ADDR=0.0.0.0:3323
export RPKI_RTR_TLS_ADDR=0.0.0.0:3324
export RPKI_RTR_DB_PATH=./rtr-db
export RPKI_RTR_VRP_FILE=./data/vrps.txt
export RPKI_RTR_TLS_CERT_PATH=./certs/server-dns.crt
export RPKI_RTR_TLS_KEY_PATH=./certs/server-dns.key
export RPKI_RTR_TLS_CLIENT_CA_PATH=./certs/client-ca.crt
export RPKI_RTR_TCP_KEEPALIVE_SECS=60
export RPKI_RTR_WARN_INSECURE_TCP=true
export RPKI_RTR_REQUIRE_TLS_SERVER_DNS_NAME_SAN=true

cargo run
```

A ready-to-edit example script is provided at [`scripts/start-rtr-server.sh`](scripts/start-rtr-server.sh).
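
A pre-flight audit of the variables documented above can catch a mistyped boolean or an exposed plain-TCP listener before the server starts. The sketch below is an added example, not code from this repository: `parse_bool`, `keepalive` and `audit` are hypothetical names, and case-insensitive boolean matching and reporting of unrecognised values are assumptions of the example, not documented server behaviour.

```rust
use std::net::SocketAddr;
use std::time::Duration;

/// Boolean spellings listed in the table: true/false, 1/0, yes/no, on/off.
/// Case-insensitive matching is an assumption of this example.
fn parse_bool(raw: &str) -> Option<bool> {
    match raw.trim().to_ascii_lowercase().as_str() {
        "true" | "1" | "yes" | "on" => Some(true),
        "false" | "0" | "no" | "off" => Some(false),
        _ => None,
    }
}

/// `RPKI_RTR_TCP_KEEPALIVE_SECS`: 0 disables keepalive, any other value enables it.
fn keepalive(raw: &str) -> Result<Option<Duration>, String> {
    match raw.trim().parse::<u64>() {
        Ok(0) => Ok(None),
        Ok(secs) => Ok(Some(Duration::from_secs(secs))),
        Err(e) => Err(format!("RPKI_RTR_TCP_KEEPALIVE_SECS={raw:?}: {e}")),
    }
}

/// Hypothetical audit: `get` stands in for `std::env::var(..).ok()` so the
/// check can also run on constructed input. Returns one line per finding.
fn audit(get: impl Fn(&str) -> Option<String>) -> Vec<String> {
    let mut findings = Vec::new();
    for name in ["RPKI_RTR_ENABLE_TLS", "RPKI_RTR_WARN_INSECURE_TCP",
                 "RPKI_RTR_REQUIRE_TLS_SERVER_DNS_NAME_SAN"] {
        if let Some(v) = get(name) {
            if parse_bool(&v).is_none() {
                findings.push(format!("{name}={v:?} is not a documented boolean"));
            }
        }
    }
    if let Some(v) = get("RPKI_RTR_TCP_KEEPALIVE_SECS") {
        if let Err(e) = keepalive(&v) { findings.push(e); }
    }
    // Plain TCP is for trusted networks only: flag a bind address that is not loopback.
    if let Some(v) = get("RPKI_RTR_TCP_ADDR") {
        match v.parse::<SocketAddr>() {
            Ok(a) if !a.ip().is_loopback() =>
                findings.push(format!("plain TCP listens on {a}; restrict to a trusted network")),
            Ok(_) => {}
            Err(e) => findings.push(format!("RPKI_RTR_TCP_ADDR={v:?}: {e}")),
        }
    }
    findings
}

fn main() {
    for f in audit(|k| std::env::var(k).ok()) { println!("finding: {f}"); }
}
```

A non-loopback plain-TCP bind is reported as a finding rather than an error, since it is acceptable on a trusted and controlled network.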