SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols.
The current focus in the BGP-SRx prototype is on origin validation, although it is designed to be be extended to path validation in the future (some stub functionality is already included in this version).
The current release implements:
The RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches. Also included in the release are test client/server test harnesses for RPKI/Router and WireShark modules for debugging.
For those wanting an easy way to experiment with BGP-SRx, in June we made an announcement about BRITE (BGPSEC/RPKI Interoperability Test &Evaluation): http://mailman.nanog.org/pipermail/nanog/2011-June/038063.html
BGP-SRx has three parts:
BGP-SRx was designed to minimize the dependencies on and impact to specific router implementations, as result a much functionality as possible is provided by the stand alone SRx server module. The prototype was also designed to support experimentation with various deployment architectures, as a result the SRx module can run on the router, the validating cache, or on separate platform from either.
Test and Debug
You can use BRITE to run BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.
Included in the distribution below are wireshark modules for the rpki-rtr protocol (RFC6810) and the SRx-Proxy-Server protocol (version 1.0).
In addition, those wanting an easy way to experiment with BGP-SRx, in June we made an announcement about
our BRITE system (http://brite.antd.nist.gov/):
Package BUNDLE000300: A Bundle of all software and documentation. This might be the preferred download. The downloads below are a'La Carte.
Package SRX000300: BGP-SRx server implementation. This prototype of the reference implementation for origin evaluation. This software is developed under Fedora Linux FC14, tested on 32 and 64 bit. Please report any problems to the development team at firstname.lastname@example.org!
Package QSRX16000300: QuaggaSRx - This is Quagga-0.99.16 with SRx Proxy 0.3.0 embedded.
Package QSRX_PATCH16030: Quagga -> QuaggaSRx - This allows to patch the original Quagga-0.99.16 source code to QuaggaSRx-0.99.16-0.3.0
Package WSRPKI6810: Wireshark plugin for the RPKI-RTR protocol (rfc6810). This plugin filters clear text TCP traffic.
Package WSSRXPX010000: Wireshark plugin that allows to monitor the configuration between an BGP-SRx proxy API and the BGP-SRx server. This plugin monitors protocol draft version 1.0.0
This software and test tools were developed by the Advanced Network Technologies Division (ANTD) at the National Institute of Standards and Technology (NIST) as part of the collaborative effort between NIST and The Department of Homeland Security, Science and Technology Directorate's Secure Protocols for the Routing Infrastructure Project.
For inquiries regarding this project, contact email@example.com.