SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols.
The current focus in the BGP-SRx prototype is on origin validation, although it is designed to be extended to path validation in the future (some stub functionality is already included in this version).
The current release implements:
The RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches. Also included in the release are client/server test harnesses for RPKI/Router and Wireshark modules for debugging.
For those wanting an easy way to experiment with BGP-SRx, in June we made an announcement about BRITE (BGPSEC/RPKI Interoperability Test & Evaluation): http://mailman.nanog.org/pipermail/nanog/2011-June/038063.html
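The origin-validation flow named above, as an added example that is not taken from the SRx code base: it decodes IPv4 Prefix PDUs in the RFC 6810 wire layout, builds the set of validated ROA payloads (VRPs), and classifies a route as valid, invalid or notfound following RFC 6811. All function names, and the sample prefixes and AS numbers, are constructed for this illustration.

```python
import ipaddress
import struct

def parse_ipv4_prefix_pdu(pdu):
    """Decode one RFC 6810 IPv4 Prefix PDU (version 0, type 4, length 20)."""
    if len(pdu) != 20:
        raise ValueError("IPv4 Prefix PDU must be exactly 20 bytes")
    ver, ptype, _zero, length, flags, plen, maxlen, _z, addr, asn = \
        struct.unpack("!BBHIBBBBII", pdu)
    if (ver, ptype, length) != (0, 4, 20) or not plen <= maxlen <= 32:
        raise ValueError("bad version/type/length or prefix/max length")
    net = ipaddress.IPv4Network((addr, plen))  # raises if host bits are set
    return bool(flags & 1), net, maxlen, asn   # flag bit 0: 1=announce, 0=withdraw

def load_vrps(pdus):
    """Apply announce/withdraw PDUs in order; return the set of VRPs left."""
    vrps = set()
    for pdu in pdus:
        announce, net, maxlen, asn = parse_ipv4_prefix_pdu(pdu)
        (vrps.add if announce else vrps.discard)((net, maxlen, asn))
    return vrps

def validate_origin(prefix, origin_as, vrps):
    """RFC 6811 outcome for one route: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.IPv4Network(prefix)
    covered = False
    for net, maxlen, asn in vrps:
        if route.subnet_of(net):               # this VRP covers the route
            covered = True
            if route.prefixlen <= maxlen and asn == origin_as:
                return "valid"
    return "invalid" if covered else "notfound"

def build_pdu(prefix, maxlen, asn, announce=True):
    """Constructed input: encode a VRP as a cache would put it on the wire."""
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!BBHIBBBBII", 0, 4, 0, 20, int(announce),
                       net.prefixlen, maxlen, 0, int(net.network_address), asn)

SAMPLE_PDUS = [  # constructed: documentation prefixes and AS numbers, not real ROAs
    build_pdu("192.0.2.0/24", 24, 64496),
    build_pdu("198.51.100.0/24", 24, 64497),
    build_pdu("198.51.100.0/24", 24, 64497, announce=False),  # withdrawn again
]

if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_PDUS)
    for route in [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496)]:
        print(*route, validate_origin(*route, vrps))
```

A route that is more specific than the max length of a covering VRP comes out invalid even when the origin AS matches, which is the case a policy built on these results has to decide how to handle.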
BGP-SRx has three parts:
BGP-SRx is designed to minimize the dependencies on and the impact to specific router implementations. As a result, much functionality is provided by the stand-alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures. As a result, the SRx module can run on the router, the validating cache, or on a completely separate platform.
Install binaries using "yum"
Since SRx-server version 0.3.0.2 and QuaggaSRx version 0.3.1.0
(based on Quagga 0.99.22) we offer SRx as installable binaries using yum.
Please download the yum repository which is available in the downloads
section below. The repository file needs to be copied into the
/etc/yum.repos.d folder. Once this is done you can install the binaries
using yum install srx quaggasrx. The configuration files for both
the BGP daemon and the SRx server are located in the folder /etc.
The usage of the software in binary format or self compiled is at your own risk!
Test and Debug
You can use BRITE to run BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.
Included in the distribution below are Wireshark modules for the rpki-rtr protocol (RFC 6810) and the SRx-Proxy-Server protocol (version 1.0).
In addition, for those wanting an easy way to experiment with BGP-SRx, in June we made an announcement about
our BRITE system (http://brite.antd.nist.gov/):
Package YUM_REPOSITORY0: The srx repository file to allow installing the binaries using the yum installer!
Package YUM_ALPHAREPO0: This latest repository provides an alpha repository for the SRx software - BGPSEC path validation. This software is unstable and might crash once in a while. Updates will be posted frequently. The software is offered as a first look and allows interoperability tests!
Package BUNDLE22000301: A Bundle of all software and documentation. This is the preferred download. The downloads below are à la carte.
Package QSRX22000301: QuaggaSRx - This is Quagga-0.99.22 with SRx Proxy 0.3.1.0 embedded.
Package SRX000300: BGP-SRx server V0.3.0.2 implementation. This is the prototype of the reference implementation for origin evaluation. This software is developed under Fedora Linux FC14 and CentOS 6.4 and tested on both 32 and 64 bit. Please report any problems to the development team at firstname.lastname@example.org!
Package WSRPKI6810: Wireshark plugin for the RPKI-RTR protocol (RFC 6810). This plugin filters clear text TCP traffic.
Package WSSRXPX010000: Wireshark plugin that allows monitoring the configuration between a BGP-SRx proxy API and the BGP-SRx server. This plugin monitors protocol draft version 1.0.0.
Package BUNDLE22000300: This Bundle contains QuaggaSRx V0.3.0.1 and SRx-server V0.3.0.1 with all software and documentation - newer version available -
Package BUNDLE16000300: A Bundle of all software and documentation based on Quagga 0.99.16 - deprecated -
This software and test tools were developed by the Advanced Network Technologies Division (ANTD) at the National Institute of Standards and Technology (NIST) as part of the collaborative effort between NIST and The Department of Homeland Security, Science and Technology Directorate's Secure Protocols for the Routing Infrastructure Project.
For inquiries regarding this project, contact email@example.com.