BGP Secure Routing Extension (BGP-SRx)

Please read the NIST disclaimer regarding the software of this project, the information it provides and the other resources it uses. In particular note that these software prototypes are expressly provided "as is" and are intended for research and development purposes only.

SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols.

The current focus of the BGP-SRx prototype is on origin validation, although it is designed to be extended to path validation in the future (some stub functionality is already included in this version).

The current release implements:

The RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches. Also included in the release are client/server test harnesses for RPKI/Router.

For those wanting an easy way to experiment with BGP-SRx, we provide the BRITE system (see the Test and Debug section below). For more information see our video about Quagga SRx and BRITE.

BGP-SRx Architecture:

BGP-SRx has three parts:

  • SRx Server
  • SRx API
  • Quagga SRx (integrates SRx API into Quagga router)




BGP-SRx is designed to minimize the dependencies on, and the impact to, specific router implementations. As a result, much functionality is provided by the stand-alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures. As a result, the SRx module can run on the router, on the validating cache, or on a completely separate platform.

Documentation:

Install binaries using "yum"

Since SRx-server version 0.3.0.2 and QuaggaSRx version 0.3.1.0 (based on Quagga 0.99.22) we offer SRx as installable binaries using yum. Please download the yum repository file, which is available in the downloads section below. The repository file needs to be copied into the /etc/yum.repos.d folder. Once this is done you can install the binaries using yum install srx quaggasrx. The configuration files for both the BGP daemon and the SRx server are located in the folder /etc.
Be aware that the quaggasrx software is based upon quagga and that the two software packages should not be installed at the same time.

Test and Debug

To facilitate test and evaluation of BGP-SRx (or any other BGP security implementation) we have developed the BRITE (BGPSEC / RPKI Interoperability Test & Evaluation) system. BRITE is available at http://brite.antd.nist.gov/

You can use the BRITE on-line test system to put BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

See Also

Alpha Releases

For certain projects we provide early-bird releases, a.k.a. pre-alpha and alpha releases. These software packages are not extensively tested and do not provide full functionality. They are intended for early interoperability testing and are updated on a more regular basis. In general, alpha releases are only offered as binaries using the yum repository package YUM_ALPHAREPO0 listed below in the Downloads section.

Currently the following software is in ALPHA release:

  • Quagga SRx - BGPSEC Alpha: This release is mainly offered as an early interoperability tester for BGPSEC session negotiation and BGPSEC path attribute generation and validation. Router keys are self-signed and stored in a local file (i.e., no rpki-to-router support for router keys yet). For now, there is just a binary release and an instruction file explaining how to operate the prototype as an interoperability test tool. Router diagnostic commands have been extended to display BGPSEC information, e.g.:
    
      bgpd# show ip bgp 10.40.0.0/16
      BGP routing table entry for 10.40.0.0/16
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        2030 40
          SRx Information:
            Update ID: 0.09A2630D
            Validation:
              prefix-origin: valid
              path:   valid
              bgpsec: valid (combination of prefix-origin and path validation)
            PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)
              signature block #1: algorithm suite id 1
              path segment 1: as=2030; pcount=1
                signature segment [1]: block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA
              path segment 2: as=40; pcount=1
                signature segment [1]: block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F
          10.0.1.2 from 10.0.1.2 (10.0.1.2)
            Origin IGP, localpref 100, valid, external, best
            Last Update: Wed Mar  5 20:42:37 2014

    For questions or comments regarding this software please contact bgpsrx-dev@nist.gov.
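
The following Python code is an added example, not part of the NIST software or of the original page: it parses the SRx block of the diagnostic output shown above and reports conditions a route monitor would alert on. The function names and alert rules are assumptions for illustration, and the field layout is inferred only from the single sample on this page.

```python
import re

# Sample lines copied from the output shown above (indentation normalised).
SAMPLE = """\
BGP routing table entry for 10.40.0.0/16
  SRx Information:
    Validation:
      prefix-origin: valid
      path:   valid
      bgpsec: valid (combination of prefix-origin and path validation)
    PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)
      path segment 1: as=2030; pcount=1
        signature segment [1]: block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA
      path segment 2: as=40; pcount=1
        signature segment [1]: block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F
"""
STATES = ("prefix-origin", "path", "bgpsec")
PATHTYPE = re.compile(r"PathType: BGPSEC-Path \(\s*(\d+) signature blocks, each with (\d+) path segments\)")

def parse_srx(text):
    """Extract the prefix, validation states and BGPSEC path segments."""
    info = {"prefix": None, "validation": {}, "declared": None, "segments": []}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"BGP routing table entry for (\S+)", line):
            info["prefix"] = m.group(1)
        elif m := re.match(r"(prefix-origin|path|bgpsec):\s*(\S+)", line):
            info["validation"][m.group(1)] = m.group(2)
        elif m := PATHTYPE.match(line):
            info["declared"] = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"path segment \d+: as=(\d+); pcount=(\d+)", line):
            info["segments"].append({"as": int(m.group(1)), "pcount": int(m.group(2)), "skis": []})
        elif (m := re.match(r"signature segment \[\d+\]: block \d+, ski=([0-9A-F]{40})$", line)) and info["segments"]:
            info["segments"][-1]["skis"].append(m.group(1))
    return info

def audit(info):
    """Return alert strings; an empty list means nothing to report."""
    findings = [f"{k} is {v}" for k, v in info["validation"].items() if v != "valid"]
    findings += [f"{k} state missing" for k in STATES if k not in info["validation"]]
    if info["declared"]:
        blocks, segs = info["declared"]
        if len(info["segments"]) != segs:
            findings.append(f"declared {segs} path segments, parsed {len(info['segments'])}")
        for s in info["segments"]:
            # Assumed from the sample: one signature per segment per block.
            if len(s["skis"]) != blocks:
                findings.append(f"AS{s['as']}: {len(s['skis'])} signatures for {blocks} blocks")
    return findings
```
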


Downloads:

To download the software, select one of the available packages below.

Package YUM_REPOSITORY0: The srx repository file to allow installing the binaries using the yum installer!

Package YUM_ALPHAREPO0: This latest repository provides a stub-alpha release of SRx with BGPSEC path validation. This release has not been tested extensively. Updates will be posted frequently as we continue to test and refine this capability.
This release is mainly offered as an early interoperability tester for BGPSEC session negotiation and validation. Router keys are self-signed and stored in a local file (i.e., no rpki-to-router support for router keys yet).

Package BUNDLE22000301: A bundle of all software and documentation for origin validation. This is the preferred download. The downloads below are à la carte.

Package QSRX22000301: QuaggaSRx - This is Quagga-0.99.22 with SRx Proxy 0.3.1.0 embedded.

Package SRX000300: BGP-SRx server V0.3.0.2 implementation. This is the prototype of the reference implementation for origin evaluation. This software is developed under Fedora Linux FC14 and CentOS 6.4 and tested on both 32-bit and 64-bit. Please report any problems to the development team at bgpsrx-dev@nist.gov!

Package BUNDLE22000300: This bundle contains QuaggaSRx V0.3.0.1 and SRx-server V0.3.0.1 with all software and documentation - newer version available -

Package BUNDLE16000300: A Bundle of all software and documentation based on Quagga 0.99.16 - deprecated -


Acknowledgements

This software and these test tools were developed by the Advanced Network Technologies Division (ANTD) at the National Institute of Standards and Technology (NIST) as part of the collaborative effort between NIST and the Department of Homeland Security, Science and Technology Directorate's Secure Protocols for the Routing Infrastructure Project.


Project Contact

For inquiries regarding this project, contact bgpsrx-dev@nist.gov.
 
