SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols.

The current focus in the BGP-SRx prototype is on origin validation, although it is designed to be be extended to path validation in the future (some stub functionality is already included in this version).

The current release implements:

The RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches. Also included in the release are test client/server test harnesses for RPKI/Router and WireShark modules for debugging.

For those wanting an easy way to experiment with BGP-SRx, in June we made an announcement about BRITE (BGPSEC/RPKI Interoperability Test &Evaluation): http://mailman.nanog.org/pipermail/nanog/2011-June/038063.html

BGP-SRx Architecture:

BGP-SRx has three parts:

• SRx Server
• SRx API
• Quagga SRx (integrates SRx API into Quagga router):

BGP-SRx was designed to minimize the dependencies on and impact to specific router implementations, as result a much functionality as possible is provided by the stand alone SRx server module. The prototype was also designed to support experimentation with various deployment architectures, as a result the SRx module can run on the router, the validating cache, or on separate platform from either.

Documentation:

• Users Manual for BGP-SRx Server and tools
• Users Manual for QuaggaSRx.
• Protocol description for Proxy to BGP-SRx server communication.

Test and Debug

You can use BRITE to run BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

Included in the distribution below are wireshark modules for the rpki-rtr protocol (version 14) and the SRx-Proxy-Server protocol (version 7).

In addition, those wanting an easy way to experiment with BGP-SRx, in June we made an announcement about our BRITE system (http://brite.antd.nist.gov/):
http://mailman.nanog.org/pipermail/nanog/2011-June/038063.html. You can use the BRITE on-line test system to put BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

Downloads:

To download the software, select one of the available versions below. It is required to fill out the download form! Feedback is highly appreceated!

Package BUNDLE000200: A Bundle of all software and documentation. This might be the preferred download. The downloads below are a'La Carte.

Package SRX000200: BGP-SRx server implementation. This prototype of the reference implementation for origin evaluation. This software is developed under Fedora Linux FC14, tested on 32 and 64 bit. Please report any problems to the development team at bgpsrx-dev@nist.gov!

Package QSRX000200: QuaggaSRx - This is is Quagga-0.99.16 with SRx Proxy embedded.

Package WSRPKI001400: Wireshark plugin for the RPKI-RTR protocol (currenlty for draft version 14). This plugin filters clear text TCP traffic.
This plug in can be configured to assign a tcp port to the protocol. Assigning port 0 will disable this feature.

Package WSSRXPX000700: Wireshark plugin that allows to monitor the configuration between an BGP-SRx proxy API and the BGP-SRx server. This plugin monitors protocol draft version 7.
This plug in can be configured to assign a tcp port to the protocol. Assigning port 0 will disable this feature, for BGP-SRx default usage it is recommended to configure it for port 17900.

Sponsors

This software and test tools were developed by the Advanced Network Technologies Division (ANTD) at the National Institute of Standards and Technology (NIST) as part of the collaborative effort between NIST and The Department of Homeland Security, Science and Technology Directorate's Secure Protocols for the Routing Infrastructure Project.

Project Contact

For inquiries regarding this project, contact bgpsrx-dev@nist.gov.