BGP Secure Routing Extension (BGP‑SRx)

Please read the NIST disclaimer regarding the software of this project, the information it provides and the other resources it uses. In particular note that these software prototypes are expressly provided "as is" and are intended for research and development purposes only.

SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols such as RPKI Origin Validation and BGPSec Path Validation.

The current release includes:

  • RPKI Route Origin Validation including the RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches.

  • BGPSec Path Validation with a modular crypto engine that allows crypto engine plugins to test different implementations without the need of recompiling the code.

  • Router key distribution using the RPKI/Router Protocol.

  • Transfer of RPKI validation results using the extended community string.

  • Support for Extended Message Capability for sending BGP UPDATE messages larger than 4K.

  • A BGPsec traffic generator that allows to generate multi hop BGPsec traffic using simple configuration files as well as as piped in traffic.

  • A set of test harnesses that can easily be extended for test and research purpose.

  • The software is open source and well documented!

For those wanting an easy way to experiment with BGP-SRx, we provide the BRITE system (See Test and Debug section below). For more information see out video about Quagga SRx and BRITE.

BGP-SRx Architecture:

BGP-SRx has three parts:

  • SRx Server
  • SRx API
  • Quagga SRx (integrates SRx API into Quagga router):

BGP-SRx is designed in such to minimize the dependencies on and the impact to specific router implementations. As a result much functionality is provided by the stand alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures. As a result the SRx module can run on the router, the validating cache, or on a complete separate platform.


Test and Debug

You can use BRITE to run BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

To facilitate test and evaluation of BGP-SRx (or any other BGP secutiry implementation) we have developed the BRITE (BGPSEC / RPKI Interoperability Test & Evaluation) system. Brite is available at

You can use the BRITE on-line test system to put BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

See Also

QuaggaSRx - BGPSec Path Validation

Within the previous version, all crypto processing was performed by QuaggaSRx using the SRxCryptoAPI
We finally allow the crypto validation to take place in the SRx-Server. The SRx-Server is able to receive router keys via the RPKI to Cache Protocol and monitors modification within the key storage. Srx-Server notifies the router if validation results changed due to key and ROA changes. In contrary to previous versions, we dampened the ROA validation change by not sending validation result state changes due to modification of changes in the RPKI up until the complete cache update is received and processed. This reduces churn in the routing engine due to possible repeditive restarting of the decission process as it happened in previous versions.
Path signing is still performed on the router side, not within the SRx-Server.

The current implementation still needs work. We updated the code to use the IANA assigned values for capability and BGPsec_PATH attribute. To be backwards compatible with other implementations if is possilbe to pass other values during the configuration stage to QuaggaSRx and BGPSEC-IP. Please see the ChangeLog for more informationon that.

Router diagnostic commands have been extended to display basic BGPSEC information, such as:

  bgpd# show ip bgp

  BGP routing table entry for

  Paths: (1 available, best #1, table Default-IP-Routing-Table)

    Not advertised to any peer

    2030 40

      SRx Information:

        Update ID: 0.09A2630D


          prefix-origin: valid

          path:   valid

          bgpsec: valid (combination of prefix-origin and path validation)

        PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)

          signature block #1: algorithm suite id 1

          path segment 1: as=2030; pcount=1

            signature segment [1]: block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA

          path segment 2: as=40; pcount=1

            signature segment [1]: block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F from (

        Origin IGP, localpref 100, valid, external, best

        Last Update: Wed Mar  5 20:42:37 2014  


For quesitions or comments regarding this software please contact

The BGP-SRx Software Suite is developed and tested using CentOS 6 and CentOS 7 systems. All binaries provided are compiled on this system as well. This does not mean we endorse CentOS over any other linux distribution, it just means we did not test the BGP-SRx Software Suite on any other system.


To download the software, select one of the available packages below.

Package BGPSRX500: SRx Software Suite Version 5.0.0. This software package is developed and tested on CentOS 6 and CentOS 7. .
The software bundle contains the following implementations:
* NIST BGPSEC-IO V0.2.0.8, a BGPsec traffic generator that allows to generate BGPsec traffic and play it against BGPsec routers.
* NIST QuaggaSRx V0.4.2.4, a BGPsec capable BGP router based on Quagga 0.99.22.
* NIST SRx-Server V0.5.0.0, a BGP/BGPsec UPDATE validation server that performs Route Origin Validation and BGPsec Path Validation. It monitors the validation state of each registered update and notifies the router of changes dues to changes within the RPKI. SRx-Server provides an RPKI cache test harness, a lightweight server that allows to simulate an RPKI validation cache and provides ROA and router key information to the SRx-Server via the RPKI-to-Router Protocol.
* NIST SRxCryptoAPI V0.2.0.3, a library that allows to install custom crypto modules for BGPsec path validation.
For more information please see the README files as well as the Quick Installation Guide.
.All documentation is bundled within this release.

Package BUNDLE22040202: A Bundle of all software and documentation for origin validation.The downloads below are a'La Carte.

Package BUNDLE22040103: A Bundle of all software and documentation for origin validation.The downloads below are a'La Carte.

Package BUNDLE22000301: This Bundle contains QuaggaSRx V0.3.1.0 and SRx-server V0.3.0.4 with all software and documentation - newer version available-

Package BUNDLE22000300: This Bundle contains QuaggaSRx V0.3.0.1 and SRx-server V0.3.0.1 with all software and documentation - newer version available-

Package BUNDLE16000300: ABundle of all software and documentation based on Quagga 0.99.16 - deprecated -


This software and test tools were developed by the Advanced Network Technologies Division (ANTD) at the National Institute of Standards and Technology (NIST) as part of the collaborative effort between NIST and The Department of Homeland Security, Science and Technology Directorate's Secure Protocols for the Routing Infrastructure Project.

Project Contact

For inquiries regarding this project, contact
Back to NIST Home