NIST BGP-SRx is an open source reference implementation and research platform for investigating emerging BGP security and robustness extensions and supporting protocols such as RPKI Origin Validation, BGPsec Path Validation and Route Leak Detection and Mitigation schemes. These tools are contributions from NIST's Robust Inter-Domain Routing Project (see site for other products).
The SRx Crypto API provides a mechanism to exchange BGPsec cryptographic implementations without recompiling the software. Once installed, it provides a configuration file that is used to select the appropriate BGPsec algorithm implementation. The implementation MUST follow the API specification outlined in the header file srxcryptoapi.h.
The SRx-Server provides the validation engine for BGPsec Path Validation, BGP Route Origin Validation, and ASPA path validation. The SRx-Server communicates with RPKI validation caches using the cache-to-router protocol (RFC8210 and RFC8610). For communication with routers, the SRx-Server implementation provides a proxy API that hides the communication complexities from the client. If the router does not want to use the proxy, the SRx-Server provides a TCP-based protocol for exchanging validation requests and validation results.
This package provides a validation server test harness that emulates a Resource PKI (RPKI) validation cache providing Route Origination Authorization (ROA) objects, BGPsec keys, and ASPA objects to be sent to routers. The emulator can be controlled through scripts or a CLI.
The BGPsec-IO (BIO) is a traffic generator that can generate regular BGP-4 updates as well as scripted, multi-hop, end-to-end signed BGPsec update traffic. It can pre-generate traffic to be replayed at a later time, or generate traffic while receiving text-based update commands (prefix / AS-path list) via CLI or file to control the test traffic streams sent to a connected BGP/BGPsec router instance.
The Quagga-SRx (QSRx) implementation is based on Quagga 0.99. It implements BGP Origin Validation, BGP Path Validation, and, as of version 6.0, ASPA path validation.
This implementation modified the decision process of the BGP routing engine: it performs either BGP Origin Validation (BGP-OV) alone or BGP-OV combined with BGPsec Path Validation (BGP-PV), so the policies are tailored to a single, final validation outcome.
Version 6 no longer touches the decision process, and the validation results are no longer combined into a cumulative result; policies can be crafted around each validation separately.
The experiments folder contains an experiment for each validation mode and one combining all three mechanisms (BGP-OV, BGP-PV, ASPA). Each experiment can be run in a "Sandbox" environment.
ExaBGPsec uses the NIST SRxCrypto library, which handles X.509 objects, for the cryptographic calculations of BGPsec path validation. This software is based on the ExaBGP implementation, with added code implementing the BGPsec protocol (RFC 8205).
GoBGPsec uses the NIST SRxCrypto library, which can sign and verify X.509 objects, for the cryptographic calculations of BGPsec path validation. This software is based on the GoBGP implementation, with added code implementing the BGPsec protocol (RFC 8205).
The table below summarizes the features and capabilities of the prototype implementations described above.
Prototypes \ Features | SRx-Crypto-API | SRx-Proxy | SRx-Server | BGP-OV | BGP-PV | ASPA
--- | --- | --- | --- | --- | --- | ---
BGP-SRx v6 | Y | Y | Y - TCP | Y | Y | Y
BGP-SRx v5 | Y | Y | Y - TCP | Y | Y | 
ExaBGPsec | Y | | Y - TCP | Y | Y | 
GoBGPsec | Y | | Y - gRPC/TCP | Y | Y | 
Questions about these tools can be sent to itrg-contact [at] list.nist.gov (subject: BGP-SRx web feedback).
This software suite was developed to: