
BGP Secure Routing Extension (BGP-SRx) Software Suite

NIST BGP-SRx is an open source reference implementation and research platform for investigating emerging BGP security and robustness extensions and their supporting protocols, such as RPKI Origin Validation, BGPsec Path Validation, and route leak detection and mitigation schemes. These tools are contributions from NIST's Robust Inter-Domain Routing Project (see the project site for other products).

  • Note that all software described on this page is covered by the NIST software disclaimer.
  • Questions or comments about these tools can be sent to itrg-contact [at] list.nist.gov.

The BGP-SRx suite includes:

Figure: Quagga-SRx software architecture.
  • Quagga-SRx, GoBGPsec, ExaBGPsec - three distinct reference implementations built on different open source routers with support for: 
    • BGP Origin Validation (BGP-OV) (RFC 6811):
      • BGP-OV validation state signaling (RFC 8097)
    • ASPA route leak detection (ASPA Internet Draft, algorithm enhancement)
    • BGPsec Path Validation (BGP-PV) (RFC 8205):
      • SRx-Crypto-API - providing a common interface for BGPsec signing and validation implementations.
        Figure: SRx-Proxy with TCP and gRPC interfaces.
        • Demonstrated support for alternative cryptographic implementations.
      • SRx-Proxy - that supports communication between a router and the SRx-Server.
    • Extensions to router configuration and monitoring tools to support BGP-OV, BGP-PV and ASPA validation policies.
  • SRx-Server - a distributed server capable of providing BGP origin validation, path validation and ASPA validation services to multiple routers.
    Figure: Distributed SRx-Server deployment options.
    • Distributed architecture allows off-loading compute intensive validation and RPKI data management tasks from individual routers.
    • A single SRx-Server can provide validation services for multiple routers.
    • Centralized validation engine ensures consistent results among all connected routers.
  • BGPsec-IO (BIO) - a test tool and experimentation framework that enables testing router implementations at scale in a laboratory setting. BIO supports:
    • Emulation of an RPKI validation cache and RPKI data repositories.
      • Simple scripted text files for RPKI ROA and router key, and ASPA data.
      • Support for the RPKI-to-Router protocol (RFC 8210) for distribution of RPKI data to live router implementations.
      Figure: BGPsec-IO test and experimentation framework.
    • Controlled experiments with dynamic RPKI changes:
      • Time-based scenario scripting of when RPKI data will be pushed to router, or
      • CLI based event control to support interactive scenarios.
    • BGP/BGPsec Traffic generator with support for:
      • Emulation of one or more BGP peers operating live BGP-4 and/or BGPsec sessions with a router under test.
        • BGP traffic data from simple configuration files or from real BGP traffic captures.
      • Protocol analyzer traces of BGP/BGPsec traffic on sender and receiver side.
        • BIO can be used as a traffic generator or a traffic monitor.
      • Special BGPsec testing modes, including:
        • Support for deterministic ECDSA signatures using specified k-value.
        • Ability to use pre-scripted signature value to test validation algorithm.
  • Example graphs from performance analysis results (figure: Example results from performance analysis of BGPsec prototypes).
  • Extensive documentation.
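The two validation steps listed above for the router implementations, RFC 6811 origin validation and ASPA-based route leak detection, together with the RFC 8097 validation-state signaling, are shown below as an added worked example. This is illustrative code written for this page, not code from BGP-SRx, the SRx-Server or any of the routers; the ROA and ASPA data, prefixes and ASNs are constructed (documentation ranges), and the ASPA check is the plain per-hop upstream verification from the ASPA verification draft, not the enhanced algorithm the suite refers to.

```python
"""Added example (not part of NIST BGP-SRx): RFC 6811 origin validation,
ASPA upstream route-leak check and RFC 8097 state encoding over a
constructed RPKI data set."""
import ipaddress
import struct
from typing import Dict, List, Set, Tuple

# Constructed ROA data as an RPKI cache would serve it: (prefix, maxLength, origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

# Constructed ASPA data: customer ASN -> set of authorized provider ASNs.
ASPAS: Dict[int, Set[int]] = {
    64496: {64500},
    64500: {64510},
    64497: {64501},
}

VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"
ASPA_VALID, ASPA_UNKNOWN, ASPA_INVALID = "valid", "unknown", "invalid"


def origin_validation(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 section 2: Valid if a covering ROA matches the origin ASN and the
    announced length is within maxLength; Invalid if covering ROAs exist but none
    matches; NotFound if no ROA covers the prefix at all."""
    net = ipaddress.ip_network(prefix)
    covering = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covering = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return VALID
    return INVALID if covering else NOT_FOUND


def aspa_upstream_check(as_path: List[int], aspas=ASPAS) -> str:
    """Upstream verification for a route learned from a customer or lateral peer.
    Reading the AS_PATH from the origin (last element) toward the neighbor
    (first element), every hop must be customer -> provider. A customer whose
    ASPA does not list the next AS marks a leak (Invalid); a customer with no
    ASPA leaves the hop unattested (Unknown unless a leak is found)."""
    path = list(reversed(as_path))  # origin first
    unattested = False
    for customer, provider in zip(path, path[1:]):
        if customer == provider:  # AS prepending is not an inter-AS hop
            continue
        providers = aspas.get(customer)
        if providers is None:
            unattested = True
        elif provider not in providers:
            return ASPA_INVALID
    return ASPA_UNKNOWN if unattested else ASPA_VALID


OV_STATE_CODE = {VALID: 0, NOT_FOUND: 1, INVALID: 2}


def encode_ov_state(state: str) -> bytes:
    """RFC 8097 BGP Origin Validation State extended community: type 0x43,
    sub-type 0x00, five reserved octets, last octet carries the state."""
    return struct.pack("!BB5xB", 0x43, 0x00, OV_STATE_CODE[state])


def classify_update(prefix: str, as_path: List[int]) -> Tuple[str, str, str]:
    """Evaluate one received route: origin state, ASPA state, and the hex
    encoding of the RFC 8097 community a router would attach for the origin state."""
    ov = origin_validation(prefix, as_path[-1])
    return ov, aspa_upstream_check(as_path), encode_ov_state(ov).hex()


if __name__ == "__main__":
    for prefix, path in [("192.0.2.0/24", [64510, 64500, 64496]),
                         ("192.0.2.0/24", [64520, 64500, 64496]),
                         ("203.0.113.0/24", [64530, 64510, 64500, 64496])]:
        print(prefix, path, classify_update(prefix, path))
```

The second route in the `__main__` block is origin-valid but ASPA-invalid: 64500 forwarded the route to 64520, which its ASPA does not authorize as a provider. That is exactly the case where an origin-only policy accepts a leaked route and a separate ASPA policy (as in Quagga-SRx version 6, where each validation is evaluated on its own) can reject it.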

Software Module Details:

SRx Crypto API

The SRx Crypto API is used to provide a mechanism to exchange BGPsec cryptographic implementations without the need to recompile the software. Once installed, it provides a configuration file that is used to select the appropriate BGPsec algorithm implementation. The implementation MUST follow the API's specification outlined in the header file srxcryptoapi.h.

SRx-Server

Figure: SRx-Server software architecture.

The SRx-Server provides the validation engine for BGPsec Path Validation, BGP Route Origin Validation, and ASPA path validation. The SRx-Server communicates with RPKI validation caches using the cache-to-router protocol (RFC8210 and RFC8610). For communication with routers, the SRx-Server implementation provides a proxy API that hides the communication complexities from the client. If a router does not want to use the proxy, the SRx-Server also provides a TCP-based protocol for exchanging validation requests and validation results.

Utilities

This package provides a validation server test harness that emulates a Resource PKI (RPKI) validation cache providing Route Origination Authorization (ROA) objects, BGPsec keys, and ASPA objects to be sent to the routers. This emulator can be controlled using scripts or through a CLI.

BGPsec-IO

BGPsec-IO (BIO) is a traffic generator that can generate regular BGP-4 updates as well as scripted, end-to-end signed, multi-hop BGPsec update traffic. It can pre-generate traffic to be replayed at a later time, or generate traffic while receiving text-based update commands (prefix and AS-path lists) via CLI or file to control the test traffic streams sent to a connected BGP/BGPsec router instance.
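To make concrete what a scripted generator of this kind has to produce for the plain BGP-4 case, the following added example turns a small "prefix AS-path" script into RFC 4271 UPDATE messages and decodes them again. It is example code written for this page, not BIO's own; the script format, the next hop and the prefixes are constructed and do not reproduce BIO's actual command syntax, and the encoder assumes the 4-octet AS capability (RFC 6793) was negotiated so that AS_PATH carries 4-byte ASNs.

```python
"""Added example (not BIO code): build and decode BGP-4 UPDATE messages from a
constructed prefix/AS-path script."""
import ipaddress
import struct
from typing import List, Tuple

# Constructed script in the spirit of a prefix/AS-path command list; one route per line.
SCRIPT = """\
# prefix        AS path (neighbor first, origin last)
192.0.2.0/24    64510 64500 64496
198.51.100.0/22 64510 64501 64497
"""
NEXT_HOP = "10.0.0.1"  # constructed next hop of the emulated peer

ORIGIN, AS_PATH, NEXT_HOP_ATTR = 1, 2, 3   # path attribute type codes (RFC 4271)
AS_SEQUENCE = 2
WELL_KNOWN_TRANSITIVE = 0x40
UPDATE = 2


def attr(type_code: int, value: bytes) -> bytes:
    # All attributes built here are shorter than 256 bytes, so the 1-octet length form is used.
    return struct.pack("!BBB", WELL_KNOWN_TRANSITIVE, type_code, len(value)) + value


def encode_nlri(prefix: str) -> bytes:
    """NLRI is the prefix length followed by only the octets needed to hold it."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_update(prefix: str, as_path: List[int], next_hop: str = NEXT_HOP) -> bytes:
    """UPDATE with ORIGIN=IGP, one AS_SEQUENCE of 4-octet ASNs and one NLRI."""
    path_value = struct.pack("!BB", AS_SEQUENCE, len(as_path))
    path_value += b"".join(struct.pack("!I", asn) for asn in as_path)
    attrs = (attr(ORIGIN, b"\x00")
             + attr(AS_PATH, path_value)
             + attr(NEXT_HOP_ATTR, ipaddress.IPv4Address(next_hop).packed))
    body = struct.pack("!H", 0) + struct.pack("!H", len(attrs)) + attrs + encode_nlri(prefix)
    header = b"\xff" * 16 + struct.pack("!HB", 19 + len(body), UPDATE)
    return header + body


def parse_script(text: str) -> List[Tuple[str, List[int]]]:
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, *asns = line.split()
        routes.append((prefix, [int(a) for a in asns]))
    return routes


def decode_update(msg: bytes) -> Tuple[List[int], str, List[str]]:
    """Minimal decoder for messages produced by build_update (single AS_SEQUENCE,
    IPv4 NLRI). Returns (as_path, next_hop, prefixes); raises ValueError on a bad
    marker, length or message type, which is what a monitor should check first."""
    if len(msg) < 19 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or msg_type != UPDATE:
        raise ValueError("bad length or type")
    pos = 19
    wd_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + wd_len
    attr_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    attrs_end = pos + attr_len
    as_path, next_hop = [], ""
    while pos < attrs_end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & 0x10:  # extended length bit
            alen = struct.unpack("!H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            alen = msg[pos + 2]
            pos += 3
        value = msg[pos:pos + alen]
        pos += alen
        if code == AS_PATH:
            count = value[1]
            as_path = list(struct.unpack("!%dI" % count, value[2:2 + 4 * count]))
        elif code == NEXT_HOP_ATTR:
            next_hop = str(ipaddress.IPv4Address(value))
    prefixes = []
    while pos < len(msg):
        plen = msg[pos]
        nbytes = (plen + 7) // 8
        raw = msg[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append("%s/%d" % (ipaddress.IPv4Address(raw), plen))
        pos += 1 + nbytes
    return as_path, next_hop, prefixes


if __name__ == "__main__":
    for prefix, path in parse_script(SCRIPT):
        wire = build_update(prefix, path)
        print(len(wire), "bytes:", decode_update(wire))
```

The same round trip is the basis of the sender- and receiver-side traces BIO produces: the generator knows exactly which attributes and NLRI it emitted, so a byte-exact decode on the receiving side is what confirms the router under test saw the intended update.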

Quagga-SRx

The Quagga-SRx (QSRx) implementation is based on Quagga 0.99. It implements the capability to process BGP Origin Validation and BGP Path Validation and, as of version 6.0, ASPA path validation.

Figure: Quagga-SRx policy configuration and validation results.

Version 5

This implementation modified the decision process of the BGP routing engine. It allows either BGP Origin Validation (BGP-OV) alone or BGP-OV combined with BGPsec Path Validation (BGP-PV) to be performed. The policies are therefore tailored to a single, final validation outcome.

Version 6

Version 6 no longer modifies the decision process, and the validation results are no longer combined into a cumulative result. Policies can be crafted around each validation separately.

Experiments

The experiments folder contains an experiment for each validation mode and one combining all three mechanisms (BGP-OV, BGP-PV, ASPA). Each experiment can be run in a "Sandbox" environment.

ExaBGPsec

Figure: ExaBGPsec software architecture.

ExaBGPsec uses the NIST SRxCrypto library for its cryptographic operations, including handling of the X.509 objects used in BGPsec path validation. The software is based on the ExaBGP implementation, extended with code implementing the BGPsec protocol (RFC 8205).

GoBGPsec

Figure: GoBGPsec software architecture.

GoBGPsec uses the NIST SRxCrypto library for its cryptographic operations, which signs and verifies using the X.509 objects needed for BGPsec path validation. The software is based on the GoBGP implementation, extended with code implementing the BGPsec protocol (RFC 8205).


Software Versions and Capabilities:

The table below summarizes the specific features and capabilities of the prototype implementations described above.

Features (Y = supported; the SRx-Server column also names the transport used to reach the server):

| Prototypes  | SRx-Crypto-API | SRx-Proxy | SRx-Server     | BGP-OV | BGP-PV | ASPA |
|-------------|----------------|-----------|----------------|--------|--------|------|
| BGP-SRx v6  | Y              | Y         | Y - TCP        | Y      | Y      | Y    |
| BGP-SRx v5  | Y              |           | Y - TCP        | Y      | Y      |      |
| ExaBGPsec   | Y              |           | Y - TCP        | Y      | Y      |      |
| GoBGPsec    |                |           | Y - gRPC/TCP   | Y      | Y      |      |

Questions about these tools can be sent to itrg-contact [at] list.nist.gov.


Uses

This software suite was developed to:

  • improve the quality and expedite the development of consensus standards by providing rapid prototypes of protocol designs while their specifications are still under development;
  • provide a platform for research and experimentation with alternative implementation architectures and techniques; and,
  • foster the availability of commercial products by providing reference implementations and test tools that can be used to improve the quality of emerging industry implementations.


Contact

For questions or comments about this project, contact:

Created August 15, 2016, Updated April 5, 2022