Software

BGP Secure Routing Extension (BGP‑SRx) Prototype

Version

V0.4.1

Type of Software

Prototype Reference Implementation of Emerging Standard

NIST Authors

SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols such as RPKI Origin Validation and BGPSec Path Validation.

The current release includes:

  • RPKI Route Origin Validation including the RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches.
  • Transfer of RPKI validation results using the extended community string.
  • BGPSec Path Validation with a modular crypto engine that allows crypto engine plugins to test different implementations without the need of recompiling the code.
  • A set of test harnesses that can easily be extended for test and research purpose.
  • The software is open source!

For those wanting an easy way to experiment with BGP-SRx, we provide the BRITE system (See Test and Debug section below). For more information see out video about Quagga SRx and BRITE.

BGP-SRx Architecture:

BGP-SRx has three parts:

  • SRx Server
  • SRx API
  • Quagga SRx (integrates SRx API into Quagga router):


BGP-SRx is designed in such to minimize the dependencies on and the impact to specific router implementations. As a result much functionality is provided by the stand alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures. As a result the SRx module can run on the router, the validating cache, or on a complete separate platform.

QuaggaSRx - BGPSec Path Validation

Until now the BGPSec release implementation was in ALPHA stage. We worked hard to bring it to a stage where we can release the code. Within the alhpa version, all crypto processing was performed as part of the QuaggaSRx code base. We changed the design in such that we introduced the SRxCryptoAPI which is a wrapper that allows to exchange the crypto engine between runs. This allows for more flexible crypto prototype upgrades and testing without the need of recompiling all code.

The current implementation still needs work, such as key roll-over, receiving keys using the router to cache protocol. Currently router keys are self-signed and stored in local files. Also the SRxCryptoAPI functions are called by QuaggaSRx. This function will be moved to the SRx-Server.

Router diagnostic commands have been extended to display basic BGPSEC information, such as:

bgpd# show ip bgp 10.40.0.0/16
BGP routing table entry for 10.40.0.0/16
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  2030 40
    SRx Information:
      Update ID: 0.09A2630D
      Validation:
        prefix-origin: valid
        path:   valid
        bgpsec: valid (combination of prefix-origin and path validation)
      PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)
        signature block #1: algorithm suite id 1
        path segment 1: as=2030; pcount=1
          signature segment [1]: block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA
        path segment 2: as=40; pcount=1
          signature segment [1]: block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F
    10.0.1.2 from 10.0.1.2 (10.0.1.2)
      Origin IGP, localpref 100, valid, external, best
      Last Update: Wed Mar  5 20:42:37 2014  

For quesitions or comments regarding this software please contact bgpsrx-dev@nist.gov..

Cybersecurity, Networking and Next generation networks

Organizations

System/Platform Requirements

The BGP-SRx Software Suite is developed and tested using CentOS 6.5 systems. All binaries provided are compiled on this system as well. This does not mean we endorse CentOS over any other linux distribution, it just means we did not test the BGP-SRx Software Suite on any other system.

Download Information

To download the software, select one of the available packages below. 

Package YUM_REPOSITORY0: The srx repository file to allow installing the binaries using the yum installer! 

Package BUNDLE22040200: A Bundle of the latest SRx Software Suite. This software package is tested on CentOS 6 and implements the latest draft of the bgpsec protocol. At this point we still consider it in BETA but it should run without any problems on the above specified OS. At this time we do not provide rpm for this version. PLease send possible bug reports to the developers bgpsec-dev@antd.nist.gov list. 
In addition we added a new software called BGPSEC-IO. This siftware is a BGPSEC traffic generator that allows to generate BGPSEC traffic and play it against bgpsec routers. It also allows to test custom implementations of the NIST SRxCryptoAPI and performs simple statustics.
For more information please see the README files as well as the Quick Installation Guide. 

Package BUNDLE22040103: A Bundle of all software and documentation for origin validation. This is the preferred download. The downloads below are a'La Carte. 

Package QSRX22000401: QuaggaSRx - This is Quagga-0.99.22-0.4.1.3 with SRx Proxy 0.3.0.8 embedded. 

Package SRX000300: BGP-SRx server V0.3.0.8 implementation. This prototype of the reference implementation for origin evaluation. This software is developed under CentOS 6.6, tested on both, 32 and 64 bit. Please report any problems to the development team at bgpsrx-dev@nist.gov

Package SRXCRYPTO000101: SRxCryptoAPI v0.1.1.1 - This is the crypto engine for QuaggaSRx and SRx server. The SRxCryptoAPI allows to plug in different crypto implementations for BGPSec path validation. 

Package BUNDLE22000301: This Bundle contains QuaggaSRx V0.3.1.0 and SRx-server V0.3.0.4 with all software and documentation - newer version available- 

Package BUNDLE22000300: This Bundle contains QuaggaSRx V0.3.0.1 and SRx-server V0.3.0.1 with all software and documentation - newer version available- 

Package BUNDLE16000300: ABundle of all software and documentation based on Quagga 0.99.16- deprecated - 

Documentation/User Guide

Documentation:

Install binaries using "yum"

Since SRx-server version 0.3.0.2 and QuaggaSRx version 0.3.1.0 (based on Quagga 0.99.22) we offer SRx as installable binaries using yum. Please download the yum repository which is available in the downloads section below. The repository file needs to be copied into the /etc/yum.repos.d folder. Once this is done you can install the binaries using yum install srxcryptoapi srx quaggasrx. The configuration files for are located in the folder /etc.
Be aware that the quaggasrx software is based upon quagga and both software packages should not be installed at the same time.

Test and Debug

You can use BRITE to run BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

To facilitate test and evaluation of BGP-SRx (or any other BGP secutiry implementation) we have developed the BRITE (BGPSEC / RPKI Interoperability Test & Evaluation) system. Brite is available at http://brite.antd.nist.gov/

You can use the BRITE on-line test system to put BGP-SRx (or any other implementation) through a series of test scripts that exercise numerous interesting scenarios for BGP ROA processing under different policy assumptions.

See Also

References/Credits/Disclaimers

Please read the NIST disclaimer regarding the software of this project, the information it provides and the other resources it uses. In particular note that these software prototypes are expressly provided "as is" and are intended for research and development purposes only.

Acknowledgements

This software and test tools were developed by the Advanced Network Technologies Division (ANTD) at the National Institute of Standards and Technology (NIST) as part of the collaborative effort between NIST and The Department of Homeland Security, Science and Technology Directorate'sSecure Protocols for the Routing Infrastructure Project.

Related Project

Contact

Created August 15, 2016, Updated September 21, 2016