SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols such as RPKI Origin Validation and BGPSec Path Validation.
The current release includes:
- RPKI Route Origin Validation including the RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches.
- Transfer of RPKI validation results using the extended community string.
- BGPSec Path Validation with a modular crypto engine that allows crypto engine plugins to test different implementations without the need of recompiling the code.
- A set of test harnesses that can easily be extended for test and research purpose.
- The software is open source!
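As an added example (not code from BGP-SRx or its authors), the route-origin-validation decision behind the first feature above, plus the encoding of that result as the Origin Validation State extended community that the second feature refers to. The ROA set is constructed, and the 8-octet community layout (type 0x43, sub-type 0x00, state in the last octet) is assumed to follow RFC 8097, since the page does not spell out SRx's own encoding.

```python
# Added example: RFC 6811 origin validation of a (prefix, origin AS) pair
# against a ROA set, and RFC 8097 encoding of the resulting state.
import ipaddress
from dataclasses import dataclass

# Validation state values as carried in the extended community (RFC 8097)
VALID, NOT_FOUND, INVALID = 0, 1, 2


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "10.40.0.0/16"
    max_length: int   # longest more-specific the origin AS may announce
    origin_as: int    # AS 0 means "nobody may originate this prefix"


def _covers(roa, route):
    net = ipaddress.ip_network(roa.prefix, strict=False)
    return net.version == route.version and route.subnet_of(net)


def validate_origin(route_prefix, origin_as, roas):
    """Return VALID, INVALID or NOT_FOUND for a route's (prefix, origin AS)."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return NOT_FOUND   # no ROA covers this prefix at all
    for r in covering:
        # A match needs the right origin AS and a prefix length within
        # maxLength. An AS0 ROA covers but never matches (RFC 6483).
        if (r.origin_as == origin_as and origin_as != 0
                and route.prefixlen <= r.max_length):
            return VALID
    return INVALID         # covered, but no ROA authorizes this origin/length


def origin_validation_state_ext_community(state):
    """Build the 8-octet community: 0x43, 0x00, five reserved octets, state."""
    if state not in (VALID, NOT_FOUND, INVALID):
        raise ValueError("unknown validation state")
    return bytes([0x43, 0x00]) + bytes(5) + bytes([state])


def decode_validation_state(ext_comm):
    """Inverse of the encoder; rejects anything that is not this community."""
    if len(ext_comm) != 8 or ext_comm[0] != 0x43 or ext_comm[1] != 0x00:
        raise ValueError("not an Origin Validation State extended community")
    return ext_comm[7]


# Constructed sample ROAs (not real RPKI data)
SAMPLE_ROAS = [ROA("10.40.0.0/16", 24, 2030), ROA("192.0.2.0/24", 24, 0)]

if __name__ == "__main__":
    for pfx, asn in [("10.40.1.0/24", 2030), ("10.40.1.0/25", 2030),
                     ("192.0.2.0/24", 64496), ("203.0.113.0/24", 2030)]:
        state = validate_origin(pfx, asn, SAMPLE_ROAS)
        print(pfx, asn, state, origin_validation_state_ext_community(state).hex())
```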
For those wanting an easy way to experiment with BGP-SRx, we provide the BRITE system (see the Test and Debug section below). For more information, see our video about Quagga SRx and BRITE.
BGP-SRx has three parts:
- SRx Server
- SRx API
- Quagga SRx (integrates the SRx API into the Quagga router)
BGP-SRx is designed to minimize both the dependencies on and the impact to specific router implementations. As a result, much of the functionality is provided by the stand-alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures, so the SRx module can run on the router, on the validating cache, or on a completely separate platform.
QuaggaSRx - BGPSec Path Validation
Until now the BGPSec implementation was in ALPHA stage. We worked hard to bring it to a stage where we can release the code. In the alpha version, all crypto processing was performed as part of the QuaggaSRx code base. We changed the design by introducing the SRxCryptoAPI, a wrapper that allows the crypto engine to be exchanged between runs. This allows for more flexible crypto prototype upgrades and testing without the need to recompile all the code.
The current implementation still needs work, such as key roll-over and receiving keys via the router-to-cache protocol. Currently, router keys are self-signed and stored in local files. Also, the SRxCryptoAPI functions are called by QuaggaSRx; this functionality will be moved to the SRx-Server.
Router diagnostic commands have been extended to display basic BGPSEC information, such as:
```
bgpd# show ip bgp 10.40.0.0/16
BGP routing table entry for 10.40.0.0/16
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Update ID: 0.09A2630D
bgpsec: valid (combination of prefix-origin and path validation)
PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)
signature block #1: algorithm suite id 1
path segment 1: as=2030; pcount=1
signature segment : block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA
path segment 2: as=40; pcount=1
signature segment : block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F
10.0.1.2 from 10.0.1.2 (10.0.1.2)
Origin IGP, localpref 100, valid, external, best
Last Update: Wed Mar 5 20:42:37 2014
```
For questions or comments regarding this software, please contact firstname.lastname@example.org.