Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

BGP Secure Routing Extension (BGP‑SRx) Prototype

RIDR logo

SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols such as RPKI Origin Validation and BGPSec Path Validation.

  • Please read the NIST disclaimer regarding the software of this project, the information it provides and the other resources it uses. In particular, note that these software prototypes are expressly provided "as is" and are intended for research and development purposes only.

The current release includes:

  • RPKI Route Origin Validation including the RPKI/Router Protocol and a variety of BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed from RPKI validating caches.
  • BGPSec Path Validation with a modular crypto engine that allows crypto engine plugins to test different implementations without the need of recompiling the code.
  • Router key distribution using the RPKI/Router Protocol.
  • Transfer of RPKI validation results using the extended community string.
  • Support for Extended Message Capability for sending BGP UPDATE messages larger than 4K.
  • A BGPsec traffic generator that allows generating multi-hop BGPsec traffic using simple configuration files as well as piped in traffic.
  • A set of test harnesses that can easily be extended for test and research purposes.
  • The software is open source and well documented!

For those wanting an easy way to experiment with BGP-SRx, we provide the BRITE system (See Test and Debug section below). For more information see our video about Quagga SRx and BRITE.

BGP-SRx Architecture:

BGP-SRx has three parts:

  • SRx Server
  • SRx API
  • Quagga SRx (integrates SRx API into Quagga router):

BGP-SRx is designed in such to minimize the dependencies on and the impact on specific router implementations. As a result, much functionality is provided by the stand-alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures. As a result, the SRx module can run on the router, the validating cache, or on a completely separate platform.

QuaggaSRx - BGPSec Path Validation

Within the previous version, all crypto processing was performed by QuaggaSRx using the SRxCryptoAPI.  We now support the crypto validation to take place in the SRx-Server. The SRx-Server is able to receive router keys via the RPKI to Cache Protocol and monitors modification within the key storage. Srx-Server notifies the router if validation results changed due to key and ROA changes. In contrary to previous versions, we dampened the ROA validation change by not sending validation result state changes due to modification of changes in the RPKI up until the complete cache update is received and processed. This reduces churn in the routing engine due to possible repetitive restarting of the decision process as it happened in previous versions. Path signing is still performed on the router side, not within the SRx-Server.

The current implementation still needs work. We updated the code to use the IANA assigned values for capability and BGPsec_PATH attribute. To be backward compatible with other implementations it is possible to pass other values during the configuration stage to QuaggaSRx and BGPSEC-IP. Please see the ChangeLog for more information on that.

Router diagnostic commands have been extended to display basic BGPSEC information, such as:

  bgpd# show ip bgp
  BGP routing table entry for
  Paths: (1 available, best #1, table Default-IP-Routing-Table)
    Not advertised to any peer
    2030 40
      SRx Information:
        Update ID: 0.09A2630D
          prefix-origin: valid
          path:   valid
          bgpsec: valid (combination of prefix-origin and path validation)
        PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)
          signature block #1: algorithm suite id 1
          path segment 1: as=2030; pcount=1
            signature segment [1]: block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA
          path segment 2: as=40; pcount=1
            signature segment [1]: block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F from (
        Origin IGP, localpref 100, valid, external, best
        Last Update: Wed Mar  5 20:42:37 2014  

For questions or comments regarding this software please contact bgpsrx-dev [at]



For quesitions or comments regarding this software please contact

Created August 15, 2016, Updated November 19, 2019