SRx is an open source reference implementation and research platform for investigating emerging BGP security extensions and supporting protocols such as RPKI Origin Validation and BGPSec Path Validation.
The current release includes:
For those wanting an easy way to experiment with BGP-SRx, we provide the BRITE system (see the Test and Debug section below). For more information, see our video about Quagga SRx and BRITE.
BGP-SRx Architecture:
BGP-SRx has three parts:
BGP-SRx is designed to minimize both the dependencies on and the impact on specific router implementations. As a result, much of the functionality is provided by the stand-alone SRx server module. The prototype is also designed to support experimentation with various deployment architectures, so the SRx module can run on the router, on the validating cache, or on a completely separate platform.
QuaggaSRx - BGPSec Path Validation
In the previous version, all crypto processing was performed by QuaggaSRx using the SRxCryptoAPI. We now support crypto validation taking place in the SRx-Server. The SRx-Server is able to receive router keys via the RPKI to Cache Protocol and monitors modifications within the key storage. The SRx-Server notifies the router if validation results change due to key and ROA changes. In contrast to previous versions, we dampen ROA validation changes: validation result state changes caused by changes in the RPKI are not sent until the complete cache update has been received and processed. This reduces churn in the routing engine caused by repeatedly restarting the decision process, as happened in previous versions. Path signing is still performed on the router side, not within the SRx-Server.
The current implementation still needs work. We updated the code to use the IANA-assigned values for the capability and the BGPsec_PATH attribute. To be backward compatible with other implementations, it is possible to pass other values to QuaggaSRx and BGPSEC-IP during the configuration stage. Please see the ChangeLog for more information on that.
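The dampening of ROA validation changes described above, as an added example that is not SRx code: a toy validation server re-validates routes either on every ROA change or only once the complete cache update has arrived, and records what it would send to the router. The class, the message kinds (loosely modelled on RFC 8210 PDUs), the second route and all ROAs are assumptions made for illustration.

```python
import ipaddress

def validate(roas, prefix, origin):
    """Origin validation (RFC 6811) against ROAs given as (prefix, max_len, asn)."""
    net, covered = ipaddress.ip_network(prefix), False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "notfound"

class ValidationServer:  # hypothetical toy model, not the SRx-Server code
    def __init__(self, routes, roas, dampen):
        self.roas, self.dampen = set(roas), dampen
        self.results = {r: validate(self.roas, *r) for r in routes}
        self.notifications = []  # (route, new_result) pairs sent to the router

    def _revalidate(self):
        for route, old in self.results.items():
            new = validate(self.roas, *route)
            if new != old:
                self.results[route] = new
                self.notifications.append((route, new))

    def cache_pdu(self, kind, roa=None):
        if kind == "announce":
            self.roas.add(roa)
        elif kind == "withdraw":
            self.roas.discard(roa)
        if kind == "end_of_data" or not self.dampen:  # dampened: wait for End of Data
            self._revalidate()

# Constructed sample data: only the first route appears on the page.
ROUTES = [("10.40.0.0/16", 40), ("10.50.0.0/16", 50)]
INITIAL_ROAS = [("10.40.0.0/16", 16, 40)]
CACHE_UPDATE = [
    ("withdraw", ("10.40.0.0/16", 16, 40)),   # ROA replaced by one with
    ("announce", ("10.40.0.0/16", 24, 40)),   # a longer max length
    ("announce", ("10.50.0.0/16", 16, 51)),   # makes origin AS 50 invalid
    ("end_of_data", None),
]

def run(dampen):
    server = ValidationServer(ROUTES, INITIAL_ROAS, dampen)
    for kind, roa in CACHE_UPDATE:
        server.cache_pdu(kind, roa)
    return server.notifications
```

Without dampening, the replaced ROA makes 10.40.0.0/16 flap from valid to notfound and back, so the router sees three notifications; with dampening it sees only the one genuine change for 10.50.0.0/16.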
Router diagnostic commands have been extended to display basic BGPSEC information, such as:
bgpd# show ip bgp 10.40.0.0/16
BGP routing table entry for 10.40.0.0/16
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
2030 40
SRx Information:
Update ID: 0.09A2630D
Validation:
prefix-origin: valid
path: valid
bgpsec: valid (combination of prefix-origin and path validation)
PathType: BGPSEC-Path ( 1 signature blocks, each with 2 path segments)
signature block #1: algorithm suite id 1
path segment 1: as=2030; pcount=1
signature segment [1]: block 1, ski=97E8EEC56E7C8AE22866D218B0E4D40416EC4EFA
path segment 2: as=40; pcount=1
signature segment [1]: block 1, ski=A509AE9ED377CC31AED01E820670DF9CC781DA9F
10.0.1.2 from 10.0.1.2 (10.0.1.2)
Origin IGP, localpref 100, valid, external, best
Last Update: Wed Mar 5 20:42:37 2014
For questions or comments regarding this software please contact bgpsrx-dev@nist.gov.