BGP Secure Routing Extension (BGP‑SRx) Software Suite

NIST BGP-SRx is an open source reference implementation and research platform for investigating emerging BGP security and robustness extensions and supporting protocols such as RPKI Origin Validation, BGPsec Path Validation and Route Leak Detection and Mitigation schemes.  These tools are contributions from NIST's Robust Inter-Domain Routing Project (see site for other products).

• Note that all software described on this page is covered by the  NIST software disclaimer.
• Question or comments about these tools can be sent to itrg-contact [at] list.nist.gov (subject: BGP-SRx%20web%20feedback%3A%20) (itrg-contact[at]list[dot]nist[dot]gov).

The BGP-SRx suite includes:

• Quagga-SRx, GoBGPsec, ExaBGPsec - three distinct reference implementations built on different open source routers with support for: 
  • BGP Origin Validation (BGP-OV) (RFC 6811):
    • BGP-OV validation state signaling (RFC 8097)
  • ASPA route leak detection (ASPA Internet Draft, algorithm enhancement)
  • BGPsec Path Validation (BGP-PV) (RFC 8205):
    • SRx-Crypto-API - providing a common interface for BGPsec signing and validation implementations.

      

      • Demonstrated support for alternative cryptographic implementations.
    • SRx-Proxy - that supports communication between a router and the SRx-Server.
  • Extensions to router configuration and monitoring tools to support BGP-OV, BGP-PV and ASPA validation policies.
• SRx-Server - a distributed server capable of providing BGP origin validation, path validation and ASPA validation services to multiple routers.

  

  • Distributed architecture allows off-loading compute intensive validation and RPKI data management tasks from individual routers.
  • A single SRx-Server can provide validation services for multiple routers.
  • Centralized validation engine ensures consistent results among all connected routers.
• BGPsec-IO (BIO) - a test tool and experimentation framework that enables testing router implementations at scale in a laboratory setting.  BIO supports:  
  • Emulation of an RPKI validation cache and RPKI data repositories.
    • Simple scripted text files for RPKI ROA and router key, and ASPA data.
    • Support for RPKI-to-Router protocol (RFC8210) for distribution of RPKI data to live router implementations.
      • RPKI-to-Router support for ASPA Objects (draft-ietf-sidrops-8210bis) 

  • 

    Controlled experiments with dynamic RPKI changes
    • Time-based scenario scripting of when RPKI data will be pushed to router, or
    • CLI based event control to support interactive scenarios.
  • BGP/BGPsec Traffic generator with support for:
    • Emulation of one or more BGP peers operating live BGP-4 and/or BGPsec sessions with a router under test.
      • BGP traffic data from simple configuration files or from real BGP traffic captures.
    • Protocol analyzer traces of  BGP/BGPsec traffic on sender and receiver side.
      • BIO can be used as a traffic generator or a traffic monitor.
    • Special BGPsec testing modes, including:
      • Support for deterministic ECDSA signatures using specified k-value.
      • Ability to use pre-scripted signature value to test validation algorithm.

• 

  Extensive Documentation
  • NIST Technical Note 2060 - BGP Secure Routing Extension (BGP-SRx): Reference Implementation and Test Tools for Emerging BGP Security Standards - provides extensive documentation on each of the software tools mentioned above as well as results from performance and scaling testing experiments.
  • Each software repository provides extensive documentation of the code and instructions for obtaining, installing and using the software.

Software Module Details:

SRx Crypto API

The SRx Crypto API  is used to provide a mechanism to exchange BGPsec cryptographic implementations without the need to recompile the software. Once installed, it provides a configuration file that is used to select the appropriate BGPsec algorithm implementation. The implementation MUST follow the API's specification outlined in the header file srxcryptoapi.h.

SRx-Server

The SRx-Server provides the validation engine for BGPsec Path Validation, BGP Route Origin Validation, and also ASPA path validation. The SRx-Server communicates with RPKI validation caches using the cache to router protocol RFC8210 and RFC8610. For communication with routers the SRx-Server implementation provides a proxy API that hides the communication complexities to the client. In case the router does not want to use the proxy, the SRx-Server provides a TCP based protocol to communicate validation requests and validations.

Utilities

This package provides a validation server test harness that emulates a Resource PKI (RPKI) validation cache that is providing Route Origination Authorization (ROA) objects, BGPsec keys, and also  ASPA Objects to be sent to the routers. This emulator can be controlled using scripts or through a CLI.

BGPsec-IO

The BGPsec-IO (BIO) is a traffic generator that can generate regular BGP-4 updates as well as scripted multi-hop end to end signed BGPsec update traffic. It can pre-generate traffic to be replayed at a later time as well as generate traffic while receiving text-based update commands (prefix-as-path list) via CLI or file to control test traffic streams sent to a connected BGP/BGPsec router instance.

Quagga-SRx

The Quagga-SRx (QSRx) implementation is based on Quagga 0.99. It implements the capability to process BGP Origin Validation, BGP Path Validation, as well as with version 6.0 ASPA path validation.

Version 5

This implementation modified the decision process of the BGP routing engine. It allows to either perform BGP Origin Validation (BGP-OV) or BGP-OV combined with BGPsec Path Validation (BGP-PV). Therefore, the policies are tailored to a single final validation outcome.

Version 6

Version 6 does not touch the decision process anymore. Also, the validation results are no longer combined to calculate a cumulative result. Policies can be crafted around each validation separately.

Experiments

The experiments folder contains experimentation for each validation mode and one combining all three mechanisms (BGP-OV, BGP-PV, ASPA). Each experiment can be run in a "Sandbox" environment.

ExaBGPsec

ExaBGPsec uses NIST SRxCrypto library to facilitate cryptographic calculations which is able to deal with X.509 objects for BGPsec path validation. This software is based on Exabgp BGP implementation and added codes for implementing BGPsec protocol (RFC 8205).

GoBGPsec

GoBGPsec uses NIST SRxCrypto library to facilitate crypto calculations which is able to sign and verify X.509 objects for BGPsec path validation. This software is based on Gobgp BGP implementation and added codes for implementing BGPsec protocol (RFC 8205).

Software Versions and Capabilities:

The table below summarizes the specific features and capabilities of the various prototypes implementations above.

Question about these tools can be sent to itrg-contact [at] list.nist.gov (subject: BGP-SRx%20web%20feedback%3A%20) (itrg-contact[at]list[dot]nist[dot]gov).