U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

SOFTWARE

NIST-BRIO

Synthetic Traffic Generation for Testing RPKI-based BGP Security and Resilience Mechanisms

NIST BGP RPKI IO (BRIO) is an open-source tool designed to support test and experimentation with emerging Border Gateway Protocol (BGP) security and resilience mechanisms that leverage the Resource Public Key Infrastructure (RPKI). It is designed to help researchers, developers, and network engineers test and validate the implementation of Autonomous System Provider Authorization (ASPA), Route Origin Validation (ROV), and Path Validation (BPGsec) technologies in BGP routers. BRIO supports synthetic traffic generation for BGP, BGPsec, and RPKI-to-Router traffic in controlled experiments.

NIST BRIO use cases

The software components in BRIO consist of tools created initially as reference implementations while developing various IETF RFCs and bundled as part of the NIST-BGP-SRx prototype and other projects. 

To simplify the usage of these tools for general research and experimentation, the tools were extracted and bundled in this independent project. Over time, more experiments and tools will be added to extend the collection.

BRIO currently consists of two main components: the BRIO Traffic Generator (brio_tg) and the BRIO RPKI Cache (brio_rc). Additionally, the ASPA Test Framework Generator, which was initially developed during the IETF 112 Hackathon, is included in the experiment section of BRIO. 

BRIO's intent is to provide the community with a test framework that is not reliant on specific router implementations and can be used to test and experiment with any router platform.

NIST Communications Technology Laboratory logo

BRIO Components

NIST BRIO ASPA test scenarios

BRIO Traffic Generator (brio_tg): The brio_tg is a flexible tool for generating synthetic BGP updates as specified in RFC 4271 and synthetic end-to-end cryptographically signed BGPsec updates as specified in RFC 8205. The internal signing engine uses the signing algorithm specified in RFC 8208.

Furthermore, the traffic generator allows testing BGPsec validation algorithm implementations outside router platforms using the SRx Crypto API. This functionality allows debugging of crypto algorithm implementations and performance tests.

NIST BRIO RPKI chache synthetic traffic

BRIO RPKI Cache Simulator (brio_rc): A synthetic RPKI cache that delivers synthetic data (ROAs, BGPsec Router Keys, and ASPA objects) to routers and validators via the RPKI-Router Protocol (RFC 8210), accurately simulating the behavior of a live RPKI validation system.

BRIO Examples: BRIO provides a set of carefully curated tests, currently focused on ASPA path verification scenarios. Existing examples testing ROV and BPV will be converted from the NIST BGP-SRx framework over time and added to the system. The BRIO examples also include the ASPA Test Generation Framework, which allows for generating large-scale ASPA experiments using CAIDA-generated topologies and RouteViews BGP traces.

Supported Standards and RFCs

StandardTitle
RFC 4271A Border Gateway Protocol 4 (BGP-4)
RFC 8205BGPsec Protocol Specification
RFC 8208BGPsec Algorithms, Key Formats, and Signature Formats
RFC 8210The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1
draft-ietf-sidrops-8210bis-17The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 2, draft-ietf-sidrops-8210bis-17
draft-ietf-sidrops-aspa-verification-22BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects

 

Uses

NIST-BRIO  supports synthetic traffic generation for BGP, BGPsec, and RPKI-to-Router traffic in controlled experiments.  BRIO's intent is to provide the community with a test framework that is not reliant on specific router implementations and can be used to test and experiment with any router platform.  This package does not provide a BGP router implementation, only the tools to test a BGP router implementation that provides  support for emerging security / resilience capabilities: ASPA, ROA/ROV, BGPsec.

Overview diagram of BGP ASPA route leak mitigation

BRIO Example Test Scenarios

  • demo-aspa-downstream: Five separate experiments scripted to test the downstream verification and results.
  • demo-aspa-upstream: Five separate experiments scripted to test the upstream verification and results.
BGP ASPA Test Cases
Example test cases for ASPA verification algorithm.

Additional Test Scenarios and Tools

The following scenarios and tools were developed using a previous, but similar, test tool that was part of the BGP-SRx software suite.  We are in the process of updating these scenarios to use this NIST BRIO tool release.

  • tfg-aspa: The ASPA Test Framework Generator, originally developed during IETF112 Hackathon, allows the generation of ASPA tests using RouteViews traffic data and CAIDA’s AS relationship data. *
  • simple/aspa: Demonstrates ASPA validation with compliant and non-compliant AS paths. **
  • simple/rov: Shows Route Origin Validation based on ROA presence. **
  • simple/bgpsec: Focuses on BGPsec path signing and validation. **
  • combined/rov-bgpsec: Combines ROV and BGPsec mechanisms. **
  • combined/rov-bgpsec-aspa: Full-stack example integrating ASPA, ROV, and BGPsec. **

* The test systems used in this framework use the QuaggaSRx router and SRx-Server validator of the NIST-BGP-SRx framework.

** These examples are in the process of being transferred from the BGP-SRx archive.

Licensing Information

NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the software.   See full NIST Software Disclaimer for further details.

Disclaimers

NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.

See full NIST Software Disclaimer.

 

Related Publications

BGP Secure Routing Extension (BGP-SRx): Reference Implementation and Test Tools for Emerging BGP Security Standards
Advanced communications, Information technology, Cybersecurity, Trustworthy networks, Networking, Network security and robustness, Network test and measurement and Protocol design and standardization
Created July 22, 2025, Updated August 7, 2025
Was this page helpful?