Announcing BGP Secure Router Extension (BGP-SRx) Prototype Implementation

Announcing BGP Secure Router Extension (BGP-SRx) Prototype Implementation

IETF SIDR working group is developing standards for BGP origin validation
and AS path validation to strengthen the inter-domain routing
infrastructure. At the IETF 80 in March 2011, NIST made an introductory
presentation on a prototyping effort called BGP Secure Router Extension
(BGP-SRx). SRx is an open source reference implementation and research
platform for investigating emerging BGP security extensions and supporting

BGP-SRx has three parts: SRx Server, SRx API, and Quagga SRx (integrates
SRx API into Quagga router). The current focus in the BGP-SRx prototype is
on origin validation, although it is designed to be be extended to path
validation in the future (some stub functionality is already included in
this version).

The current release implements: The RPKI/Router Protocol and a variety of
BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed
from RPKI validating caches. Also included in the release are test
client/server test harnesses for RPKI/Router and WireShark modules for

For more information on BGP-SRx, and to download the prototype and tools,

For those wanting an easy way to experiment with BGP-SRx, in June we made
an announcement about the BRITE system (BGPSEC/RPKI Interoperability Test &

You can use BRITE (>/) to run BGP-SRx
(or any other implementation) through aseries of test scripts that exercise
numerous interesting scenarios for BGP ROA processing under different policy

We will make a presentation at NANOG-53 on Monday (9/10/11) in the ISP Security
BoF where we will briefly explain the functionalities of both BGP-SRx and
BRITE and also give demos. Please attend the BoF if you are interested to
learn more.

Comments and feedback about SRx and BRITE are welcome. See the project page
For details.