BGP-SRx BGP - Secure Routing Extension
BRITE BGP Security / RPKI Interoperability Test & Evaluation
Doug Montgomery (dougm@nist.gov)
IETF 80 04/10/23
BGP SRx Overview
• BGP Secure Routing Extension (SRx)
  – Software router with extensions for: RPKI Rtr cache maintenance, validation of updates, new BGP route policies.
  – SRx – implemented as extension for Quagga routing platform. Designed to support other platforms (e.g., XORP, etc.).
  – Designed to support experimentation with different architectural configurations of SRx and RPKI components.
• Status
  – BGP SRx framework with RPKI cache and ROA processing implemented.
    • draft-ietf-sidr-rpki-rtr-11
    • draft-ietf-sidr-roa-validation-10.txt, draft-ietf-sidr-pfx-validate-01
  – TBD
    • draft-ietf-sidr-origin-validation-signaling-00
[Figure labels: RPKI Validating Cache; BGP SRx; BGP Router]
BGP SRx Implementation
• SRx Server
  – Independent process – through proxy shim in router.
  – Supports asynchronous validation (lazy or blocking).
  – Supports multiple caches … and multiple routers.
• Policies
  – Ignore Invalid
  – Ignore Unknown
  – Modify LocPref
  – Tie Break
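An added example (not BGP-SRx code and not from the slides) of how update validation and the four policy names above could fit together: origin validation against ROA payloads in the manner of draft-ietf-sidr-pfx-validate, followed by policy application. The policy semantics, the names `Roa`, `Route`, `validate` and `apply_policy`, and the sample prefixes and AS numbers are assumptions.

```python
# Added example: ROA-based origin validation plus the slide's four policies.
# Policy semantics are assumed; "unknown" means no ROA covers the prefix.
import ipaddress
from dataclasses import dataclass

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"

@dataclass
class Roa:  # one validated ROA payload as delivered by the cache (hypothetical type)
    prefix: str
    max_len: int
    asn: int

@dataclass
class Route:  # one candidate BGP route for a prefix (hypothetical type)
    prefix: str
    origin_as: int
    local_pref: int = 100
    state: str = UNKNOWN

def validate(route, roas):
    """Valid: a covering ROA matches origin AS and max length; invalid: covered, no match."""
    net = ipaddress.ip_network(route.prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa.asn == route.origin_as and net.prefixlen <= roa.max_len:
            return VALID
    return INVALID if covered else UNKNOWN

def apply_policy(routes, roas, ignore_invalid=False, ignore_unknown=False,
                 pref_delta=None, tie_break=False):
    """Validate each candidate, apply the enabled policies, return the best route or None."""
    dropped = {s for s, on in ((INVALID, ignore_invalid), (UNKNOWN, ignore_unknown)) if on}
    kept = []
    for r in routes:
        r.state = validate(r, roas)
        if r.state in dropped:
            continue  # Ignore Invalid / Ignore Unknown
        r.local_pref += (pref_delta or {}).get(r.state, 0)  # Modify LocPref
        kept.append(r)
    rank = {VALID: 2, UNKNOWN: 1, INVALID: 0}
    key = lambda r: (r.local_pref, rank[r.state] if tie_break else 0)  # Tie Break
    return max(kept, key=key, default=None)

# Constructed sample ROAs (documentation prefixes, documentation AS numbers).
ROAS = [Roa("192.0.2.0/24", 24, 64500), Roa("203.0.113.0/24", 25, 64501)]
```

With no policy enabled, a higher-LocPref route with an invalid origin still wins; that is the case Ignore Invalid and Modify LocPref are meant to change.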
SRx Deployment Options
[Figure labels: AS 1; SRx Supporting Multiple Routers; BGP SRx; RPKI Validation Cache; AS 2. Link types: BGP Protocol; SRx Router Prot.; RPKI/RTR Prot.]
BRITE Design Overview
[Figure labels: Collector; Traffic Generator; IUT; RPKI Validation Cache; BRITE Test Controller; White List Collector / Generator; WEB Interface. Link types: BGP Protocol; RPKI/RTR Protocol; RSYNC]
BRITE Overview
• BGPSEC / RPKI Interoperability Test & Evaluation
  – Distributed test and evaluation framework for:
    • RPKI / BGP Security implementation testing,
    • Configuration and deployment testing.
  – Flexible XML based test / scenario scripting language.
  – Can test all components / interfaces of BGP security system.
    • RPKI Validating Caches.
    • Cache to Router Protocol.
    • ROA Processing in BGP Router.
• Online Testing Service.
  – WWW interface to BRITE.
  – Multi-user infrastructure.
  – Real time test monitoring & reporting.
  – Other diagnostics – log files, traffic traces available for download.
BRITE Web Interface
[Screenshot labels: Test Timeline; Test Progress; Events: M=Multiple, A=Activation, B=BGP, W=Whitelist; Experiment Log; Goal Tree. Status legend: Finished successful; Wait to be activated; Currently processing]