NIST BGP-RPKI-IO (BRIO) is a collection of tools for generating synthetic BGP and BGPsec traffic, as well as RPKI payloads such as ROA, BGPsec Key, and ASPA, which are sent to BGP router clients via the RPKI to Router protocol (RFC 8210 up to RFC 8210bis-15).
The BRIO RPKI Validation Cache (brio_rc) simulates an RPKI cache in which RPKI payloads can be scripted for route origin validation, BGPsec path validation and ASPA validation. The BRIO Traffic Generator (brio_tg) simulates a BGP/BGPsec capable router that can generate multi-hop BGPsec traffic. In addition to functioning as a traffic generator, brio_tg can test BGPsec algorithm APIs for performance measurements. Furthermore, brio_tg can be used as a BGP monitor that displays incoming traffic and can redirect it into text files.
The BGP traffic generator brio_tg can produce BGP-4 traffic as well as fully end-to-end signed BGPsec traffic (RFC 8205). In addition, brio_tg can test BGPsec crypto algorithms as long as they implement the SRxCryptoAPI interface, which makes it possible to create performance tests.
BRIO's brio_tg can receive BGP and BGPsec UPDATES and dump them into text files for further processing.
The following modes are supported in this version:
- BGP : This mode generates BGP updates containing the BGPsec path attribute.
- GEN-x: This mode allows to pre-generate BGPsec signed updates for performance testing.
- CAPI : This mode allows to make direct calls into the SRxCryptoAPI (SCA) to perform performance tests of SCA plugins.
The software can be controlled using a configuration file as well as program parameters. The traffic is generated by passing scripted updates of the following form either via command line parameters, piping, or scripted within the configuration file.
For more information on brio_tg, see the brio_tg README.
The BRIO RPKI Cache Test Harness (brio_rc) produces synthetic RPKI data with a timed or event-driven data flow. This means that RPKI payloads can be pre-scripted announcements and withdrawals.
For more information on brio_rc, see the brio_rc README.
BRIO is tested on Rocky 9 Linux and Ubuntu 22 Linux distributions. The OS can be installed as a minimal install since the provided install shell script will install all required libraries using the dnf or apt package managers.
This package does not provide a BGP router implementation, only the tools to test a BGP router implementation that provides the tested capability (ASPA, ROA, BGPsec).
This project provides a set of examples to illustrate how to use BRIO as well as test implementations by providing reproducible test runs with pre-defined outcomes. The audience of BRIO is developers of BGP, BGPsec and RPKI related tools as well as users who want to experiment with routers that have these RPKI related security features enabled.
Examples | Overview |
---|---|
ASPA upstream | This set of examples provides scenarios for ASPA upstream validation |
ASPA downstream | This set of examples provides scenarios for ASPA downstream validation |
BGPsec | BGPsec examples are not yet transferred, see NIST BGP SRx for more information. |
ROA Validation | ROA Validation examples are not yet transferred, see NIST BGP SRx for more information. |
The examples in the above table are in their template form and will be installed with the examples in the sandbox/local/opt/brio-examples folder. Once installed there, the template tokens {TOKEN} will be replaced with the actual values for the given example.
Standard | Title |
---|---|
RFC 4271 | A Border Gateway Protocol 4 (BGP-4) |
RFC 8205 | BGPsec Protocol Specification |
RFC 8208 | BGPsec Algorithms, Key Formats, and Signature Formats |
RFC 8210 | The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1 |
draft-ietf-sidrops-8210bis-17 | The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 2, draft-ietf-sidrops-8210bis-17 |
draft-ietf-sidrops-aspa-verification-22 | BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects |
To compile and build BRIO, just call the included build shell script. This script allows you to specify the folder where the software package will be installed. Calling ./buildBRIO.sh -i <sandbox name> will build and install the framework in the provided folder.
The installed code will be placed in the <sandbox name>/local folder.
Use the Quick Install Guide as guidance.
To generate router configurations, the script build-router-config.sh scans through the local/opt/brio/experiments folder and searches for the router configuration markdown documents. It parses the table in each document and generates the appropriate key-value pairs. From these pairs and the router template, a functioning configuration file is generated. The template can easily be modified to match other router configurations. Unused {VARIABLE} sections will be marked out using the '!' symbol. Like all tools, the script build-router-config.sh comes with integrated help via -?.
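The table-to-template flow described above, sketched as an added example in Python; it is not BRIO's build-router-config.sh. The two-column `Variable | Value` table layout, the value allow-list, the line-level '!' handling and the sample template are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r"\{([A-Z0-9_]+)\}")
# Assumed allow-list for values (ASNs, IPs, ports, names). Anything else is rejected
# so a table cell cannot carry extra configuration text into the router config.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:/-]+")

def parse_markdown_table(markdown):
    """Collect KEY -> value pairs from two-column markdown table rows."""
    pairs = {}
    for line in markdown.splitlines():
        if "|" not in line:
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2:
            continue
        key, value = cells
        if set(key) <= set("-: ") or key.lower() == "variable" or not value:
            continue  # separator row, header row, or variable left unset
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for {key}: {value!r}")
        pairs[key] = value
    return pairs

def render_config(template, pairs):
    """Fill {TOKEN}s; mark out lines whose tokens have no value with '!'."""
    out = []
    for line in template.splitlines():
        if any(t not in pairs for t in TOKEN.findall(line)):
            out.append("! " + line)
        else:
            out.append(TOKEN.sub(lambda m: pairs[m.group(1)], line))
    return "\n".join(out) + "\n"

# Constructed sample inputs (documentation ASNs and addresses, generic syntax).
SAMPLE_MD = """\
| Variable | Value |
|---|---|
| LOCAL_ASN | 64500 |
| ROUTER_ID | 192.0.2.1 |
| PEER_IP | 192.0.2.2 |
| PEER_ASN | 64501 |
"""
SAMPLE_TEMPLATE = """\
router bgp {LOCAL_ASN}
 bgp router-id {ROUTER_ID}
 neighbor {PEER_IP} remote-as {PEER_ASN}
 rpki cache {CACHE_IP} {CACHE_PORT}
"""

if __name__ == "__main__":
    print(render_config(SAMPLE_TEMPLATE, parse_markdown_table(SAMPLE_MD)), end="")
```

Because CACHE_IP and CACHE_PORT have no table entry in the sample, the cache line is emitted with a leading '!' rather than with unresolved tokens.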
In most cases, errors occur for three reasons:
- Missing Libraries: The CONTENT file contains a list of required libraries. The provided shell script install_dependencies.sh can also be used to install the necessary libraries. Use it with caution, because this script will modify the Linux install.
- Automake Framework Outdated: To solve this, you need to install the automake framework. Then enter the package that could have failed and call autoreconf -i -f. This forces the automake framework to be refreshed and the install should pass.
- Examples Fail due to missing IP addresses: Restart the build file and pass the parameter -EI. It is also possible to go into the brio-examples folder and call ./configure.sh -I followed by ./install.sh -I. Alias interfaces can be identified by the brio label (e.g., ens18:brio0:).
Please familiarize yourself with the shell scripts by using the parameter -?.
If the above steps are unsuccessful, then drop us an email (see below).
- At this time the brio_rc cache does not use encrypted traffic.
- The auto install of IP addresses on docker instances fails.
Please read How To Contribute for details on how to contribute to the project.
- Oliver Borchert (Lead)
- Kotikalapudi Sriram
- Lilia Hannachi
- Kyehwan Lee
- Doug Montgomery
For license information see the LICENSE file.
For information, questions, or comments, contact us by sending an email to [email protected]