A few weeks ago the NIST announced the BGP Secure Router Extension (BGP-SRx) Prototype, that basically makes it possible to use Quagga with RPKI 

and origin-validation. So, after playing with the RPKI implementations from Cisco and Juniper we decided to take a look at it.

 
 
 
The BGP-SRx implementation in quagga is a bit different that its counterparts (JunOS and IOS). You need two modules, one stand-alone server (SRx Server) to speaks RTR with the caches and the BGP-Quaggla-Plugin that connects with the SRx Server. Why you need two pieces of code instead of one plugin of RTR/Origin-validatio in Quagga? Well, according to the developers it simplifies the modifications that Quagga needs. It may be true, but it complicates a bit its implementation and troubleshooting.
 
I used CenOS 6, RIPE NCC validator-cache for these tests and our RPKI Demo repository:
 
The first step after getting the code is to compile the SRx Server, check the INSTALL file, there are some flags to set up. You will need to modify the server config (in a file /usr/local/bin/) with your cache parameters. After that you will be able to telnet the server to verify that it has received ROAs.
 
The next step is to compile and configure Quagga. You need to copy some libraries from the SRx Server and compile with some flags to add the origin-validation. After that the configuration is pretty straight forward.
 
 
router bgp 1
 bgp router-id 192.168.56.103
 network 10.0.1.0/24
 neighbor 192.168.56.104 remote-as 20
 !SRx Configuration Settigns
 srx display
 srx connect 127.0.0.1 17900
 srx evaluation roa_only
 srx keep-window 900
 
 
This is very basic, I haven't played with policies to modify local preference according to the route validity but it gives you an idea.
 
The BGP routing table looks like:
 
 
bgpd# sh ip bgg
BGP table version is 0, local router ID is 192.168.56.103
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Validation:    v - valid, u - unknown, i - invalid, ? - undefined
SRx Status:    I - route ignored, D - SRx evaluation deactivated
SRxVal Format: validation result (origin validation, path validation)
Origin codes: i - IGP, e - EGP, ? - incomplete

   Ident    SRxVal SRxLP Status Network          Next Hop            Metric  LocPrf Weight Path
*> B2E8F5E6 v(v,-)              10.0.0.0/16      192.168.56.104           0              0 20 i
*> 093057FE i(i,-)              10.0.0.0/24      192.168.56.104           0              0 20 i
*  -------- ?(?,-)          I   10.0.1.0/24      0.0.0.0                  0          32768 i
*> D58A50E7 u(u,-)              10.10.0.0/16     192.168.56.104           0              0 20 i
 
The ROA table is the same than in the JunOS example. As you can see 10.0.0.0/16 is valid, 10.0.0.0/24 is invalid and 10.10.0.0/16 is unknown.
 
The specific announce of one route looks like:
 
bgpd# sh ip bgp 10.0.0.0/16
BGP routing table entry for 10.0.0.0/16
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  20
    SRx Information:
      Update ID: 0xB2E8F5E6
      Validation:
        prefix-origin: valid
        path processing disabled!
    192.168.56.104 from 192.168.56.104 (192.168.56.104)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Last update: Wed Dec 31 22:38:17 1969
 
We will keep working on this and soon we will be able to provide a virtual machine ready to use. Meanwhile you can download the code from NIST and if you have questions please feel free to contact us.