adding bgpsec to bird

Michael Baer baerm at
Wed Mar 21 00:26:21 CET 2012

>>>>> On Tue, 20 Mar 2012 22:58:02 +0100, Ondrej Zajicek <santiago at> said:

    Ondrej> On Tue, Mar 20, 2012 at 11:11:44AM -0700, Michael Baer wrote:
    >> Hi All,
    >> We've been working on an extension to BIRD supporting the BGPSec
    >> protocol that is currently being discussed in the IETF SIDR
    >> Working Group.  And I had some questions I wanted to ask the BIRD
    >> developers.  If the user list isn't the appropriate forum, let me
    >> know and we can discuss it elsewhere or offline.

    Ondrej> I guess user list is appropriate. Personally, I do not
    Ondrej> believe in user/developer mailing list splits.

With only one list and not a high message load, it looked to me like
this would be a good forum.  But I wanted to be sure and ask.

    >> We've made some initial progress, although it's not even to what
    >> I would call an Alpha stage yet.  Our current plan is to have a
    >> beta/alpha working by the beginning of Summer and to continue
    >> work on it for up to a year afterwards.
    >> We would like to have the work contributed back to the BIRD
    >> project.  Which brings me to the questions I had.  Is the BIRD
    >> team interested in the contribution?  Are we in conflict with any
    >> work you are doing to support BGPSec? (I haven't seen any mention
    >> on the user list, but I don't know if there has been any work
    >> otherwise).  Assuming you are interested, besides that our code
    >> should have a compatible license, i.e. GPL, and it should try to
    >> match the coding style of the files that are modified, are there
    >> any other requirements or desires that you may have regarding
    >> code enhancements and contributions to the BIRD project?

    Ondrej> We are interested in contributions, although it sometimes
    Ondrej> took a while to get reviewed and merged, esp. if it is an
    Ondrej> invasive patch.

    Ondrej> We don't have any current plans on BGPSec, AFAIK.

    Ondrej> GPL; coding style similar to one used in nest, BGP or OSPF
    Ondrej> and reusing existing elements and code patterns instead of
    Ondrej> reinventing the wheel is probably enough. It is a good idea to
    Ondrej> write some overview (how it will be integrated in the
    Ondrej> current code) beforehand, esp. for invasive changes to the
    Ondrej> current code or non-standard interactions with the rest of
    Ondrej> BIRD.

    Ondrej> I don't know BGPSec, but I see some possible problems -
    Ondrej> first, BGP code (and most of BIRD route propagation), is
    Ondrej> synchronous, which is probably not well suited for
    Ondrej> cryptographic validation. Second, how cryptographic code
    Ondrej> would be connected - external tool for validation, external
    Ondrej> lib, internal lib.

Generating the local cert info was going to be asynchronous to BIRD.
The validation, at least initially, will be synchronous using openssl.
It may be a problem for high capacity routers.  I'd guess for medium
use/decent hardware or low use routers that it won't be much of an
issue.  But since we haven't gotten far enough along to see the CPU load
during update validation, it's a pretty limited guess.


Michael Baer
baerm at
