Skip to content

bgpipe: BGP pipeline processor

bgpipe is an open-source tool that processes BGP messages through a pipeline of composable stages — bridging the gaps between monitoring and control.

Usually, bgpipe sits between routers as a transparent proxy, auditing, filtering, and transforming BGP sessions on the fly. Built on the bgpfix library, written in Go, and distributed under the MIT license. Started in 2023 as part of a research project at the Polish Academy of Sciences.

Quick Demo

Read live data from RIPE RIS, do real-time RPKI validation using Cloudflare RTR server, and show the first RPKI-invalid announcement.

$ bgpipe -go \
    -- ris-live \
    -- rpki --invalid=keep \
    -- grep 'tag[rpki/status] == INVALID' \
    -- head -n 1

[
    "R",
    10843,
    "2026-02-10T12:47:02.900",
    "UPDATE",
    {
        "reach":["201.49.180.0/23","201.49.181.0/24"],
        "attrs":{
            "ORIGIN":{"flags":"T","value":"IGP"},
            "ASPATH":{"flags":"T","value":[199524,174,52320,53062,262907,262907,262907,262907,262907,52900,273801]},
            "NEXTHOP":{"flags":"T","value":"196.60.9.188"}
        }
    },
    {
        "PEER_IP":"196.60.9.188",
        "PEER_AS":"199524",
        "COLLECTOR":"rrc19",
        "RIS_HOST":"rrc19.ripe.net",
        "RIS_ID":"196.60.9.188-019c479748f40019",
        "rpki/201.49.180.0/23":"INVALID",
        "rpki/201.49.181.0/24":"INVALID",
        "rpki/status":"INVALID"
    }
]

Use Cases

  • BGP Firewall

    Drop-in proxy with RPKI validation, prefix limits, and rate limiting

  • Full JSON Translation

    Bidirectional BGP ↔ JSON including Flowspec — pipe through jq, Python, anything

  • MRT Processing

    Read, convert, and filter compressed MRT archives at scale

  • Scriptable Pipeline

    Chain stages or pipe messages through external programs

  • Live BGP Monitoring

    Stream from RIPE RIS Live or RouteViews with real-time filters

  • Secure Transport

    Add TCP-MD5 to sessions, proxy over encrypted WebSockets

Features

  • Transparent proxy — sits between two BGP speakers; routers see a normal peer
  • Full JSON translation — bidirectional BGP ↔ JSON for every message type, including Flowspec
  • Built-in filters — match on prefixes, AS paths, communities, attributes, and tags with a concise filter language
  • RPKI validation — validate UPDATEs against RPKI using RTR protocol (e.g. Cloudflare, Routinator)
  • Prefix and rate limits — enforce prefix count/length thresholds and message rate limits per session
  • UPDATE rewriting — add, remove, or modify path attributes on the fly
  • Multiple data formats — read and write JSON, MRT, BMP, OpenBMP, ExaBGP, and raw BGP wire format
  • Compression support — transparent gzip/bzip2/zstd for MRT and other file formats
  • HTTP/HTTPS sources — read directly from URLs (e.g. RouteViews or RIS MRT archives)
  • External program integration — pipe messages through any process (exec, pipe stages)
  • WebSocket transport — exchange messages over encrypted WebSockets for remote processing
  • TCP-MD5 handling — add or drop TCP-MD5 independently on each side of a session
  • Live data feeds — stream from RIPE RIS Live or RouteViews in real time
  • Message tagging — attach metadata to messages for downstream filtering and routing decisions
  • 20 pipeline stages — composable building blocks, each doing one thing well (full list)

Project

bgpipe is hosted on GitHub under the MIT license, built on the bgpfix library.