Hi guys As far as i know, no vendor supports bgpsec, so what's the point of adding bgpsec support to hosted rpki? also cause of encryption/decryption process via async encryption method, it's a resource intensive process so not all routers are able to handle it, also the more important part is bgpsec changes the normal behavior of bgp, for instance, update packing (update group) will be disabled. Are we just discussing the support of bgpsec certs on hosted rpki, and we would discuss bgpsec deployment impacts and open issues later? On Mon, Oct 4, 2021, 2:55 PM Simon Muyal <smuyal@franceix.net> wrote:
Le 01/10/2021 à 17:06, marco@lamehost.it a écrit :
On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:
Dear all,
[ TL;DR: What does the working group think about supporting an extension to the RPKI Dashboard to enable publication of BGPsec certs? ]
At the moment the hosted "RPKI Dashboard" athttps://my.ripe.net/#/rpki, only permits Resource Holders to create RPKI objects of one specific type: ROAs. However, a wider range of RPKI cryptographic product types also exists, for example: BGPsec Router Certificates [RFC 8209].
BGPsec is a RPKI-based technology which enables network operators to transitively validate whether a given BGP UPDATE - indeed - passed through the Autonomous Systems listed in the path. One way to think of BGPsec is as an ECDSA protected network of channels between a receiving EBGP node; and one (or many) routers in the BGP route's Origin AS.
I think BGPsec can be useful to protect "private peering" at large scale, and another use case is to increase confidence in routing information distributed via IXP Route/Blackhole Servers.
Right now, routing protocol researchers and network operators wishing to publish BGPsec Router Keys, also have to learn how to master "Delegated RPKI": a deployment model with a steep learning curve. I think there are benefits to the community if RIPE NCC appends an activity to the "RPKI Planning and Roadmap" to implement procedures to sign and publish BGPsec Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API and dashboard WebUI.
What do others think?
Kind regards,
Job
Relevant documentation:https://datatracker.ietf.org/doc/html/rfc8209https://datatracker.ietf.org/do...
Hello,
I support the idea as it would enable network operators to explore the benefits of BGPsec in production environment. And the effort sounds small
Hello all,
+1 The effort to enable publication of BGPsec certs on the RPKI dashboard seems reasonable as there is already an hosted RPKI and a portal to manage ROAs. Having an hosted RPKI for BGPSec objects will help definitely operators who do not have the resources to manage a PKI
Regards
-- ------------------------------ <https://franceix.net> <https://franceix.net> Simon *MUYAL* *Directeur Technique / Chief Technical Officer*
Tel :*+33 1 70 61 97 74* Site : www.franceix.net <https://blog.franceix.net/france-ix-and-rezopole-become-one/> <https://fr-fr.facebook.com/ixpfranceix/> <https://twitter.com/ixpfranceix> <https://www.linkedin.com/company/france-ix/?originalSubdomain=fr>