Hi guys


As far as i know, no vendor supports bgpsec, so what's the point of adding bgpsec support to hosted rpki?
also cause of encryption/decryption process via async encryption method, it's a resource intensive process so not all routers are able to handle it, also the more important part is bgpsec changes the normal behavior of bgp, for instance, update packing (update group) will be disabled. Are we just discussing the support of bgpsec certs on hosted rpki, and we would discuss bgpsec deployment impacts and open issues later?

On Mon, Oct 4, 2021, 2:55 PM Simon Muyal <smuyal@franceix.net> wrote:


Le 01/10/2021 à 17:06, marco@lamehost.it a écrit :
On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:

Dear all,

[ TL;DR: What does the working group think about supporting an
extension
         to the RPKI Dashboard to enable publication of BGPsec certs?
]

At the moment the hosted "RPKI Dashboard" at
https://my.ripe.net/#/rpki,
only permits Resource Holders to create RPKI objects of one specific
type: ROAs. However, a wider range of RPKI cryptographic product
types
also exists, for example: BGPsec Router Certificates [RFC 8209].

BGPsec is a RPKI-based technology which enables network operators to
transitively validate whether a given BGP UPDATE - indeed - passed
through the Autonomous Systems listed in the path. One way to think
of
BGPsec is as an ECDSA protected network of channels between a
receiving
EBGP node; and one (or many) routers in the BGP route's Origin AS.

I think BGPsec can be useful to protect "private peering" at large
scale, and another use case is to increase confidence in routing
information distributed via IXP Route/Blackhole Servers.

Right now, routing protocol researchers and network operators wishing
to
publish BGPsec Router Keys, also have to learn how to master
"Delegated
RPKI": a deployment model with a steep learning curve. I think there
are
benefits to the community if RIPE NCC appends an activity to the
"RPKI
Planning and Roadmap" to implement procedures to sign and publish
BGPsec
Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API
and
dashboard WebUI.

What do others think?

Kind regards,

Job

Relevant documentation:
https://datatracker.ietf.org/doc/html/rfc8209
https://datatracker.ietf.org/doc/html/rfc8635


Hello,

I support the idea as it would enable network operators to explore the
benefits of BGPsec in production environment. And the effort sounds
small
Hello all,

+1
The effort to enable publication of BGPsec certs on the RPKI dashboard seems reasonable as there is already an hosted RPKI and a portal to manage ROAs.
Having an hosted RPKI for BGPSec objects will help definitely operators who do not have the resources to manage a PKI

Regards

--
Simon MUYAL
Directeur Technique / Chief Technical Officer

Tel :+33 1 70 61 97 74
Site : www.franceix.net