On 01/10/2021 at 17:06, marco@lamehost.it wrote:
On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:
Dear all,
[ TL;DR: What does the working group think about supporting an extension to the RPKI Dashboard to enable publication of BGPsec certs? ]
At the moment the hosted "RPKI Dashboard" at https://my.ripe.net/#/rpki only permits Resource Holders to create RPKI objects of one specific type: ROAs. However, a wider range of RPKI cryptographic product types also exists, for example: BGPsec Router Certificates [RFC 8209].
BGPsec is an RPKI-based technology which enables network operators to transitively validate whether a given BGP UPDATE - indeed - passed through the Autonomous Systems listed in the path. One way to think of BGPsec is as an ECDSA protected network of channels between a receiving EBGP node, and one (or many) routers in the BGP route's Origin AS.
I think BGPsec can be useful to protect "private peering" at large scale, and another use case is to increase confidence in routing information distributed via IXP Route/Blackhole Servers.
Right now, routing protocol researchers and network operators wishing to publish BGPsec Router Keys also have to learn how to master "Delegated RPKI": a deployment model with a steep learning curve. I think there are benefits to the community if RIPE NCC appends an activity to the "RPKI Planning and Roadmap" to implement procedures to sign and publish BGPsec Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API and dashboard WebUI.
What do others think?
Kind regards,
Job
Relevant documentation: https://datatracker.ietf.org/doc/html/rfc8209 https://datatracker.ietf.org/doc/html/rfc8635
Hello,
I support the idea as it would enable network operators to explore the benefits of BGPsec in a production environment. And the effort sounds small

Hello all,
+1 The effort to enable publication of BGPsec certs on the RPKI dashboard seems reasonable as there is already a hosted RPKI and a portal to manage ROAs. Having a hosted RPKI for BGPsec objects will definitely help operators who do not have the resources to manage a PKI.
Regards
--
Simon MUYAL
Directeur Technique / Chief Technical Officer, France-IX
Tel: +33 1 70 61 97 74
Site: https://franceix.net
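The PKCS#10 exchange Job proposes has two halves: the router (or the operator on its behalf, as RFC 8635 allows) produces a certificate request, and the hosted CA checks that request before issuing a router certificate. The following Go program is an added example written for this thread; it is not code from any of the posters, from RIPE NCC or from the RPKI Dashboard. It assumes the RFC 8209 subject convention of a CN of "ROUTER-" followed by the AS number as eight hex digits (check the RFC text before relying on the exact form), restricts keys to ECDSA P-256 with SHA-256 as RFC 8208 requires, and adds an authorization gate so the CA never issues a router certificate for an AS the requesting resource holder does not hold. Function names and the AS numbers in `main` are constructed for illustration; the serialNumber attribute, the RFC 3779 AS extension and the PKCS#7 return envelope are left to the issuing CA and are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// NewRouterCSR is the router/operator side: it generates a P-256 key pair
// and a PKCS#10 request naming the AS the key will sign for. Only the DER
// request leaves the router; the private key never does. The CN form is
// the RFC 8209 convention assumed by this example.
func NewRouterCSR(asn uint32) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: fmt.Sprintf("ROUTER-%08X", asn)},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// routerCN accepts "ROUTER-" plus eight hex digits (either case).
var routerCN = regexp.MustCompile(`^ROUTER-([0-9A-Fa-f]{8})$`)

// CheckRouterCSR is the CA-side syntax and proof-of-possession gate. It
// returns the AS number the request claims, or an error saying why the
// request must be rejected before any certificate is signed.
func CheckRouterCSR(der []byte) (uint32, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return 0, fmt.Errorf("malformed PKCS#10: %w", err)
	}
	// Proof of possession: the request must verify under the key it carries,
	// otherwise anyone could ask for a certificate over someone else's key.
	if err := csr.CheckSignature(); err != nil {
		return 0, fmt.Errorf("bad proof of possession: %w", err)
	}
	// RFC 8208 fixes the BGPsec algorithm suite to ECDSA P-256 / SHA-256.
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return 0, errors.New("public key is not ECDSA P-256")
	}
	if csr.SignatureAlgorithm != x509.ECDSAWithSHA256 {
		return 0, errors.New("request is not signed with ECDSA-SHA256")
	}
	m := routerCN.FindStringSubmatch(csr.Subject.CommonName)
	if m == nil {
		return 0, fmt.Errorf("CN %q is not of the form ROUTER-<8 hex digits>", csr.Subject.CommonName)
	}
	asn, err := strconv.ParseUint(m[1], 16, 32)
	if err != nil {
		return 0, err
	}
	return uint32(asn), nil
}

// AuthorizeRouterCSR is the dashboard's policy gate: the AS named in the
// request must be one the logged-in resource holder actually holds
// (heldASNs is what the registry says about that holder). Without this
// check a hosted CA would let any member mint router keys for any AS.
func AuthorizeRouterCSR(der []byte, heldASNs []uint32) error {
	asn, err := CheckRouterCSR(der)
	if err != nil {
		return err
	}
	for _, h := range heldASNs {
		if h == asn {
			return nil
		}
	}
	return fmt.Errorf("AS%d is not held by the requesting resource holder", asn)
}

func main() {
	// Constructed values: a private-use AS and the holder's registry ASNs.
	_, der, err := NewRouterCSR(64512)
	if err != nil {
		panic(err)
	}
	fmt.Println("holder of AS64512:", AuthorizeRouterCSR(der, []uint32{64512}))
	fmt.Println("holder of AS64513:", AuthorizeRouterCSR(der, []uint32{64513}))
}
```

The two gates are deliberately separate: `CheckRouterCSR` is about the request being well formed and the key being the requester's, while `AuthorizeRouterCSR` ties the request to the resources the portal already knows the member holds, which is the same binding the ROA workflow on the dashboard already enforces for prefixes.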