On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:
Dear all,
[ TL;DR: What does the working group think about supporting an
extension
to the RPKI Dashboard to enable publication of BGPsec certs?
]
At the moment the hosted "RPKI Dashboard" at
https://my.ripe.net/#/rpki,
only permits Resource Holders to create RPKI objects of one specific
type: ROAs. However, a wider range of RPKI cryptographic product
types
also exists, for example: BGPsec Router Certificates [RFC 8209].
BGPsec is a RPKI-based technology which enables network operators to
transitively validate whether a given BGP UPDATE - indeed - passed
through the Autonomous Systems listed in the path. One way to think
of
BGPsec is as an ECDSA protected network of channels between a
receiving
EBGP node; and one (or many) routers in the BGP route's Origin AS.
I think BGPsec can be useful to protect "private peering" at large
scale, and another use case is to increase confidence in routing
information distributed via IXP Route/Blackhole Servers.
Right now, routing protocol researchers and network operators wishing
to
publish BGPsec Router Keys, also have to learn how to master
"Delegated
RPKI": a deployment model with a steep learning curve. I think there
are
benefits to the community if RIPE NCC appends an activity to the
"RPKI
Planning and Roadmap" to implement procedures to sign and publish
BGPsec
Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API
and
dashboard WebUI.
What do others think?
Kind regards,
Job
Relevant documentation:
https://datatracker.ietf.org/doc/html/rfc8209
https://datatracker.ietf.org/doc/html/rfc8635
Hello,
I support the idea as it would enable network operators to explore the
benefits of BGPsec in production environment. And the effort sounds
small
Hello all,
