Hi Tim, May I suggest to read the RFC's about BGPSec and spin up something in an environment to do some testing with BGP and BGPSec. Normally I would suggest people to do some research, but they might end up on Facebook and in the light of last Monday .. doing research on BGP and Facebook, might be a different rabbit hole .. ;-) Back in 2008 we did some policy work here in the community for RPKI .. there were only a couple CLI based "validators", most routers vendors had no idea what RPKI was .. and still we asked the RIPE NCC to do work on RPKI. If you don't recall that, perhaps Alex B. can provide some history on that process __ What Job asked is to see if we should start with a similar process for BGPSec. We start with publishing and monitoring ... and who knows when and if this will become mainstream .. But if we don't start somewhere .. it will never get anywhere .. The question and discussion isn't about if someone likes BGPSec or if it will ever become mainstream .. or if someone will personally ever use it .. or if the current status of the RFC's isn't finished yet to the final version .. In order to be able to asses this for the community .. there need to be some tools in place .. to make it easier for it to even go to that step. At some point the community will do some testing, find bugs in current implementations that the RFC authors didn't foresee .. that is how things go .. we fix shizzle. Hope that this clarifies. Just my 2cp, Regards, Erik Bais On 07/10/2021, 11:41, "routing-wg on behalf of Tim Bruijnzeels" <routing-wg-bounces@ripe.net on behalf of tim@nlnetlabs.nl> wrote: Hi Randy, all, > On 6 Oct 2021, at 17:10, Randy Bush <randy@psg.com> wrote: > >> A fundamental issue that I see is that BGPSec validation only has >> 'valid' or 'invalid'. > > just as ROV has: Valid and Invalid. > > hard to have other states in a crypto-based validation; though i have > faith that some creative types could come up with something. please > color it magenta :) > > and, just as ROV has NotFound, BGPsec has not signed. Please bear with me, it is not my intention to misrepresent things. I meant what I said with "I would *love* BGPSec to succeed" - no sarcasm or other meanings were intended. If BGPSec really is incrementally deployable then I have no objections to giving operators the means to create BGPSec certificates in the hosted system, and doing the same myself in Krill for that matter. Although I still believe it would then also be good - as I believe you hinted at as well - to hear if there are plans by router vendors to support this. Back to this point. I honestly want to understand it thoroughly. It is very well possible that I misunderstood or misremembered parts, but if so, ?I am not alone in this and it can help to ask the questions: A BGPSec certificate published in the RPKI can be valid or invalid. If it is valid, then the public router key can be used for BGPSec validation. Correct? Normal non-BGPSec updates are unsigned. They are neither BGPSec valid nor invalid, correct? A path can only be BGPSec evaluated of if it consists entirely of BGPSec updates, signed by each AS on the path. Broadly speaking the path is valid if all updates are valid, and otherwise it's invalid (section 5.2 of RFC8205). Correct? In principle therefore, operators can use local policy where they would reject a BGPSec *invalid* path, but accept unsigned paths. Correct? However.. I seem to remember it being brought up that this would allow malicious actors to do a downgrade attack where they simply remove the BGPSec signatures, resulting in a path that looks 'unsigned' rather than 'invalid'. Correct? My understanding of the incremental deployment considerations (section 7.9 of RFC 8205), rephrased by Job in his message, is that BGPSec validation can be mutually agreed on in islands. In other words, it's explicitly turned on. Correct? Question: would unsigned paths be acceptable? Other question: was it ever considered, and dismissed, to make the decision to use BGPSec validation automated? An approach that I can think of would be to assume that if, and only if, all ASNs on the path have published BGPSec certificates this can be read as a pledge that they will in fact do BGPSec. If so one could then also reject 'unsigned' here, and be safe against the downgrade attack. I don't know for a fact that this will work, but I am asking the question because I believe that automation will help. Manually deciding to turn this on on individual sessions will scale more painfully, let alone trying this cross transit. Kind regards, Tim > > randy