As far as I know, no vendor supports BGPsec, so what's the point of adding BGPsec support to hosted RPKI?
There already are multiple RPKI validators which support BGPsec, multiple signers, and multiple BGPsec-capable BGP implementations. Whether one likes the currently available choices is of course a somewhat subjective matter. :-)
BGPsec - at present - definitely isn’t the operators’ “go-to” tool; but the specification has been published via the IETF RFC standards track, received significant scrutiny, and multiple independent implementations have been produced. It takes a lot of community effort to go from 0 to 1, and from 1 to 100.
I think adding BGPsec support to hosted RPKI management dashboards might help make BGPsec more mainstream, in turn increasing demand for additional (commercial off the shelf) implementations. The effects of obstacles to deployment often appear to compound.
Also, because of the encryption/decryption process via an async encryption method, it's a resource-intensive process, so not all routers are able to handle it. Also, the more important part is that BGPsec changes the normal behavior of BGP; for instance, update packing (update group) will be disabled.
Indeed, it is always important to use equipment suitable for the job at hand. It might make sense to keep an eye out for BGP routers with AVX512 support in their CPU, rather than attempting to retrofit this type of tech onto 32-bit PowerPC based platforms. :-)
Are we just discussing the support of BGPsec certs on hosted RPKI, and would we discuss BGPsec deployment impacts and open issues later?
I believe the current discussion is about the first aspect. But I love and welcome dialogue on deployment impact and any open issues (so the community can work on addressing each and every issue)!
Evaluating and (potentially) deploying BGPsec in production environments is a multi-year project, just like RPKI-based BGP Origin Validation was.
Kind regards,
Job