On Mon, Oct 11, 2021 at 11:33:40AM +0200, Tim Bruijnzeels wrote:
Why now?
There are published RFC and running code. Time for the next step.
RIPE NCC may have substantial resources, but they are applied sequentially. Perhaps RIPE NCC can shed a light on the effort involved, but I suspect it's more than we might think.
It is not clear to me what you mean with "more than we might think". I think a standard PKCS#10 / PKCS#7 exchange is less involved than implementing support for an entirely new Signed Object profile? Additionally, to implement BGPsec support in the hosted environment, the developers can take inspiration from prior-art. For ASPA no examples exist yet.
In that context, I am not against BGPSec as such, there are just things that I would like to see first:
Thank you for sharing your personal wishlist. The above 'context' seems to depend on an assumption that work progresses sequentially.
1. Publication Service
I think this has immediate applicability to anyone considering running a delegated CA. It's also in the interest of the ecosystem to limit the excessive growth in the number of repositories.
2. ASPA
This is in draft status, but so were ROAs when the production system launched in January 2011.
I'll with the working group a brief overview of where ASPA is, which should help understand why ASPA probably is more of a 2022/2023 project. I'm personally involved as co-author of the ASPA specification. * ASPA is 2 drafts, 0 RFCs: https://datatracker.ietf.org/doc/search/?name=aspa&activedrafts=on&rfcs=on This means that ASPA has not yet received review from the wider IETF community. * As of yet no codepoints have been assigned to ASPA https://www.iana.org/assignments/rpki/rpki.xhtml * No RPKI-to-Router protocol extension has been proposed for ASPA. * At the IETF 111 SIDROPS meeting it was suggested to first construct a testbed before moving ASPA forward. See slids 11 and onwards: https://datatracker.ietf.org/meeting/111/materials/slides-111-sidrops-runnin... The testbed does not exist yet: https://github.com/SIDROPS/ASPA-testbed * ASPA's running code status page still is empty https://trac.ietf.org/trac/sidrops/wiki ("AspaImplementations?" is a non-existing wiki page) * Only a few months ago an issue was discovered in the ASPA verification algorithm in relationship to IX Route Servers. This has since been resolved (in -07 of the draft). To me it is an indicator that ASPA's specification still is in flux. All in all ASPA undeniably is making progress, I would love for a RPKI-based routing policy signaling mechanism to exist, but there is a lot of work yet to be done. I would suggest to start a discussion about adding ASPA to the RPKI Quarterly planning as soon as passed at least "IETF Working Group Last Call". Kind regards, Job