On Mon, 11 Oct 2021 at 12:29, Randy Bush <randy@psg.com> wrote:
ASPA is orthogonal to BGPSec. It lets AS holders declare who their upstreams are (in the context of BGP Path, not business relation). Even if this information is not yet used in routers in an automated way, a clear text validated output with this information can already be valuable to operators, e.g. for provisioning. (This is also how ROAs were oftentimes used in the early days).
yup. and much more easily deployed than bgpsec. and small resource consumption by the ncc.
Could you explain this further for me? AIUI, the requirements on the RPKI repo for BGPsec is just the signing keys being uploaded, with an attestation as to the ASNs that they are permitted to sign for. ASPA requires a relatively huge amount of stuff to be specified (specifying your upstreams etc) in comparison that requires frequent updates, whereas router signing keys will be dwarfed by ROAs etc, there being far more prefixes than there are border routers.

Or have I missed something here? (I'm not trolling, I genuinely want to understand if I'm overlooking some major part).

Matthew Walster