This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] Add BGPsec support to Hosted RPKI?
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Simon Muyal
smuyal at franceix.net
Mon Oct 4 13:24:31 CEST 2021
Le 01/10/2021 à 17:06, marco at lamehost.it a écrit : > On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote: >> Dear all, >> >> [ TL;DR: What does the working group think about supporting an >> extension >> to the RPKI Dashboard to enable publication of BGPsec certs? >> ] >> >> At the moment the hosted "RPKI Dashboard" at >> https://my.ripe.net/#/rpki, >> only permits Resource Holders to create RPKI objects of one specific >> type: ROAs. However, a wider range of RPKI cryptographic product >> types >> also exists, for example: BGPsec Router Certificates [RFC 8209]. >> >> BGPsec is a RPKI-based technology which enables network operators to >> transitively validate whether a given BGP UPDATE - indeed - passed >> through the Autonomous Systems listed in the path. One way to think >> of >> BGPsec is as an ECDSA protected network of channels between a >> receiving >> EBGP node; and one (or many) routers in the BGP route's Origin AS. >> >> I think BGPsec can be useful to protect "private peering" at large >> scale, and another use case is to increase confidence in routing >> information distributed via IXP Route/Blackhole Servers. >> >> Right now, routing protocol researchers and network operators wishing >> to >> publish BGPsec Router Keys, also have to learn how to master >> "Delegated >> RPKI": a deployment model with a steep learning curve. I think there >> are >> benefits to the community if RIPE NCC appends an activity to the >> "RPKI >> Planning and Roadmap" to implement procedures to sign and publish >> BGPsec >> Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API >> and >> dashboard WebUI. >> >> What do others think? >> >> Kind regards, >> >> Job >> >> Relevant documentation: >> https://datatracker.ietf.org/doc/html/rfc8209 >> https://datatracker.ietf.org/doc/html/rfc8635 >> > Hello, > > I support the idea as it would enable network operators to explore the > benefits of BGPsec in production environment. And the effort sounds > small Hello all, +1 The effort to enable publication of BGPsec certs on the RPKI dashboard seems reasonable as there is already an hosted RPKI and a portal to manage ROAs. Having an hosted RPKI for BGPSec objects will help definitely operators who do not have the resources to manage a PKI > Regards > > -- ------------------------------------------------------------------------ <https://franceix.net> <https://franceix.net> Simon *MUYAL* *Directeur Technique / Chief Technical Officer* Tel :*+33 1 70 61 97 74* Site : www.franceix.net <http://www.franceix.net> <https://blog.franceix.net/france-ix-and-rezopole-become-one/> <https://fr-fr.facebook.com/ixpfranceix/> <https://twitter.com/ixpfranceix> <https://www.linkedin.com/company/france-ix/?originalSubdomain=fr> -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/routing-wg/attachments/20211004/0e46e4ad/attachment.html>
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]