[routing-wg] Add BGPsec support to Hosted RPKI?

Hi guys


As far as i know, no vendor supports bgpsec, so what's the point of adding
bgpsec support to hosted rpki?
also cause of encryption/decryption process via async encryption method,
it's a resource intensive process so not all routers are able to handle it,
also the more important part is bgpsec changes the normal behavior of bgp,
for instance, update packing (update group) will be disabled. Are we just
discussing the support of bgpsec certs on hosted rpki, and we would discuss
bgpsec deployment impacts and open issues later?

On Mon, Oct 4, 2021, 2:55 PM Simon Muyal <smuyal at franceix.net> wrote:

>
>
> Le 01/10/2021 à 17:06, marco at lamehost.it a écrit :
>
> On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:
>
> Dear all,
>
> [ TL;DR: What does the working group think about supporting an
> extension
>          to the RPKI Dashboard to enable publication of BGPsec certs?
> ]
>
> At the moment the hosted "RPKI Dashboard" athttps://my.ripe.net/#/rpki,
> only permits Resource Holders to create RPKI objects of one specific
> type: ROAs. However, a wider range of RPKI cryptographic product
> types
> also exists, for example: BGPsec Router Certificates [RFC 8209].
>
> BGPsec is a RPKI-based technology which enables network operators to
> transitively validate whether a given BGP UPDATE - indeed - passed
> through the Autonomous Systems listed in the path. One way to think
> of
> BGPsec is as an ECDSA protected network of channels between a
> receiving
> EBGP node; and one (or many) routers in the BGP route's Origin AS.
>
> I think BGPsec can be useful to protect "private peering" at large
> scale, and another use case is to increase confidence in routing
> information distributed via IXP Route/Blackhole Servers.
>
> Right now, routing protocol researchers and network operators wishing
> to
> publish BGPsec Router Keys, also have to learn how to master
> "Delegated
> RPKI": a deployment model with a steep learning curve. I think there
> are
> benefits to the community if RIPE NCC appends an activity to the
> "RPKI
> Planning and Roadmap" to implement procedures to sign and publish
> BGPsec
> Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API
> and
> dashboard WebUI.
>
> What do others think?
>
> Kind regards,
>
> Job
>
> Relevant documentation:https://datatracker.ietf.org/doc/html/rfc8209https://datatracker.ietf.org/doc/html/rfc8635
>
>
> Hello,
>
> I support the idea as it would enable network operators to explore the
> benefits of BGPsec in production environment. And the effort sounds
> small
>
> Hello all,
>
> +1
> The effort to enable publication of BGPsec certs on the RPKI dashboard
> seems reasonable as there is already an hosted RPKI and a portal to manage
> ROAs.
> Having an hosted RPKI for BGPSec objects will help definitely operators
> who do not have the resources to manage a PKI
>
>
> Regards
>
>
>
>
> --
> ------------------------------
> <https://franceix.net>
> <https://franceix.net>
> Simon *MUYAL*
> *Directeur Technique / Chief Technical Officer*
>
> Tel :*+33 1 70 61 97 74*
> Site : www.franceix.net
> <https://blog.franceix.net/france-ix-and-rezopole-become-one/>
> <https://fr-fr.facebook.com/ixpfranceix/>
> <https://twitter.com/ixpfranceix>
> <https://www.linkedin.com/company/france-ix/?originalSubdomain=fr>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/routing-wg/attachments/20211004/88c5e00f/attachment-0001.html>