[routing-wg] Add BGPsec support to Hosted RPKI?

On Mon, 11 Oct 2021 at 11:52, Tim Bruijnzeels <tim at nlnetlabs.nl> wrote:

> > On 11 Oct 2021, at 12:45, Matthew Walster <matthew at walster.org> wrote:
> >
> >  I genuinely don't understand the reason for obstruction here, what am I
> missing?
>
> Perhaps this sentence could have made clear that I am not 'obstructing':
>

My apologies if I've also misread.


>  "In that context, I am not against BGPSec as such, there are just things
> that I
> would like to see first."
>
> In any case, I know it's not my decision to make. Feedback was asked. I
> gave my 2cts


Indeed, and it's good to hear from those with a dissenting opinion also.

I, too, am wary about BGPsec -- mostly from a pragmatic operational
point-of-view rather than a technical one. The barrier to entry has to be
sufficiently low that it is almost a no-brainer to turn BGPsec on within a
router, even if the policies to filter are not implemented, having the
signing of your own prefix originations strengthens the trust and
reliability in RPKI OV.

I think there's a lot that needs to be analysed, tested, and potentially
altered before it becomes mainstream. As you quite rightly say, there are
things that need to be seen first -- and one of those things is the
availability of router signing keys in RPKI to do offline analysis. Signing
and not verifying would produce a great deal of useful data to guide
the future of both BGPsec and projects like ASPA.

Hence, the addition of router signing keys into the hosted RPKI offering
does seem like a win-win to me, regardless of how BGPsec turns out, having
the keys in the repo is definitely something that I feel would be
of benefit.

Matthew Walster
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/routing-wg/attachments/20211011/4bca0ad3/attachment.html>