This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] Add BGPsec support to Hosted RPKI?
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Matthew Walster
matthew at walster.org
Mon Oct 11 13:15:21 CEST 2021
On Mon, 11 Oct 2021 at 11:52, Tim Bruijnzeels <tim at nlnetlabs.nl> wrote: > > On 11 Oct 2021, at 12:45, Matthew Walster <matthew at walster.org> wrote: > > > > I genuinely don't understand the reason for obstruction here, what am I > missing? > > Perhaps this sentence could have made clear that I am not 'obstructing': > My apologies if I've also misread. > "In that context, I am not against BGPSec as such, there are just things > that I > would like to see first." > > In any case, I know it's not my decision to make. Feedback was asked. I > gave my 2cts Indeed, and it's good to hear from those with a dissenting opinion also. I, too, am wary about BGPsec -- mostly from a pragmatic operational point-of-view rather than a technical one. The barrier to entry has to be sufficiently low that it is almost a no-brainer to turn BGPsec on within a router, even if the policies to filter are not implemented, having the signing of your own prefix originations strengthens the trust and reliability in RPKI OV. I think there's a lot that needs to be analysed, tested, and potentially altered before it becomes mainstream. As you quite rightly say, there are things that need to be seen first -- and one of those things is the availability of router signing keys in RPKI to do offline analysis. Signing and not verifying would produce a great deal of useful data to guide the future of both BGPsec and projects like ASPA. Hence, the addition of router signing keys into the hosted RPKI offering does seem like a win-win to me, regardless of how BGPsec turns out, having the keys in the repo is definitely something that I feel would be of benefit. Matthew Walster -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/routing-wg/attachments/20211011/4bca0ad3/attachment.html>
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]