This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] Add BGPsec support to Hosted RPKI?
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Randy Bush
randy at psg.com
Mon Oct 11 13:29:57 CEST 2021
> RIPE NCC may have substantial resources, but they are applied sequentially. Perhaps > RIPE NCC can shed a light on the effort involved, but I suspect it's more than > we might think. > > In that context, I am not against BGPSec as such, there are just things that I > would like to see first: > > 1. Publication Service > > I think this has immediate applicability to anyone considering running a delegated > CA. It's also in the interest of the ecosystem to limit the excessive growth in the > number of repositories. as what the ncc would be 'selling' here is reliability, i suspect this would be part of a distributed deployment accenting reliability, maybe part of the cloudy thing. so it may take a while and be part of a project consuming a fair amount of resource, as you point out. > 2. ASPA > > This is in draft status, but so were ROAs when the production system launched in > January 2011 (I should know, I was part of the RIPE NCC software team at the time, > been reading and writing I-Ds and RFCs since 2009). > > ASPA is orthogonal to BGPSec. It lets AS holders declare who their upstreams are > (in the context of BGP Path, not business relation). Even if this information is > not yet used in routers in an automated way, a clear text validated output with > this information can already be valuable to operators, e.g. for provisioning. > (This is also how ROAs were oftentimes used in the early days). yup. and much more easily deployed than bgpsec. and small resource consumption by the ncc. > Wrt BGPSec.. I am actually very happy to see that so many people are in favor of > supporting it. I hope that router vendors are watching. To the best of my knowledge > BGPSec has only been implemented in Bird and Quagga. The main value of supporting > BGPSec in the hosted system would not be to test the protocol as such. This has > already been done using Bird and Quagga and the RPKI tool set by Dragon Research > Labs. > > It would really help to convince my idea of priority on this if at least a couple > of router vendors would indicate that they are willing to listen to operator wishes > here and implement. i know some vendors looking for phd student(s) or post-doc(s) to have a go at this. if you know of such, feel free to drop me a line. randy
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]