[routing-wg] Add BGPsec support to Hosted RPKI?

On Mon, 11 Oct 2021 at 12:29, Randy Bush <randy at psg.com> wrote:

> > ASPA is orthogonal to BGPSec. It lets AS holders declare who their
> upstreams are
> > (in the context of BGP Path, not business relation). Even if this
> information is
> > not yet used in routers in an automated way, a clear text validated
> output with
> > this information can already be valuable to operators, e.g. for
> provisioning.
> > (This is also how ROAs were oftentimes used in the early days).
>
> yup.  and much more easily deployed than bgpsec.  and small resource
> consumption by the ncc.
>

Could you explain this further for me? AIUI, the requirements on the RPKI
repo for BGPsec is just the signing keys being uploaded, with an
attestation as to the ASNs that they are permitted to sign for. ASPA
requires a relatively huge amount of stuff to be specified (specifying your
upstreams etc) in comparison that requires frequent updates, whereas router
signing keys will be dwarfed by ROAs etc, there being far more prefixes
than there are border routers.

Or have I missed something here? (I'm not trolling, I genuinely want to
understand if I'm overlooking some major part).

Matthew Walster
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/routing-wg/attachments/20211011/fff9d609/attachment.html>