This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] Add BGPsec support to Hosted RPKI?
Rubens Kuhl
rubensk at gmail.com
Mon Sep 20 01:06:54 CEST 2021
Hi Job.

Our experience in Brazil is that delegated RPKI is not much of an issue provided its software deployment is easy enough. Krill + Lagosta + Up/Down activation + Upwards ROA publishing adds to being really effective.

The Brazilian number resources ROA repository might be useful in seeing how far this can go:
https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frrdp%2Frepository.lacnic.net%2Frpki%2Flacnic%2F48f083bb-f603-4893-9990-0284c04ceb85%2Ffd25c9bb7e5cac7419fa9193770f64a6edf20c19.cer

That said, each region's mileage may vary...

Rubens

On Sun, Sep 19, 2021 at 7:29 PM Job Snijders via routing-wg <routing-wg at ripe.net> wrote:
>
> Dear all,
>
> [ TL;DR: What does the working group think about supporting an extension
> to the RPKI Dashboard to enable publication of BGPsec certs? ]
>
> At the moment the hosted "RPKI Dashboard" at https://my.ripe.net/#/rpki,
> only permits Resource Holders to create RPKI objects of one specific
> type: ROAs. However, a wider range of RPKI cryptographic product types
> also exists, for example: BGPsec Router Certificates [RFC 8209].
>
> BGPsec is an RPKI-based technology which enables network operators to
> transitively validate whether a given BGP UPDATE - indeed - passed
> through the Autonomous Systems listed in the path. One way to think of
> BGPsec is as an ECDSA protected network of channels between a receiving
> EBGP node; and one (or many) routers in the BGP route's Origin AS.
>
> I think BGPsec can be useful to protect "private peering" at large
> scale, and another use case is to increase confidence in routing
> information distributed via IXP Route/Blackhole Servers.
>
> Right now, routing protocol researchers and network operators wishing to
> publish BGPsec Router Keys, also have to learn how to master "Delegated
> RPKI": a deployment model with a steep learning curve. I think there are
> benefits to the community if RIPE NCC appends an activity to the "RPKI
> Planning and Roadmap" to implement procedures to sign and publish BGPsec
> Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API and
> dashboard WebUI.
>
> What do others think?
>
> Kind regards,
>
> Job
>
> Relevant documentation:
> https://datatracker.ietf.org/doc/html/rfc8209
> https://datatracker.ietf.org/doc/html/rfc8635
>