[routing-wg] Add BGPsec support to Hosted RPKI?

On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:
> Dear all,
> 
> [ TL;DR: What does the working group think about supporting an
> extension
>          to the RPKI Dashboard to enable publication of BGPsec certs?
> ]
> 
> At the moment the hosted "RPKI Dashboard" at
> https://my.ripe.net/#/rpki,
> only permits Resource Holders to create RPKI objects of one specific
> type: ROAs. However, a wider range of RPKI cryptographic product
> types
> also exists, for example: BGPsec Router Certificates [RFC 8209].
> 
> BGPsec is a RPKI-based technology which enables network operators to
> transitively validate whether a given BGP UPDATE - indeed - passed
> through the Autonomous Systems listed in the path. One way to think
> of
> BGPsec is as an ECDSA protected network of channels between a
> receiving
> EBGP node; and one (or many) routers in the BGP route's Origin AS.
> 
> I think BGPsec can be useful to protect "private peering" at large
> scale, and another use case is to increase confidence in routing
> information distributed via IXP Route/Blackhole Servers.
> 
> Right now, routing protocol researchers and network operators wishing
> to
> publish BGPsec Router Keys, also have to learn how to master
> "Delegated
> RPKI": a deployment model with a steep learning curve. I think there
> are
> benefits to the community if RIPE NCC appends an activity to the
> "RPKI
> Planning and Roadmap" to implement procedures to sign and publish
> BGPsec
> Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API
> and
> dashboard WebUI.
> 
> What do others think?
> 
> Kind regards,
> 
> Job
> 
> Relevant documentation:
> https://datatracker.ietf.org/doc/html/rfc8209
> https://datatracker.ietf.org/doc/html/rfc8635
> 

Hello,

I support the idea as it would enable network operators to explore the
benefits of BGPsec in production environment. And the effort sounds
small

Regards