[routing-wg] Add BGPsec support to Hosted RPKI?
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Simon Muyal
smuyal at franceix.net
Mon Oct 4 13:24:31 CEST 2021
Le 01/10/2021 à 17:06, marco at lamehost.it a écrit : > On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote: >> Dear all, >> >> [ TL;DR: What does the working group think about supporting an >> extension >> to the RPKI Dashboard to enable publication of BGPsec certs? >> ] >> >> At the moment the hosted "RPKI Dashboard" at >> https://my.ripe.net/#/rpki, >> only permits Resource Holders to create RPKI objects of one specific >> type: ROAs. However, a wider range of RPKI cryptographic product >> types >> also exists, for example: BGPsec Router Certificates [RFC 8209]. >> >> BGPsec is a RPKI-based technology which enables network operators to >> transitively validate whether a given BGP UPDATE - indeed - passed >> through the Autonomous Systems listed in the path. One way to think >> of >> BGPsec is as an ECDSA protected network of channels between a >> receiving >> EBGP node; and one (or many) routers in the BGP route's Origin AS. >> >> I think BGPsec can be useful to protect "private peering" at large >> scale, and another use case is to increase confidence in routing >> information distributed via IXP Route/Blackhole Servers. >> >> Right now, routing protocol researchers and network operators wishing >> to >> publish BGPsec Router Keys, also have to learn how to master >> "Delegated >> RPKI": a deployment model with a steep learning curve. I think there >> are >> benefits to the community if RIPE NCC appends an activity to the >> "RPKI >> Planning and Roadmap" to implement procedures to sign and publish >> BGPsec >> Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API >> and >> dashboard WebUI. >> >> What do others think? >> >> Kind regards, >> >> Job >> >> Relevant documentation: >> https://datatracker.ietf.org/doc/html/rfc8209 >> https://datatracker.ietf.org/doc/html/rfc8635 >> > Hello, > > I support the idea as it would enable network operators to explore the > benefits of BGPsec in production environment. And the effort sounds > small Hello all, +1 The effort to enable publication of BGPsec certs on the RPKI dashboard seems reasonable as there is already an hosted RPKI and a portal to manage ROAs. Having an hosted RPKI for BGPSec objects will help definitely operators who do not have the resources to manage a PKI > Regards > > -- ------------------------------------------------------------------------ <https://franceix.net> <https://franceix.net> Simon *MUYAL* *Directeur Technique / Chief Technical Officer* Tel :*+33 1 70 61 97 74* Site : www.franceix.net <http://www.franceix.net> <https://blog.franceix.net/france-ix-and-rezopole-become-one/> <https://fr-fr.facebook.com/ixpfranceix/> <https://twitter.com/ixpfranceix> <https://www.linkedin.com/company/france-ix/?originalSubdomain=fr> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.ripe.net/ripe/mail/archives/routing-wg/attachments/20211004/0e46e4ad/attachment.html>
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]