[routing-wg] Add BGPsec support to Hosted RPKI?
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Randy Bush
randy at psg.com
Mon Oct 11 13:29:57 CEST 2021
> RIPE NCC may have substantial resources, but they are applied sequentially. Perhaps > RIPE NCC can shed a light on the effort involved, but I suspect it's more than > we might think. > > In that context, I am not against BGPSec as such, there are just things that I > would like to see first: > > 1. Publication Service > > I think this has immediate applicability to anyone considering running a delegated > CA. It's also in the interest of the ecosystem to limit the excessive growth in the > number of repositories. as what the ncc would be 'selling' here is reliability, i suspect this would be part of a distributed deployment accenting reliability, maybe part of the cloudy thing. so it may take a while and be part of a project consuming a fair amount of resource, as you point out. > 2. ASPA > > This is in draft status, but so were ROAs when the production system launched in > January 2011 (I should know, I was part of the RIPE NCC software team at the time, > been reading and writing I-Ds and RFCs since 2009). > > ASPA is orthogonal to BGPSec. It lets AS holders declare who their upstreams are > (in the context of BGP Path, not business relation). Even if this information is > not yet used in routers in an automated way, a clear text validated output with > this information can already be valuable to operators, e.g. for provisioning. > (This is also how ROAs were oftentimes used in the early days). yup. and much more easily deployed than bgpsec. and small resource consumption by the ncc. > Wrt BGPSec.. I am actually very happy to see that so many people are in favor of > supporting it. I hope that router vendors are watching. To the best of my knowledge > BGPSec has only been implemented in Bird and Quagga. The main value of supporting > BGPSec in the hosted system would not be to test the protocol as such. This has > already been done using Bird and Quagga and the RPKI tool set by Dragon Research > Labs. > > It would really help to convince my idea of priority on this if at least a couple > of router vendors would indicate that they are willing to listen to operator wishes > here and implement. i know some vendors looking for phd student(s) or post-doc(s) to have a go at this. if you know of such, feel free to drop me a line. randy
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]