[routing-wg] Add BGPsec support to Hosted RPKI?
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Rubens Kuhl
rubensk at gmail.com
Mon Sep 20 01:06:54 CEST 2021
Hi Job. Our experience in Brazil is that delegated RPKI is not much of an issue provided its software deployment is easy enough. Krill + Lagosta + Up/Down activation + Upwards ROA publishing adds to being really effective. The Brazilian number resources ROA repository might be useful in seeing how far this can go: https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frrdp%2Frepository.lacnic.net%2Frpki%2Flacnic%2F48f083bb-f603-4893-9990-0284c04ceb85%2Ffd25c9bb7e5cac7419fa9193770f64a6edf20c19.cer That said, each region's mileage may vary... Rubens On Sun, Sep 19, 2021 at 7:29 PM Job Snijders via routing-wg <routing-wg at ripe.net> wrote: > > Dear all, > > [ TL;DR: What does the working group think about supporting an extension > to the RPKI Dashboard to enable publication of BGPsec certs? ] > > At the moment the hosted "RPKI Dashboard" at https://my.ripe.net/#/rpki, > only permits Resource Holders to create RPKI objects of one specific > type: ROAs. However, a wider range of RPKI cryptographic product types > also exists, for example: BGPsec Router Certificates [RFC 8209]. > > BGPsec is a RPKI-based technology which enables network operators to > transitively validate whether a given BGP UPDATE - indeed - passed > through the Autonomous Systems listed in the path. One way to think of > BGPsec is as an ECDSA protected network of channels between a receiving > EBGP node; and one (or many) routers in the BGP route's Origin AS. > > I think BGPsec can be useful to protect "private peering" at large > scale, and another use case is to increase confidence in routing > information distributed via IXP Route/Blackhole Servers. > > Right now, routing protocol researchers and network operators wishing to > publish BGPsec Router Keys, also have to learn how to master "Delegated > RPKI": a deployment model with a steep learning curve. I think there are > benefits to the community if RIPE NCC appends an activity to the "RPKI > Planning and Roadmap" to implement procedures to sign and publish BGPsec > Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API and > dashboard WebUI. > > What do others think? > > Kind regards, > > Job > > Relevant documentation: > https://datatracker.ietf.org/doc/html/rfc8209 > https://datatracker.ietf.org/doc/html/rfc8635 >
- Previous message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
- Next message (by thread): [routing-wg] Add BGPsec support to Hosted RPKI?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]