On Mon, 2021-09-20 at 00:28 +0200, job at fastly.com wrote:
> Dear all,
> 
> [ TL;DR: What does the working group think about supporting an extension
>          to the RPKI Dashboard to enable publication of BGPsec certs? ]
> 
> At the moment the hosted "RPKI Dashboard" at https://my.ripe.net/#/rpki,
> only permits Resource Holders to create RPKI objects of one specific
> type: ROAs. However, a wider range of RPKI cryptographic product types
> also exists, for example: BGPsec Router Certificates [RFC 8209].
> 
> BGPsec is an RPKI-based technology which enables network operators to
> transitively validate whether a given BGP UPDATE - indeed - passed
> through the Autonomous Systems listed in the path. One way to think of
> BGPsec is as an ECDSA protected network of channels between a receiving
> EBGP node; and one (or many) routers in the BGP route's Origin AS.
> 
> I think BGPsec can be useful to protect "private peering" at large
> scale, and another use case is to increase confidence in routing
> information distributed via IXP Route/Blackhole Servers.
> 
> Right now, routing protocol researchers and network operators wishing to
> publish BGPsec Router Keys, also have to learn how to master "Delegated
> RPKI": a deployment model with a steep learning curve. I think there are
> benefits to the community if RIPE NCC appends an activity to the "RPKI
> Planning and Roadmap" to implement procedures to sign and publish BGPsec
> Router Keys via a PKCS#10 / PKCS#7 exchange, callable via both API and
> dashboard WebUI.
> 
> What do others think?
> 
> Kind regards,
> 
> Job
> 
> Relevant documentation:
> https://datatracker.ietf.org/doc/html/rfc8209
> https://datatracker.ietf.org/doc/html/rfc8635
> 

Hello,

I support the idea as it would enable network operators to explore the
benefits of BGPsec in a production environment. And the effort sounds
small.

Regards

