On Mon, 11 Oct 2021 at 11:52, Tim Bruijnzeels <[email protected]> wrote:

> > On 11 Oct 2021, at 12:45, Matthew Walster <[email protected]> wrote:
> >
> > I genuinely don't understand the reason for obstruction here, what am I
> > missing?
>
> Perhaps this sentence could have made clear that I am not 'obstructing':
>

My apologies if I've also misread.


> "In that context, I am not against BGPSec as such, there are just things
> that I would like to see first."
>
> In any case, I know it's not my decision to make. Feedback was asked. I
> gave my 2cts


Indeed, and it's good to hear from those with a dissenting opinion also.

I, too, am wary about BGPsec -- mostly from a pragmatic operational
point-of-view rather than a technical one. The barrier to entry has to be
sufficiently low that it is almost a no-brainer to turn BGPsec on within a
router, even if the policies to filter are not implemented, having the
signing of your own prefix originations strengthens the trust and
reliability in RPKI OV.

I think there's a lot that needs to be analysed, tested, and potentially
altered before it becomes mainstream. As you quite rightly say, there are
things that need to be seen first -- and one of those things is the
availability of router signing keys in RPKI to do offline analysis. Signing
and not verifying would produce a great deal of useful data to guide
the future of both BGPsec and projects like ASPA.

Hence, the addition of router signing keys into the hosted RPKI offering
does seem like a win-win to me, regardless of how BGPsec turns out, having
the keys in the repo is definitely something that I feel would be
of benefit.

Matthew Walster
