As announced at #RIPE86, the RIPE NCC #RPKI Publication Service is now in production and proving quite popular. 167 CAs are now active, publishing 2100 ROAs, resulting in 3671 VRPs. It’s easy to set this up, and will allow you to sub-delegate resources, do #ASPA, as well as #BGPsec. https://blog.nlnetlabs.nl/running-krill-under-ripe-ncc/
Perfectly timed for all the #RoutingSecurity discussions at #RIPE86, we’re proud to launch Krill 0.13. This release introduces production-grade #ASPA support in addition to #BGPsec. It also adds full #RPKI Trust Anchor support, enabling RIRs to run Krill as their root CA solution. https://github.com/NLnetLabs/krill/releases/tag/v0.13.0
Our #BGP #routing team will be available at #RIPE86 as well:
🛰️ Excited by our #OpenSource modular #BGP toolkit Rotonda? It's written in #rustlang too, making it insanely fast while providing #MemorySafety. Talk to @jasper, Luuk or Ximon about our imminent launch.
🦐 Meanwhile, we’ve been cooking up #ASPA support to complement #BGPsec in Krill, our #RPKI CA software. Tim can tell you all about it, along with our future plans.
Now, Ignas Bagdonas benchmarks #BGPsec performance. On his lab setup, it is awfully slow.
Interesting explanations about software optimisation. BGPsec uses SHA-2 (hard for memory, cool for the CPU) and ECDSA (the opposite): do them in parallel (but the BGPsec format of data does not make it easy).
The conclusion is pessimistic: #BGPsec is too expensive for the routers (layout of the data is not optimized, too many shuffles necessary).
Interesting discussion about protocol design: should protocols take into account the specifics of today's machines (some machines, actually)? Protocols live longer than machines...
Next, #BGPsec scalability: what if everyone (and his cat) started to use BGPsec? Are we all going to die? Can routers do SHA-2 (fast but touches memory) and P-256 (slow but does not touch memory) quickly enough?