[Sidrops] Example BGPSec Router certificate, and GBR for testing?

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 02 October 2020 09:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/94PLbc_WrZYH60tCzEGBnCktKCk>

Hi all,

Does anyone have a real-world BGPSec router certificate and Ghostbuster object they could share for testing validation software?

The router certificates use the same extension as delegated CA certificates: ".cer". But, they are of course slightly different. Relying parties should therefore be aware that when they loop over the entries in a manifest, any file with the ".cer" extension might be either.

I am not aware of any BGPSec certificates in the wild, but they can appear at any moment. Especially given the direction of the manifest-bis document, it's therefore important that RPs can deal with these certificates properly.

The same applies to Ghostbuster records. If there is an example that could be shared, then this could help us and other RP implementers to deal with these objects securely as well.
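
As an added example (not code from this message or from any RP implementation), one way a relying party could tell the two kinds of ".cer" manifest entry apart is by their extensions, following the CA profile in RFC 6487 and the BGPsec router certificate profile in RFC 8209. The function names and the constructed skeleton samples are hypothetical, and the code only classifies: it does no signature or path validation.

```python
# Added example, not code from the thread. Names are illustrative; OIDs as DER bytes.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")            # 2.5.29.19
EXT_KEY_USAGE = bytes.fromhex("551d25")                # 2.5.29.37
KP_BGPSEC_ROUTER = bytes.fromhex("2b0601050507031e")   # 1.3.6.1.5.5.7.3.30
IP_RESOURCES = bytes.fromhex("2b06010505070107")       # 1.3.6.1.5.5.7.1.7
AS_RESOURCES = bytes.fromhex("2b06010505070108")       # 1.3.6.1.5.5.7.1.8

def children(buf):   # split DER bytes into (tag, value) pairs; raises if truncated
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def classify_cer(der):   # returns 'ca', 'router' or 'reject' for one ".cer" entry
    try:
        tbs = children(children(der)[0][1])[0][1]
        block = next(v for t, v in children(tbs) if t == 0xA3)   # [3] extensions
        exts = {}
        for _, ext in children(children(block)[0][1]):
            fields = children(ext)
            exts[fields[0][1]] = fields[-1][1]             # extnID -> extnValue
        bc, eku = exts.get(BASIC_CONSTRAINTS), exts.get(EXT_KEY_USAGE)
        is_ca = bc is not None and any(                    # cA BOOLEAN set to TRUE
            t == 0x01 and v != b"\x00" for t, v in children(children(bc)[0][1]))
        is_router = eku is not None and any(
            v == KP_BGPSEC_ROUTER for _, v in children(children(eku)[0][1]))
    except (ValueError, IndexError, StopIteration):        # malformed: fail closed
        return "reject"
    if is_ca and eku is None:                              # RFC 6487 CA profile
        return "ca"
    if is_router and bc is None and AS_RESOURCES in exts and IP_RESOURCES not in exts:
        return "router"                                    # RFC 8209 router profile
    return "reject"                                        # neither profile, or both

def _der(tag, *parts):   # short-form DER encoder, only for the constructed samples
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(*exts):       # constructed skeleton: extensions only, not a real certificate
    seqs = [_der(0x30, _der(0x06, oid), _der(0x04, val)) for oid, val in exts]
    return _der(0x30, _der(0x30, _der(0xA3, _der(0x30, *seqs))))

CA_CERT = sample((BASIC_CONSTRAINTS, _der(0x30, _der(0x01, b"\xff"))))
ROUTER_CERT = sample((EXT_KEY_USAGE, _der(0x30, _der(0x06, KP_BGPSEC_ROUTER))),
                     (AS_RESOURCES, _der(0x30)))
```
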