[180779] in North American Network Operators' Group


Re: Routing Insecurity (Re: BGP in the Washington Post)

daemon@ATHENA.MIT.EDU (Sandra Murphy)
Wed Jun 10 11:54:11 2015

X-Original-To: nanog@nanog.org
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <061c01d0a37f$d24844b0$76d8ce10$@riw.us>
Date: Wed, 10 Jun 2015 11:54:08 -0400
To: "Russ White" <russw@riw.us>
Cc: 'North American Network Operators' Group' <nanog@nanog.org>,
 Sandra Murphy <sandy@tislabs.com>
Errors-To: nanog-bounces@nanog.org



There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.

Key-per-router was brought up as providing the means to excise one misbehaving router that is in some risky sort of environment, which is a different management pain.

In terms of security, from outside the AS, you are basing your decisions on your trust in the AS in the key-per-AS case, and you are basing your decisions on your trust in the AS that certified the router in the key-per-router case.

The local operator's environment and policy rule in choosing the technique.

The draft draft-ietf-sidr-bgpsec-ops-05 says:

   A site/operator MAY use a single certificate/key in all their
   routers, one certificate/key per router, or any granularity in
   between.

--Sandy

On Jun 10, 2015, at 9:17 AM, "Russ White" <russw@riw.us> wrote:

> 
>> rtfm.  bgpsec key aggregation is at the discretion of the operator.
>> they could use one key to cover 42 ASs.
> 
> I've been reading the presentations and the mailing lists, both of which
> imply you should use one key per router for security reasons. I would tend
> to agree with that assessment, BTW.
> 
> Russ
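
Added example, not from this post or from the BGPsec drafts: a small Go simulation of the validator's trust decision that the message describes, and of the management consequence of key granularity. The validator only ever checks that the key used to sign a path segment was certified for the AS asserted in that segment; it has no separate trust in a router. The `Deploy`, `Sign`, `Validate` and `Revoke` functions, the AS number 64500, the router names and the prefix are all hypothetical, and the registry stands in for the router certificates an RPKI relying party would fetch (real BGPsec router certificates are X.509 per RFC 8209 and the signature covers the full Secure_Path and NLRI, not just one AS and prefix). ECDSA P-256 with SHA-256 is the algorithm BGPsec specifies, so it is used here too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// RouterKey is a router's signing key plus the SKI that a validator uses
// to look up the matching certificate (hypothetical types throughout).
type RouterKey struct {
	Priv *ecdsa.PrivateKey
	SKI  string
}

// RouterCert stands in for a BGPsec router certificate: a public key bound
// to the AS that certified it. Routers lists which routers hold the key
// (one router for key-per-router, all of them for key-per-AS).
type RouterCert struct {
	AS      uint32
	Routers []string
	Pub     *ecdsa.PublicKey
	Revoked bool
}

// Registry is the validator's view of the certificates an AS has published.
type Registry map[string]*RouterCert

// SignedSegment is a reduced Secure_Path segment: the AS asserting it, the
// prefix, the SKI of the signing key, and the signature.
type SignedSegment struct {
	AS     uint32
	Prefix string
	SKI    string
	Sig    []byte
}

func ski(pub *ecdsa.PublicKey) string {
	h := sha256.New()
	h.Write(pub.X.Bytes())
	h.Write(pub.Y.Bytes())
	return fmt.Sprintf("%x", h.Sum(nil)[:20])
}

// digest is what the router signs: the AS number bound to the prefix, so a
// signature for one AS cannot be replayed as a signature for another.
func digest(as uint32, prefix string) []byte {
	var asBytes [4]byte
	binary.BigEndian.PutUint32(asBytes[:], as)
	h := sha256.New()
	h.Write(asBytes[:])
	h.Write([]byte(prefix))
	return h.Sum(nil)
}

// Deploy models the AS provisioning its routers: perRouter=true gives every
// router its own key and certificate, perRouter=false publishes a single
// certificate whose key is installed on every router.
func Deploy(as uint32, routers []string, perRouter bool) (Registry, map[string]RouterKey, error) {
	reg := Registry{}
	keys := map[string]RouterKey{}
	var shared *RouterKey
	for _, r := range routers {
		if shared != nil && !perRouter {
			keys[r] = *shared
			reg[shared.SKI].Routers = append(reg[shared.SKI].Routers, r)
			continue
		}
		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		k := RouterKey{Priv: priv, SKI: ski(&priv.PublicKey)}
		keys[r] = k
		reg[k.SKI] = &RouterCert{AS: as, Routers: []string{r}, Pub: &priv.PublicKey}
		if !perRouter {
			shared = &k
		}
	}
	return reg, keys, nil
}

// Sign produces the segment a router would attach when announcing prefix as AS as.
func Sign(k RouterKey, as uint32, prefix string) (SignedSegment, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, k.Priv, digest(as, prefix))
	if err != nil {
		return SignedSegment{}, err
	}
	return SignedSegment{AS: as, Prefix: prefix, SKI: k.SKI, Sig: sig}, nil
}

// Validate is the outside-the-AS decision: the key must be one the asserted
// AS certified, not revoked, and the signature must verify. Nothing here
// trusts a router; it trusts the AS that issued the certificate.
func Validate(reg Registry, seg SignedSegment) error {
	cert, ok := reg[seg.SKI]
	switch {
	case !ok:
		return fmt.Errorf("no certificate for SKI %s", seg.SKI)
	case cert.Revoked:
		return fmt.Errorf("certificate %s is revoked", seg.SKI)
	case cert.AS != seg.AS:
		return fmt.Errorf("key certified for AS%d used to sign for AS%d", cert.AS, seg.AS)
	case !ecdsa.VerifyASN1(cert.Pub, digest(seg.AS, seg.Prefix), seg.Sig):
		return errors.New("signature does not verify")
	}
	return nil
}

// Revoke excises one certificate and reports every router that loses the
// ability to sign as a result: one router under key-per-router, all of them
// under key-per-AS.
func Revoke(reg Registry, s string) []string {
	c, ok := reg[s]
	if !ok {
		return nil
	}
	c.Revoked = true
	return c.Routers
}

func main() {
	for _, perRouter := range []bool{true, false} {
		reg, keys, err := Deploy(64500, []string{"r1", "r2", "r3"}, perRouter)
		if err != nil {
			panic(err)
		}
		fmt.Printf("per-router=%v: revoking r2's key cuts off %v\n",
			perRouter, Revoke(reg, keys["r2"].SKI))
	}
}
```

The AS-mismatch branch is the whole of the "security" difference Sandy describes: the validator's decision rests on the AS that certified the key in both schemes, so key granularity changes the blast radius of revocation and the provisioning load, not what an outside party is trusting.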


