[180889] in North American Network Operators' Group
Re: Routing Insecurity (Re: BGP in the Washington Post)
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Jun 11 15:19:18 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <c2174caa5548efc907200f054ecb4e70@mail.mandelberg.org>
Date: Thu, 11 Jun 2015 15:19:09 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: David Mandelberg <david@mandelberg.org>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Thu, Jun 11, 2015 at 3:10 PM, David Mandelberg <david@mandelberg.org> wrote:
> On 2015-06-11 07:30, Russ White wrote:
>>>
>>> There have been suggestions that a key-per-AS is easier to manage than a
>>> key-per-router, like in provisioning.
>>
>>
>> Two points --
>>
>> First, if a single person with console access leaves the company, I must
>> roll the key for all my BGP routes, with the attendant churn, etc. I can't
>> imagine anyone deploying such a thing.
>
>
> I assume the vast majority of these cases are when the person leaves with no
> indication of malicious intent. In those cases, it might be possible to
it's actually nearly impossible to tell this... so the 'best' option
is to do the changes required as quickly as is safe for your network.
yes, it sucks... you know what sucks more? when 2 people leave on adjacent days.
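To make the churn argument concrete, here is a small model of the two key-management designs under discussion (one key per AS copied onto every router, versus one key per router). This is an added illustration, not code from anyone in the thread and not an implementation of BGPsec: the "routes" are constructed stand-ins, the signed bytes are just prefix and router ID rather than BGPsec's Secure_Path/Signature_Block encoding, and Ed25519 is used as a convenient stand-in signature scheme. It simulates the scenario in the quoted message: someone with console access to one router leaves, so the private key resident on that box is treated as exposed, revoked and replaced, and the model counts how many previously announced routes stop verifying and must be re-signed and re-announced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Model selects where signing keys live (assumption for this example).
type Model int

const (
	PerAS     Model = iota // one key for the whole AS, present on every router
	PerRouter              // each router generates and holds its own key
)

// Route is a constructed stand-in for a signed announcement, not BGPsec's wire format.
type Route struct {
	Prefix    string
	RouterID  string
	SignerPub ed25519.PublicKey // identifies the signing key, like a key identifier
	Sig       []byte
}

// AS holds one autonomous system's signing keys under the chosen model.
type AS struct {
	model   Model
	asKey   ed25519.PrivateKey            // used only under PerAS
	rtrKeys map[string]ed25519.PrivateKey // used only under PerRouter
	revoked map[string]bool               // hex(public key) -> no longer trusted
}

func NewAS(model Model, routers []string) *AS {
	a := &AS{model: model, rtrKeys: map[string]ed25519.PrivateKey{}, revoked: map[string]bool{}}
	if model == PerAS {
		_, a.asKey, _ = ed25519.GenerateKey(rand.Reader)
		return a
	}
	for _, r := range routers {
		_, a.rtrKeys[r], _ = ed25519.GenerateKey(rand.Reader)
	}
	return a
}

// keyFor returns the private key resident on the named router.
func (a *AS) keyFor(router string) ed25519.PrivateKey {
	if a.model == PerAS {
		return a.asKey
	}
	return a.rtrKeys[router]
}

func signedBytes(prefix, router string) []byte { return []byte(prefix + "|" + router) }

// Sign announces a prefix from a router, signed with whatever key that router holds.
func (a *AS) Sign(prefix, router string) Route {
	k := a.keyFor(router)
	return Route{Prefix: prefix, RouterID: router,
		SignerPub: k.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(k, signedBytes(prefix, router))}
}

// Verify checks the signature and that the signing key has not been revoked.
func (a *AS) Verify(r Route) bool {
	if a.revoked[hex.EncodeToString(r.SignerPub)] {
		return false
	}
	return ed25519.Verify(r.SignerPub, signedBytes(r.Prefix, r.RouterID), r.Sig)
}

// OperatorLeft models someone with console access to `router` leaving: the key on
// that box is treated as exposed, its public key is revoked and a fresh key issued.
// Under PerAS the exposed key is the shared AS key, so every router's key changes.
func (a *AS) OperatorLeft(router string) {
	old := a.keyFor(router)
	a.revoked[hex.EncodeToString(old.Public().(ed25519.PublicKey))] = true
	_, fresh, _ := ed25519.GenerateKey(rand.Reader)
	if a.model == PerAS {
		a.asKey = fresh
	} else {
		a.rtrKeys[router] = fresh
	}
}

// Churn counts routes that no longer verify and must be re-signed and re-announced.
func (a *AS) Churn(routes []Route) int {
	n := 0
	for _, r := range routes {
		if !a.Verify(r) {
			n++
		}
	}
	return n
}

// Resign replaces every failing route with a freshly signed announcement.
func (a *AS) Resign(routes []Route) []Route {
	out := make([]Route, len(routes))
	for i, r := range routes {
		if a.Verify(r) {
			out[i] = r
		} else {
			out[i] = a.Sign(r.Prefix, r.RouterID)
		}
	}
	return out
}

// Scenario: 4 routers originate 3 constructed prefixes each (12 routes), then the
// operator of r1 leaves. Returns how many of the 12 routes must be re-signed.
func Scenario(model Model) int {
	routers := []string{"r1", "r2", "r3", "r4"}
	a := NewAS(model, routers)
	var routes []Route
	for i, r := range routers {
		for j := 0; j < 3; j++ {
			routes = append(routes, a.Sign(fmt.Sprintf("10.%d.%d.0/24", i, j), r))
		}
	}
	a.OperatorLeft("r1")
	return a.Churn(routes)
}

func main() {
	fmt.Println("per-AS key, one operator leaves:    ", Scenario(PerAS), "of 12 routes re-signed")
	fmt.Println("per-router key, one operator leaves:", Scenario(PerRouter), "of 12 routes re-signed")
}
```

With a per-AS key every route the AS has ever signed fails verification the moment that key is revoked, so all 12 have to be re-signed and re-announced; with per-router keys only the three routes originated by the affected router churn. The model deliberately does not decide when a departure warrants revocation, which is the judgement call the reply above is about.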