[78952] in North American Network Operators' Group


Re: PKI for medium scale network operations

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Sat Mar 26 17:56:03 2005

Date: Sat, 26 Mar 2005 22:55:39 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <Pine.GSO.4.58.0503260123390.22607@clifden.donelan.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu



I, like Gadi, am certainly no PKI expert. I've seen folks get badly burned
by this fire though...

On Sat, 26 Mar 2005, Sean Donelan wrote:

>
> Most people figured out I was not looking for a "public" CA solution.
> There is very little reason why internal certificates need to be
> recognized world-wide, or by anything outside of the internal
> organization.  Also I didn't say it, but I'm not looking to identify
> natural people.
>

Kerb could also do this for you, routers (IOS at least) already support
Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this
meet the need for authentication type things?

> Instead of using community names for SNMP or shared secrets for VPN,
> an alternative for a network operator is some form of public/private
> keys.
>

You could, I'm fairly certain, hack in kerb auth to VPN clients and
possibly to SNMP, though I admit to not being an ASN.1 expert either :(
(kerb and snmp use this in their packing methods, right?)

> Several people pointed out certificates don't fix the compromised
> device problem.  Public/private key pairs are only as secure as the
> private key.  The length of the key doesn't matter if you can get
> a copy of the private key.

It's the compromised device problem that was the white-hot-flame-of-love
for the last PKI deployment I witnessed in action... Anyway, Kerberos?
Might it also be considered for your situation?

-Chris
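The Kerberos-style exchange Chris floats above, as an added worked example that is not part of the thread and not any vendor's or project's code. Everything in it is constructed: the principal names ("noc-operator", "snmp/core-rtr-1"), the keys, the lifetimes, and the "encryption" (a toy HMAC-SHA256 keystream with a separate HMAC tag, standing in for Kerberos's real encryption types). The flow is collapsed to a single KDC exchange with no separate ticket-granting ticket, so that the three messages stay visible: the client asks the KDC for a ticket to a service, the KDC returns a ticket sealed under the service's key plus a session key sealed under the client's key, and the client presents the ticket with an authenticator to the service.

```python
"""Simplified Kerberos-style ticket exchange (added example, not from the NANOG thread).

All names, keys and lifetimes are constructed; seal()/unseal() are a toy stand-in
for a real authenticated cipher. Messages in the flow:
  1. client -> KDC    : request a ticket for service S
  2. KDC    -> client : ticket (sealed under S's key) + session key (sealed under client's key)
  3. client -> S      : ticket + authenticator (sealed under the session key)
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream: HMAC(key, nonce || counter) blocks, truncated to n bytes.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds one long-term key per principal and never hands those keys out."""

    def __init__(self, principals: dict, ticket_lifetime: float = 300.0):
        self.keys = dict(principals)
        self.lifetime = ticket_lifetime

    def request_ticket(self, client: str, service: str, now: float):
        session = os.urandom(32).hex()
        expires = now + self.lifetime
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": expires})
        reply = seal(self.keys[client], {"service": service, "session": session, "expires": expires})
        return ticket, reply


class Client:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def get_credentials(self, kdc: KDC, service: str, now: float):
        ticket, reply = kdc.request_ticket(self.name, service, now)
        session = bytes.fromhex(unseal(self.key, reply)["session"])  # only this client's key opens the reply
        authenticator = seal(session, {"client": self.name, "timestamp": now})
        return ticket, authenticator


class Service:
    """A device (say, a router's SNMP or login agent) that shares a key only with the KDC."""

    def __init__(self, name: str, key: bytes, clock_skew: float = 60.0):
        self.name, self.key, self.skew = name, key, clock_skew

    def authenticate(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)            # forged or altered tickets fail here
        if now > t["expires"]:
            raise ValueError("ticket expired")  # lifetime bounds how long a stolen ticket is usable
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["timestamp"]) > self.skew:
            raise ValueError("authenticator outside clock-skew window (replay?)")
        return t["client"]


def run_demo(now: float = 1_000_000.0) -> dict:
    """Constructed scenario: an operator authenticates to a router; two bad cases are rejected."""
    keys = {"noc-operator": os.urandom(32), "snmp/core-rtr-1": os.urandom(32)}
    kdc = KDC(keys)
    operator = Client("noc-operator", keys["noc-operator"])
    router = Service("snmp/core-rtr-1", keys["snmp/core-rtr-1"])

    ticket, auth = operator.get_credentials(kdc, router.name, now)
    results = {"accepted_as": router.authenticate(ticket, auth, now),
               "expired_rejected": False, "forged_rejected": False}
    try:  # the same ticket presented after its lifetime has passed
        router.authenticate(ticket, auth, now + 301)
    except ValueError:
        results["expired_rejected"] = True
    try:  # a ticket sealed under some key that is not the router's (no KDC involved)
        bogus = seal(os.urandom(32), {"client": "noc-operator", "session": "00" * 32, "expires": now + 300})
        router.authenticate(bogus, auth, now)
    except ValueError:
        results["forged_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

What this changes relative to per-device SNMP community strings or VPN shared secrets is the trust layout: each device shares a key only with the KDC, operators never hold device keys, and a ticket stops working after its lifetime. Consistent with the point made earlier in the thread, it does not fix the compromised-device problem: whoever holds a device's long-term key can unseal its tickets, and whoever holds a client's long-term key can obtain tickets as that client, however long the keys are.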
