nanog mailing list archives
Re: Routing Insecurity (Re: BGP in the Washington Post)
From: Sandra Murphy <sandy () tislabs com>
Date: Wed, 10 Jun 2015 11:54:08 -0400
There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning. Key-per-router was brought up as providing the means to excise one misbehaving router that is in some risky sort of environment, which is a different management pain.

In terms of security, from outside the AS, you are basing your decisions on your trust in the AS in the key-per-AS case, and you are basing your decisions on your trust in the AS that certified the router in the key-per-router case.

The local operator's environment and policy rule in choosing the technique.

The draft draft-ietf-sidr-bgpsec-ops-05 says:

   A site/operator MAY use a single certificate/key in all their routers, one certificate/key per router, or any granularity in between.

--Sandy

On Jun 10, 2015, at 9:17 AM, "Russ White" <russw () riw us> wrote:
rtfm. bgpsec key aggregation is at the discretion of the operator. they could use one key to cover 42 ASs.

I've been reading the presentations and the mailing lists, both of which imply you should use one key per router for security reasons. I would tend to agree with that assessment, BTW.

Russ