PKI for medium scale network operations
Sean Donelan
sean at donelan.com
Sat Mar 26 07:19:49 UTC 2005
Most people figured out I was not looking for a "public" CA solution.
There is very little reason why internal certificates need to be
recognized world-wide, or by anything outside of the internal
organization. Also I didn't say it, but I'm not looking to identify
natural people.
Instead of using community names for SNMP or shared secrets for VPN,
an alternative for a network operator is some form of public/private
keys.
1. Cisco IOS CA server (http://www.cisco.com/)
2. Microsoft CA software (http://www.microsoft.com/)
3. roCA, based on TinyCA (http://www.intrusion-lab.net/roca/)
4. CATool (http://www.open.com.au/)
The Cisco IOS CA and Microsoft CA have the advantage of being
integrated with a lot of each vendor's products. Once set up,
both try to simplfy on-going maintenance as long as you use
their products. roCA and CATool are stand-alone.
Several people pointed out certificates don't fix the compromised
device problem. Public/private key pairs are only as secure as the
private key. The length of the key doesn't matter if you can get
a copy of the private key.
More information about the NANOG
mailing list