Routing Insecurity (Re: BGP in the Washington Post)

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.

Key-per-router was brought up as providing the means to excise one misbehaving router that is in some risky sort of environment, which is a different management pain.

In terms of security, from outside the AS, you are basing your decisions on your trust in the AS in the key-per-AS case, and you are basing your decisions on your trust in the AS that certified the router in the key-per-router case.

The local operator's environment and policy rule in choosing the technique.

The draft draft-ietf-sidr-bgpsec-ops-05 says:

   A site/operator MAY use a single certificate/key in all their
   routers, one certificate/key per router, or any granularity in
   between.

--Sandy

On Jun 10, 2015, at 9:17 AM, "Russ White" <russw at riw.us> wrote:

> 
>> rtfm.  bgpsec key aggregation is at the descretion of the operator.
>> they could use one key to cover 42 ASs.
> 
> I've been reading the presentations and the mailing lists, both of which
> imply you should use one key per router for security reasons. I would tend
> to agree with that assessment, BTW. 
> 
> Russ 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150610/d40997ad/attachment.sig>

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]