Routing Insecurity (Re: BGP in the Washington Post)

David Mandelberg david at mandelberg.org
Thu Jun 11 19:10:22 UTC 2015


On 2015-06-11 07:30, Russ White wrote:
>> There have been suggestions that a key-per-AS is easier to manage than a
>> key-per-router, like in provisioning.
>
> Two points --
>
> First, if a single person with console access leaves the company, I must
> roll the key for all my BGP routes, with the attendant churn, etc. I can't
> imagine anyone deploying such a thing.

I assume the vast majority of these cases are when the person leaves 
with no indication of malicious intent. In those cases, it might be 
possible to perform the key rollover with a relatively long grace period 
in which both keys are valid. Wouldn't that help reduce churn?

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/


