PKI for medium scale network operations
Christopher L. Morrow
christopher.morrow at mci.com
Sat Mar 26 22:55:39 UTC 2005
I, like Gadi, am certianly no PKI expert. I've seen folks get badly burned
by this fire though...
On Sat, 26 Mar 2005, Sean Donelan wrote:
>
> Most people figured out I was not looking for a "public" CA solution.
> There is very little reason why internal certificates need to be
> recognized world-wide, or by anything outside of the internal
> organization. Also I didn't say it, but I'm not looking to identify
> natural people.
>
Kerb could also do this for you, routers (IOS atleast) already support
Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this
meet the need for authentication type things?
> Instead of using community names for SNMP or shared secrets for VPN,
> an alternative for a network operator is some form of public/private
> keys.
>
You could, I'm fairly certain, hack in kerb auth to VPN clients and
possibly to SNMP, though I admit to not being an ASN.1 expert either :(
(kerb and snmp use this in their packing methods, rigth?)
> Several people pointed out certificates don't fix the compromised
> device problem. Public/private key pairs are only as secure as the
> private key. The length of the key doesn't matter if you can get
> a copy of the private key.
It's the compromised device problem that was the white-hot-flame-of-love
for the last PKI deployment I witnessed in action... Anwyay, Kerberos?
Might it also be considered for your situation?
-Chris
More information about the NANOG
mailing list