nanog mailing list archives
RE: Routing Insecurity (Re: BGP in the Washington Post)
From: "Russ White" <russw () riw us>
Date: Thu, 11 Jun 2015 07:30:01 -0400
There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.
Two points --

First, if a single person with console access leaves the company, I must roll the key for all my BGP routes, with the attendant churn, etc. I can't imagine anyone deploying such a thing.

Second, a secret only remains secret if two people know it, and one of them is dead -- a basic rule of security is to prevent the spread of knowledge. If every person in the organization with console access knows the private key for every router in the network, it's no longer secret.

So you can have one key pair per AS, and risk your security. Or you can add more key pairs, either per router, per POP, per region, or at some other level of granularity, and advertise more information about your network as well as make the key pair database larger. Either you weaken your security in one way, or you weaken your security in another. Doesn't sound like much of a "tradeoff" to me.

What astounds me is the quietness on this list about this stuff...

:-)

Russ
