[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Routing Insecurity (Re: BGP in the Washington Post)

Subject: Routing Insecurity (Re: BGP in the Washington Post)
From: david at mandelberg.org (David Mandelberg)
Date: Thu, 11 Jun 2015 15:10:22 -0400
In-reply-to: <[email protected]>
References: "\"<17689457.2434.1433171075960.JavaMail.mhammett@ThunderFuck> <[email protected]> <CAD6AjGQWs-aKD8axgiRyaYXPB564MswKZsuaOUhjUn--KJXuUg@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <CAGvYMCrvPEBXv+P0no3DZ+uKBuvObemz=b0EfaR7=M9xxva82w@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]>" <[email protected]>" <[email protected]> <m2381zpxvf.wl%[email protected]> <[email protected]> <[email protected]> <[email protected]>

On 2015-06-11 07:30, Russ White wrote:
>> There have been suggestions that a key-per-AS is easier to manage 
>> than a
>> key-per-router, like in provisioning.
>
> Two points --
>
> First, if a single person with console access leaves the company, I 
> must
> roll the key for all my BGP routes, with the attendant churn, etc. I 
> can't
> imagine anyone deploying such a thing.

I assume the vast majority of these cases are when the person leaves 
with no indication of malicious intent. In those cases, it might be 
possible to perform the key rollover with a relatively long grace period 
in which both keys are valid. Wouldn't that help reduce churn?

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

Follow-Ups:
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: morrowc.lists at gmail.com (Christopher Morrow)

References:
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: nanog at ics-il.net (Mike Hammett)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: mark.tinka at seacom.mu (Mark Tinka)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: cb.list6 at gmail.com (Ca By)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: marka at isc.org (Mark Andrews)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: dwcarder at wisc.edu (Dale W. Carder)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: ethan at cs.washington.edu (Ethan Katz-Bassett)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: david at mandelberg.org (David Mandelberg)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: david at mandelberg.org (David Mandelberg)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: randy at psg.com (Randy Bush)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: sandy at tislabs.com (Sandra Murphy)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)

Prev by Date: Greenfield 464XLAT (In January)
Next by Date: Routing Insecurity (Re: BGP in the Washington Post)
Previous by thread: Routing Insecurity (Re: BGP in the Washington Post)
Next by thread: Routing Insecurity (Re: BGP in the Washington Post)
Index(es):
- Date
- Thread