[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BGP over TLS

Subject: BGP over TLS
From: gtaylor at tnetconsulting.net (Grant Taylor)
Date: Mon, 21 Oct 2019 20:04:46 -0600
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]>

On 10/21/19 11:04 AM, Jared Mauch wrote:
> Iâ??ve seen enough people have issues with managing a password that 
> certificates would be even harder when thereâ??s a router swap.

I think that's an unfortunate state of affair.  I don't know how to get 
around the PEBKAC problem.

> The issue isnâ??t that most people want privacy, itâ??s they want 
> transport integrity which in general the TLS community seems to think 
> everyone NEEDS both.

The biggest argument that I've seen is that you can't truly have privacy 
without integrity.  Lest you be speaking over an encrypted channel with 
an unauthenticated MitM.

My understanding is that authentication is the most important issue and 
that privacy is a nice add-on.

With that in mind, I wonder if we couldn't have each router be it's own 
CA and issue /client/ certificates for and to each neighbor to use to 
authenticate back to the local router.  This has the added advantage 
that you wouldn't need to worry about different routers trusting the 
same CA or bother with PKI.  Everything would be local router centric. 
The neighbor would effectively be using a super fancy key that a 
neighbor provided for use when talking to said neighbor.

I think that using /client/ certificates would also allow for 
certificate rotation in that the router can issue a new /client/ 
certificate while still trusting the existing /client/ certificate. 
Then once the client updates to using the new /client/ certificate, the 
router can revoke the old /client/ certificate using standard CRL methods.

All of this would be centric to the local router.

I suspect that it would likely be okay to have longer lived certificates 
in such a configuration.

-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191021/a2ae379d/attachment.bin>

References:
- BGP over TLS
  - From: kmedcalf at dessus.com (Keith Medcalf)
- BGP over TLS
  - From: jabley at hopcount.ca (Joe Abley)
- BGP over TLS
  - From: jared at puck.nether.net (Jared Mauch)

Prev by Date: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
Next by Date: BGP over TLS
Previous by thread: BGP over TLS
Next by thread: BGP over TLS
Index(es):
- Date
- Thread