Re: [karp] rt-dir review of draft-ietf-karp-crypto-table

Stephen Kent <> Wed, 22 May 2013 15:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A21A221F93B7 for <>; Wed, 22 May 2013 08:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 83+yGMGatAGo for <>; Wed, 22 May 2013 08:39:30 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CB0A621F93FC for <>; Wed, 22 May 2013 08:39:27 -0700 (PDT)
Received: from ([]:36501 helo=COMSEC.local) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1UfB8P-000Chq-U7; Wed, 22 May 2013 11:39:26 -0400
Message-ID: <>
Date: Wed, 22 May 2013 11:39:26 -0400
From: Stephen Kent <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Randy Bush <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [karp] rt-dir review of draft-ietf-karp-crypto-table
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 May 2013 15:39:36 -0000


You're right that each BGPSEC router has a private key. However, the key 
table is
designed to manage key rollover for keys that are shared on a pairwise 
The private router key does not have that property, so it seems a bad fit.
I should have been more precise in my reply.


>> More importantly, the RPKI and BGPSEC are not relevant to the key
>> table design. The former requires no crypto operations on a
>> router. The latter deals with keys for routers, but management of
>> these keys is very different, precisely because they are public keys.
> that last clause is false.  in bgpsec, the router has at least one
> private key so that it can sign announcements.
> i am scratching my head on whether a karp table entry could be helpful
> in the use of bgpsec keys, and have not found a clear need.  but this
> could be my fault.
> randy