Re: Preventing BGP Route leak (Hijack) for Management Channel BGP session

Eric C Rosen <erosen@juniper.net> Thu, 16 August 2018 19:59 UTC

From: Eric C Rosen <erosen@juniper.net>
Subject: Re: Preventing BGP Route leak (Hijack) for Management Channel BGP session
To: Linda Dunbar <linda.dunbar@huawei.com>, "shares@ndzh.com" <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>, Jeff Tantsura <jefftant.ietf@gmail.com>, RTGWG <rtgwg@ietf.org>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0DAE87@sjceml521-mbx.china.huawei.com>
Message-ID: <d6d522ea-f555-9344-0dee-732bb9983ef9@juniper.net>
Date: Thu, 16 Aug 2018 15:59:16 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/Ok3Uz6Q8Nm27ScjqZbE02j9vyNY>
List-Id: Routing Area Working Group <rtgwg.ietf.org>

On 8/13/2018 3:26 PM, Linda Dunbar wrote:
>
> One of the comments to 
> https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/ 
> in the RTGwg session of IETF102 is that using a BGP session to pass 
> configuration keys for IPsec can be risky even if the path between RR 
> & node is secure (say via TLS) due to BGP route leak (Hijack).
>
> But the BGP session to carry IPsec configurations is via BGP 
> management session, which is completely isolated from the dataplane 
> BGP sessions.
>

I'm not sure I have the whole context, but the question seems to be 
whether it could ever be safe to use BGP to distribute secret keys.

Presumably:

- The keys would be carried in an attribute that can only be attached by 
UPDATEs of a specified AFI/SAFI, where the specified AFI/SAFI is only 
used to carry management/configuration information.

- UPDATEs of that AFI/SAFI would only be sent on BGP sessions that are 
adequately secured so as to provide privacy, integrity and authentication.

- The UPDATEs would carry the NO_ADVERTISE community (to make sure they 
are not propagated further).

- None of the BGP systems involved would allow any sort of "BGP 
monitoring" that might expose the unencrypted contents of the UPDATEs.

In this scenario, I don't think it matters whether the secure BGP 
session also carries other AFI/SAFIs.

The privacy properties of this scenario are pretty good, in theory, but 
I don't think they are really good enough for distributing secret keys.

- Once you're using BGP to distribute information, it is inevitable that 
someone will decide to remove the "NO_ADVERTISE" and allow the 
information to be propagated through intermediate nodes (RRs or ASBRs) 
to the actual target node.  After all, one of the main values of using 
BGP to distribute stuff is that you get a big distribution system.  Even 
if all the intermediate nodes are trusted and all the intermediate BGP 
sessions have adequate privacy/integrity/authentication, you still 
wouldn't want to expose the secret keys to those nodes.  You might trust 
those nodes to see all the routing information, and even to see most of 
the management information, but you probably don't want them to see all 
the secret keys.  And you probably don't want the secret keys stored in 
the clear on those intermediate nodes.

- I would worry about BGP monitoring procedures creating a backdoor 
through which the secret keys would be exposed.

- No matter how careful you are, when you use BGP you can be pretty sure 
that your UPDATEs will end up somewhere they're not supposed to go.  
It's just too easy to make mistakes.

So I don't think I'd try to do dynamic keying by attaching the actual 
keys to BGP UPDATEs.  At most I'd use BGP to distribute parameters that 
could then be used by something like IKEv2 to actually fetch the secret 
keys.
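The preconditions Rosen lists (keys only in a dedicated management AFI/SAFI, NO_ADVERTISE on every such UPDATE, no monitoring export of the contents) and the two failure modes he predicts (someone strips NO_ADVERTISE; a monitoring feed sees the attribute in the clear) can be made concrete as an egress guard a BGP speaker would run before re-advertising. The following is an added example in Python, not code from this thread, from the net2cloud drafts, or from any vendor's BGP implementation. The attribute wire format follows RFC 4271 (path attributes), RFC 1997 (communities) and RFC 4760 (MP_REACH_NLRI); everything else is assumed: attribute type codes 250 and 251, the AFI/SAFI pair (1, 200), the next hop, the NLRI bytes, the 16-byte key and the IKE parameter string are hypothetical or constructed for the demonstration. It also shows Rosen's alternative: an UPDATE that carries only non-secret IKEv2 parameters exposes nothing when it leaks.

```python
import struct

# Well-known communities (RFC 1997)
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02

# Path attribute type codes
ATTR_COMMUNITIES = 8       # RFC 1997
ATTR_MP_REACH_NLRI = 14    # RFC 4760
ATTR_KEY_MATERIAL = 250    # HYPOTHETICAL: attribute that would carry the secret key
ATTR_IKE_PARAMS = 251      # HYPOTHETICAL: non-secret IKEv2 parameters instead of keys

# HYPOTHETICAL AFI/SAFI reserved for management/configuration UPDATEs
MGMT_AFI_SAFI = (1, 200)

# Attribute flag bits (RFC 4271 section 4.3)
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_EXT_LEN = 0x10


def encode_attr(flags, type_code, value):
    """Encode one path attribute, using the 2-byte length form when needed."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | FLAG_EXT_LEN, type_code, len(value)) + value
    return struct.pack("!BBB", flags, type_code, len(value)) + value


def decode_attrs(blob):
    """Parse a path-attribute block into {type_code: (flags, value)}."""
    attrs, i = {}, 0
    while i < len(blob):
        flags, type_code = blob[i], blob[i + 1]
        if flags & FLAG_EXT_LEN:
            (length,) = struct.unpack_from("!H", blob, i + 2)
            i += 4
        else:
            length, i = blob[i + 2], i + 3
        attrs[type_code] = (flags, blob[i:i + length])
        i += length
    return attrs


def build_update_attrs(afi_safi, comms, nlri, key=None, ike_params=None):
    """Constructed attribute block: MP_REACH_NLRI + COMMUNITIES (+ key or IKE params)."""
    afi, safi = afi_safi
    next_hop = bytes([192, 0, 2, 1])          # RFC 5737 documentation address
    mp = struct.pack("!HBB", afi, safi, len(next_hop)) + next_hop + b"\x00" + nlri
    out = encode_attr(FLAG_OPTIONAL, ATTR_MP_REACH_NLRI, mp)
    out += encode_attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, ATTR_COMMUNITIES,
                       b"".join(struct.pack("!I", c) for c in comms))
    if key is not None:
        # Optional NON-transitive: a speaker that does not recognise the attribute
        # must drop it instead of passing it on with the Partial bit set
        # (RFC 4271 section 5), which closes one of the leak paths.
        out += encode_attr(FLAG_OPTIONAL, ATTR_KEY_MATERIAL, key)
    if ike_params is not None:
        out += encode_attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, ATTR_IKE_PARAMS, ike_params)
    return out


def communities(attrs):
    """Set of 32-bit community values carried in the COMMUNITIES attribute."""
    _, value = attrs.get(ATTR_COMMUNITIES, (0, b""))
    return {struct.unpack_from("!I", value, off)[0] for off in range(0, len(value), 4)}


def mp_reach_afi_safi(attrs):
    """(AFI, SAFI) from MP_REACH_NLRI, or None if the UPDATE has none."""
    if ATTR_MP_REACH_NLRI not in attrs:
        return None
    afi, safi = struct.unpack_from("!HB", attrs[ATTR_MP_REACH_NLRI][1], 0)
    return (afi, safi)


def may_forward(attrs_blob, peer_is_management_session):
    """Egress guard run before re-advertising an UPDATE to a peer.

    The checks are layered on purpose: if an operator strips NO_ADVERTISE
    (the mistake Rosen predicts), the key attribute itself still blocks
    propagation, and management AFI/SAFI never crosses onto a dataplane session."""
    attrs = decode_attrs(attrs_blob)
    if NO_ADVERTISE in communities(attrs):
        return (False, "NO_ADVERTISE present")
    if ATTR_KEY_MATERIAL in attrs:
        return (False, "key material is never re-advertised")
    if mp_reach_afi_safi(attrs) == MGMT_AFI_SAFI and not peer_is_management_session:
        return (False, "management AFI/SAFI confined to management sessions")
    return (True, "ok")


def exposed_secret(attrs_blob):
    """What a BMP (RFC 7854) or similar monitoring export of this UPDATE reveals.

    IKE parameters (peer identity, certificate fingerprint) are not secrets, so
    an UPDATE that carries only those exposes nothing even when it leaks."""
    attrs = decode_attrs(attrs_blob)
    return attrs[ATTR_KEY_MATERIAL][1] if ATTR_KEY_MATERIAL in attrs else None
```

The guard is deliberately redundant: the community, the attribute type and the AFI/SAFI are each checked independently so that a single policy mistake does not turn into a key leak. Note what the guard cannot fix, which is Rosen's real objection: a route reflector or ASBR on the path still holds the UPDATE, and therefore the key, in its RIB and in any monitoring stream, which is why the `ike_params` variant (a reference that IKEv2 then uses to fetch or negotiate the real key) is the safer thing to put into BGP.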