Re: [sidr] Key learning procedures in BGPsec?
Stephen Kent <kent@bbn.com> Tue, 24 January 2012 00:06 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AFD821F86AA for <sidr@ietfa.amsl.com>; Mon, 23 Jan 2012 16:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.145
X-Spam-Level:
X-Spam-Status: No, score=-106.145 tagged_above=-999 required=5 tests=[AWL=0.410, BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kiZkzjfWfjzK for <sidr@ietfa.amsl.com>; Mon, 23 Jan 2012 16:06:14 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8936B21F86AF for <sidr@ietf.org>; Mon, 23 Jan 2012 16:06:14 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:46528 helo=[172.20.8.192]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1RpTtt-000Fvc-SI; Mon, 23 Jan 2012 19:06:14 -0500
Mime-Version: 1.0
Message-Id: <p06240802cb43737b14d4@[10.243.32.68]>
In-Reply-To: <8A9451E4-35C1-456B-960C-7FD150C0CF4C@verisign.com>
References: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com> <p06240806cb3cd066c995@[128.89.89.66]> <59DDDCF5-4FED-4B66-9739-59BAECD00027@verisign.com> <p06240808cb3e3f6ac87a@[128.89.89.66]> <8A9451E4-35C1-456B-960C-7FD150C0CF4C@verisign.com>
Date: Mon, 23 Jan 2012 15:31:03 -0500
To: Eric Osterweil <eosterweil@verisign.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 00:06:15 -0000
At 10:39 PM -0500 1/19/12, Eric Osterweil wrote: >... > > >> Even if there are many fewer certs, inconsistent caches would pose >>a problem. Unless we're discussing an emergency rekey for a cert, >>the smart procedure is to post a new cert well before the old one >>expires, allowing RPs to retrieve the new one in plenty of time. > >Yeah, I agree with your comment about getting keys out ahead of >time. However, with a corpus of keys that could well order in the >millions, I would worry that the inherent churn and resource >requirements are going to be well more than we are (or at least I >was) expecting. speak for yourself :-). > > There is not yet an operational guidance doc for router cert >management, but >> I anticipate this sort of guidance will appear there. > >Will it include some discussion about scaling? I think this >key-per-router idea could turn out to be Pandora's box. While >having a key or two per AS or per prefix may allow us to use >elements of today's routing system to give us some idea about how >churn and dynamics _may_ look, I'm kind of worried now that we >haven't properly evaluated how enormous the resource dependencies >will be with per-router-keys. Are there any specific plans to write >this up anywhere? I anticipate that an operational considerations doc will be written. Steve
- [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Tim Bruijnzeels
- Re: [sidr] Key learning procedures in BGPsec? Sriram, Kotikalapudi
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Richard Barnes
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Ross.Anderson@cl.cam.ac.uk
- Re: [sidr] Key learning procedures in BGPsec? Richard Barnes
- [sidr] Key learning procedures in BGPsec? Ross Anderson
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson