IETF Logo Mail Archive

Re: [sidr] Key learning procedures in BGPsec?

Eric Osterweil <eosterweil@verisign.com> Thu, 19 January 2012 20:08 UTC

Return-Path: <eosterweil@verisign.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F9D121F8554 for <sidr@ietfa.amsl.com>; Thu, 19 Jan 2012 12:08:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dN1ZTWwqIB6J for <sidr@ietfa.amsl.com>; Thu, 19 Jan 2012 12:08:01 -0800 (PST)
Received: from exprod6og116.obsmtp.com (exprod6og116.obsmtp.com [64.18.1.37]) by ietfa.amsl.com (Postfix) with ESMTP id 69C2221F854B for <sidr@ietf.org>; Thu, 19 Jan 2012 12:08:01 -0800 (PST)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob116.postini.com ([64.18.5.12]) with SMTP ID DSNKTxh4Hd9qwGQhukwGwboDHSek4g3T2JA+@postini.com; Thu, 19 Jan 2012 12:08:01 PST
Received: from dul1wnexcn01.vcorp.ad.vrsn.com (dul1wnexcn01.vcorp.ad.vrsn.com [10.170.12.138]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id q0JK7ueq003783; Thu, 19 Jan 2012 15:07:56 -0500
Received: from dul1eosterwe-m1.vcorp.ad.vrsn.com ([10.100.1.67]) by dul1wnexcn01.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 19 Jan 2012 15:07:55 -0500
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Eric Osterweil <eosterweil@verisign.com>
In-Reply-To: <p06240806cb3cd066c995@[128.89.89.66]>
Date: Thu, 19 Jan 2012 15:07:56 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <59DDDCF5-4FED-4B66-9739-59BAECD00027@verisign.com>
References: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com> <p06240806cb3cd066c995@[128.89.89.66]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1084)
X-OriginalArrivalTime: 19 Jan 2012 20:07:55.0955 (UTC) FILETIME=[08741830:01CCD6E6]
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2012 20:08:02 -0000

On Jan 18, 2012, at 2:41 PM, Stephen Kent wrote:

> At 6:36 PM -0500 1/17/12, Eric Osterweil wrote:
>> ...
>> 2 - How do we envision the process of an AS getting its own private key information installed on all of its routers?*  Without _these_, updates cannot be signed...
> 
> BGPSEC allows for a per-AS key pair or a per-router key pair.or anything
> in between. Thus, if an AS has routers in locations that the AS operator considers physically insecure, it can choose to have those routers be individually keyed, while having a shared key pair for other routers.
> 
> Yes, this design may require routers to have access to a fairly large number of PUBLIC keys for routers/ASes.

Where "fairly large" could approximate a number that is on the order of the number of all BGPsec routers in the global routing system, right (~millions)?  I would imaging that keeping a coherent cache of these keys at every ISP would be a major concern, no?  That's potentially a huge challenge when you include churn, revocation, etc, right?

Eric

v2.23.0 | Report a Bug | By Email