Re: [sidr] Key learning procedures in BGPsec?

Stephen Kent <kent@bbn.com> Thu, 19 January 2012 22:18 UTC

At 3:07 PM -0500 1/19/12, Eric Osterweil wrote:
>...
>
>Where "fairly large" could approximate a number that is on the order 
>of the number of all BGPsec routers in the global routing system, 
>right (~millions)?  I would imagine that keeping a coherent cache of 
>these keys at every ISP would be a major concern, no?  That's 
>potentially a huge challenge when you include churn, revocation, 
>etc, right?

It's not clear how many different router certs we will see, but I 
agree that it may be substantial. It will likely be a mix of per-AS 
and per-router certs, spread over all of the participating ASes.

Even if there are many fewer certs, inconsistent caches would pose a 
problem. Unless we're discussing an emergency rekey for a cert, the 
smart procedure is to post a new cert well before the old one 
expires, allowing RPs to retrieve the new one in plenty of time.

There is not yet an operational guidance doc for router cert management, but
I anticipate this sort of guidance will appear there.

Steve
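
The pre-publication rollover described in the message above, as an added example that is not part of the original message or of any BGPsec/RPKI software: a check over a router-cert cache that flags routers whose unbroken validity coverage ends within a lead time because no overlapping successor cert has been posted. The record fields, the 30-day lead time and the sample cache are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed shape of a cached router cert entry (hypothetical, not an RPKI library type).
RouterCert = namedtuple("RouterCert", "asn router_id not_before not_after")

def covered_until(certs, now):
    """Latest instant up to which posted certs give unbroken validity from now."""
    end = None
    for c in sorted(certs, key=lambda c: c.not_before):
        if c.not_before > (end or now):
            break                      # next cert starts after coverage ends: gap
        if c.not_after >= now:
            end = max(end or now, c.not_after)
    return end

def rollover_gaps(cache, now, lead=timedelta(days=30)):
    """Return (asn, router_id, days_left) where coverage ends inside the lead time.
    days_left is None when no cert is valid at all."""
    by_router = defaultdict(list)
    for c in cache:
        by_router[(c.asn, c.router_id)].append(c)
    findings = []
    for key in sorted(by_router):
        end = covered_until(by_router[key], now)
        if end is None:
            findings.append((*key, None))
        elif end - now < lead:
            findings.append((*key, (end - now).days))
    return findings

def d(s):
    return datetime.strptime(s, "%Y-%m-%d")

# Constructed sample cache; ASNs are from the documentation range.
NOW = d("2012-01-19")
CACHE = [
    RouterCert(64496, "r1", d("2011-02-01"), d("2012-02-01")),
    RouterCert(64496, "r1", d("2012-01-15"), d("2013-01-15")),  # successor posted early
    RouterCert(64496, "r2", d("2011-02-10"), d("2012-02-10")),  # no successor
    RouterCert(64500, "r9", d("2010-12-01"), d("2011-12-01")),  # already expired
    RouterCert(64511, "per-AS", d("2011-02-05"), d("2012-02-05")),
    RouterCert(64511, "per-AS", d("2012-02-06"), d("2013-02-06")),  # starts after a gap
]

if __name__ == "__main__":
    for finding in rollover_gaps(CACHE, NOW):
        print(finding)
```

A successor that becomes valid only after the old cert expires is reported the same way as a missing one, since either leaves a window in which no cert for that router validates.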