Re: [sidr] Key learning procedures in BGPsec?
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Wed, 18 January 2012 13:48 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AE7021F87E0 for <sidr@ietfa.amsl.com>; Wed, 18 Jan 2012 05:48:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XP1VJggAXL-B for <sidr@ietfa.amsl.com>; Wed, 18 Jan 2012 05:48:58 -0800 (PST)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 4C50121F86DE for <sidr@ietf.org>; Wed, 18 Jan 2012 05:48:57 -0800 (PST)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.355.2; Wed, 18 Jan 2012 08:48:52 -0500
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Wed, 18 Jan 2012 08:46:45 -0500
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Eric Osterweil <eosterweil@verisign.com>, "sidr@ietf.org list" <sidr@ietf.org>
Date: Wed, 18 Jan 2012 08:42:38 -0500
Thread-Topic: [sidr] Key learning procedures in BGPsec?
Thread-Index: AczVcNRPW24BV+twTmSKB+xyWa/SBgAdjcZr
Message-ID: <D7A0423E5E193F40BE6E94126930C4930905C5E593@MBCLUSTER.xchange.nist.gov>
References: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com>
In-Reply-To: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2012 13:48:59 -0000
>For that matter, what do people think about the issue that a private key >could simply be covertly extracted from an AS' routers that are deployed >in far off lands? Wouldn't this kind of compromise be a terrifying security >threat to most ISPs? Eric, We (BGPSEC document authors) had considered this problem. It is mitigated by having 'Key per Router' as discussed in: http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-01#section-4.5 4.5. Key Per Router (Rouge Router Problem) 4.5.1. Decision Within each AS, each individual BGPSEC router can have a unique pair of private and public keys. 4.5.2. Discussion If a router is compromised, its key pair can be revoked independently, without disrupting the other routers in the AS. Each per-router key-pair will be represented in an end-entity certificate issued under the CA cert of the AS. The Subject Key Identifier (SKI) in the signature points to the router certificate (and thus the unique public key) of the router that affixed its signature, so that a validating router can reliably identify the public key to use for signature verification. Sriram P.S. In case you had not seen the cited document (draft-sriram-bgpsec-design-choices) before, it is a design rationale discussion document and is a companion to draft-lepinski-bgpsec-protocol-00.txt (our initial individual draft submission).
- [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Tim Bruijnzeels
- Re: [sidr] Key learning procedures in BGPsec? Sriram, Kotikalapudi
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Eric Osterweil
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Richard Barnes
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Ross.Anderson@cl.cam.ac.uk
- Re: [sidr] Key learning procedures in BGPsec? Richard Barnes
- [sidr] Key learning procedures in BGPsec? Ross Anderson
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson
- Re: [sidr] Key learning procedures in BGPsec? Stephen Kent
- Re: [sidr] Key learning procedures in BGPsec? Murphy, Sandra
- Re: [sidr] Key learning procedures in BGPsec? Brian Dickson