Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))
Rob Austein <sra@hactrn.net> Fri, 11 May 2012 02:54 UTC
Date: Thu, 10 May 2012 22:54:31 -0400
From: Rob Austein <sra@hactrn.net>
To: sidr wg list <sidr@ietf.org>
In-Reply-To: <m262cbl2so.wl%randy@psg.com>
References: <4FA48240.9060405@ops-netman.net> <CE0C4A314044C843AEE900875D90D54E10847F@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <CAL9jLaZMkT-F5x5LAsjDhXsNnbG9akLhEotwT-eC=-6yX0J0kw@mail.gmail.com> <7309FCBCAE981B43ABBE69B31C8D213921BE2860C3@EUSAACMS0701.eamcs.ericsson.se> <m262cbl2so.wl%randy@psg.com>
Message-Id: <20120511025431.D05A6170C1@thrintun.hactrn.net>
List-Id: Secure Interdomain Routing <sidr.ietf.org>
At Fri, 04 May 2012 17:33:43 -1000, Randy Bush wrote:
>
> > Might it be possible to create the key pair on the router?
> > Then you don't have to move the private key to the router,
> > You move the public key off the router. Much easier.
>
> draft-ymbk-bgpsec-rtr-rekeying-00.txt, section 3. Router-Generated Keys

Which notes that a (the?) main reason for even considering anything
other than router-generated keys is that router-generated keys are
somewhat problematic in hot swap scenarios.

After thinking about this a bit, I'm not sure I really believe in the
hot swap issue as described. Do we really care which router key is
used to sign, so long as the router key in question is certified
properly so that relying parties can verify the binding between key
and signing AS?

So I suspect one could make the router-generated model work well. One
just has to plan for it (certify router keys from both the live and
hot spare routers) or accept that there will be some cut-over time if
one fails to plan (or if one's plans fail...).
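The argument above (which certified key signs does not matter, so certifying both the live and the hot-spare router's keys in advance removes the hot-swap gap), as an added example that is not part of this message or of the draft: a toy model in Go using the standard library's ECDSA P-256, the curve BGPsec signs with. Two routers each generate their own key pair on-box, the operator certifies both public keys for AS 64496 (a documentation ASN, chosen here), and a relying party accepts an update from either certified key while rejecting one from an uncertified router. The router certificate, its SKI and RPKI chain validation are reduced to a map from certified key to AS; those simplifications are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// GenerateRouterKey makes a P-256 key pair on the router; only the public half leaves the box.
func GenerateRouterKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// keyID is the DER-encoded public key, used here in place of the certificate's SKI.
func keyID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return string(der)
}

// digest covers the signing AS and the update payload (a simplified BGPsec signing input).
func digest(as uint32, payload []byte) []byte {
	d := sha256.Sum256(append([]byte{byte(as >> 24), byte(as >> 16), byte(as >> 8), byte(as)}, payload...))
	return d[:]
}

// Sign runs on the router; the private key never leaves it.
func Sign(priv *ecdsa.PrivateKey, as uint32, payload []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(as, payload))
}

// RelyingParty stands in for the validated set of router certificates: each certified
// key is bound to the one AS it may sign for (chain validation back to the RPKI is elided).
type RelyingParty struct{ CertifiedAS map[string]uint32 }
func NewRelyingParty() *RelyingParty { return &RelyingParty{CertifiedAS: map[string]uint32{}} }

// Certify records the operator's binding of an exported router public key to its AS.
func (rp *RelyingParty) Certify(as uint32, pub *ecdsa.PublicKey) { rp.CertifiedAS[keyID(pub)] = as }

// Verify accepts an update only if the presented key is certified for the claimed AS;
// which of that AS's certified keys produced the signature does not matter.
func (rp *RelyingParty) Verify(as uint32, payload, sig []byte, pub *ecdsa.PublicKey) bool {
	if certAS, ok := rp.CertifiedAS[keyID(pub)]; !ok || certAS != as {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(as, payload), sig)
}

func main() {} // no stand-alone output; drive the scenario by calling the functions above
```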