IETF Logo Mail Archive

Re: [sidr] Key learning procedures in BGPsec?

"Murphy, Sandra" <Sandra.Murphy@sparta.com> Thu, 19 January 2012 22:25 UTC

Return-Path: <Sandra.Murphy@sparta.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBC021F8613 for <sidr@ietfa.amsl.com>; Thu, 19 Jan 2012 14:25:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.137
X-Spam-Level:
X-Spam-Status: No, score=-102.137 tagged_above=-999 required=5 tests=[AWL=-0.138, BAYES_00=-2.599, J_CHICKENPOX_42=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzzUKhGz3rwY for <sidr@ietfa.amsl.com>; Thu, 19 Jan 2012 14:25:34 -0800 (PST)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id A7FD821F85D4 for <sidr@ietf.org>; Thu, 19 Jan 2012 14:25:33 -0800 (PST)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id q0JMPQYn024779; Thu, 19 Jan 2012 16:25:26 -0600
Received: from Hermes.columbia.ads.sparta.com ([157.185.80.107]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id q0JMPOKH029704; Thu, 19 Jan 2012 16:25:25 -0600
Received: from HERMES.columbia.ads.sparta.com ([2002:9db9:506b::9db9:506b]) by Hermes.columbia.ads.sparta.com ([::1]) with mapi id 14.01.0355.002; Thu, 19 Jan 2012 17:25:24 -0500
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: Eric Osterweil <eosterweil@verisign.com>, Stephen Kent <kent@bbn.com>
Thread-Topic: [sidr] Key learning procedures in BGPsec?
Thread-Index: AQHM1XDuuc3Eip6I+kepCBOaAHZARZYS22MAgAGZnQD//7uV+Q==
Date: Thu, 19 Jan 2012 22:25:22 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F60750C4@Hermes.columbia.ads.sparta.com>
References: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com> <p06240806cb3cd066c995@[128.89.89.66]>, <59DDDCF5-4FED-4B66-9739-59BAECD00027@verisign.com>
In-Reply-To: <59DDDCF5-4FED-4B66-9739-59BAECD00027@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.185.63.118]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2012 22:25:35 -0000

About your "all BGPSEC routers in the global routing system" - keep in mind that the ebgp routers are the ones that need a private key, not all the routers in an AS.

While we have a lot of info on churn in routing updates, I am not certain how to predict how much church there will be in the keys assigned to routers.

To those who operate networks:
can you mention an order of magnitude of the number of e-bgp routers you have?
can you mention how often you re-key your routers, for whatever secure communication you ordinarily  use with the routers?  (I presume without proof that operators typically secure the communications to their routers and must already be doing key management.) 

--Sandy

________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] on behalf of Eric Osterweil [eosterweil@verisign.com]
Sent: Thursday, January 19, 2012 3:07 PM
To: Stephen Kent
Cc: sidr@ietf.org list
Subject: Re: [sidr] Key learning procedures in BGPsec?

On Jan 18, 2012, at 2:41 PM, Stephen Kent wrote:

> At 6:36 PM -0500 1/17/12, Eric Osterweil wrote:
>> ...
>> 2 - How do we envision the process of an AS getting its own private key information installed on all of its routers?*  Without _these_, updates cannot be signed...
>
> BGPSEC allows for a per-AS key pair or a per-router key pair.or anything
> in between. Thus, if an AS has routers in locations that the AS operator considers physically insecure, it can choose to have those routers be individually keyed, while having a shared key pair for other routers.
>
> Yes, this design may require routers to have access to a fairly large number of PUBLIC keys for routers/ASes.

Where "fairly large" could approximate a number that is on the order of the number of all BGPsec routers in the global routing system, right (~millions)?  I would imaging that keeping a coherent cache of these keys at every ISP would be a major concern, no?  That's potentially a huge challenge when you include churn, revocation, etc, right?

Eric
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email