Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))
Christopher Morrow <morrowc.lists@gmail.com> Fri, 11 May 2012 18:51 UTC
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Rob Austein <sra@hactrn.net>, sidr wg list <sidr@ietf.org>

On Fri, May 11, 2012 at 2:43 PM, Randy Bush <randy@psg.com> wrote:
>> though I contend you have time between 'card fail' and 'router back to
>> normal' to ship a key in the ether/ssh to the device too.
>
> by the time the replacement re is sufficiently on net to create and send
> a public key to the noc for signing and publishing, the router is up and
> has at least some routing data. so the subsequent publication delay
> would be a critical path delay (in the pert sense) to full, i.e. bgpsec,
> use.

hrm, so... normally something like this happens:
1) router go boom
2) troubleshooting ensues to see where the problem is (what to fix)
3) RE/RSP is determined to be at fault
4) spares call placed
5) spare arrives and is placed into the chassis
6) reboot/checkout happens
7) customer links brought back online
8) things return to 'normal'

I think that at 1 all routing stops (or enough stops that you stop it
all anyway). I think that at 6 you are in a state where at a minimum
the router has core-facing connectivity and you are placing the config
back on the device + relevant other bits (the key in question).

So... I agree you can make a key locally, you can ALSO probably just
re-ship the current stored-in-a-safe key to the device, because you've
got an extra 10 seconds for a complete new SSH session to come up/down
while scp'ing the file-o-key-material to the remote device.

-chris