Hey everyone, I was walking through the thought exercise of figuring out how BGPsec might be planning to do its crypto key learning (which I see as a two-pronged problem that I outline below), and I couldn't seem to find any clear text on this matter in the current drafts. I think I'm up to date on most of the drafts, but perhaps not? Can someone point me to the treatises that clarify:

1 - How are routers in BGPsec going to learn and onboard the crypto certs (ROAs/AOAs/xOAs?) needed to verify the routing updates that they receive from peers? These certs are clearly going to need to be maintained and updated somewhere in each router's extended memory hierarchy, right? Without these, updates from other ASes cannot be verified...

- and -

2 - How do we envision the process of an AS getting its own private key information installed on all of its routers?* Without _these_, updates cannot be signed...
*Note: I think this is a subtle, but very critical issue. If we consider (for example) that multinational ASes have routers all over the world, and that these routers need to be upgraded/replaced/etc. sometimes, and that the ASes' private keys are essentially critical secrets (which also will change periodically), then how do we envision addressing the _ongoing_ issue of getting private keys onto routers in faraway places? For instance, we wouldn't press a private key onto a CD, give it to a FedEx delivery person, and then let it work its way through customs in a foreign country that may (or may not) host entities with a vested interest in acquiring or intercepting such a critical enabling secret, right?

For that matter, what do people think about the issue that a private key could simply be covertly extracted from an AS' routers that are deployed in far-off lands? Wouldn't this kind of compromise be a terrifying security threat to most ISPs? afaict, this threat directly elevates the importance of the vulnerability period that comes between compromise, detection, revocation/reissuing, and the lag that occurs until other routers throughout the routing system learn of the changes to certs.

fwiw, I don't think we can punt on this and claim it is anything other than a first-order architectural issue, because of the online nature of BGPsec's signing process. That said, I'm really hoping that I've just missed/misread some text that addresses these issues. If that's the case, please forgive the rambling noise, and tia for the pointers... :-}

Eric

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
