At 3:07 PM -0500 1/19/12, Eric Osterweil wrote:
...

Where "fairly large" could approximate a number that is on the order of the number of all BGPsec routers in the global routing system, right (~millions)? I would imagine that keeping a coherent cache of these keys at every ISP would be a major concern, no? That's potentially a huge challenge when you include churn, revocation, etc, right?

It's not clear how many different router certs we will see, but I agree that it may be substantial. It will likely be a mix of per-AS and per-router certs, spread over all of the participating ASes.

Even if there are many fewer certs, inconsistent caches would pose a problem. Unless we're discussing an emergency rekey for a cert, the smart procedure is to post a new cert well before the old one expires, allowing RPs to retrieve the new one in plenty of time.

There is not yet an operational guidance doc for router cert management, but I anticipate this sort of guidance will appear there.

Steve
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
