At Fri, 04 May 2012 17:33:43 -1000, Randy Bush wrote:
>
> > Might it be possible to create the key pair on the router?
> > Then you don't have to move the private key to the router,
> > You move the public key off the router. Much easier.
>
> draft-ymbk-bgpsec-rtr-rekeying-00.txt, section 3. Router-Generated Keys
Which notes that a (the?) main reason for even considering anything other than router-generated keys is that router-generated keys are somewhat problematic in hot swap scenarios.

After thinking about this a bit, I'm not sure I really believe in the hot swap issue as described. Do we really care which router key is used to sign, so long as the router key in question is certified properly so that relying parties can verify the binding between key and signing AS?

So I suspect one could make the router-generated model work well. One just has to plan for it (certify router keys from both the live and hot spare routers) or accept that there will be some cut-over time if one fails to plan (or if one's plans fail...).

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
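As an added illustration of the "plan for it" approach the message argues for (example code written for this page; it is not from the post, from draft-ymbk-bgpsec-rtr-rekeying, or from any BGPsec implementation): each router generates its own key pair and only the public half leaves the box, the AS holder's CA certifies both the live router's key and the hot spare's key ahead of time, and a relying party accepts an update signed by either one because it only checks that the signing key is certified for the claimed AS. The router certificate format here (ASN, public key, CA signature over a constructed encoding), the relying party's map of trusted CA keys, the documentation ASNs 64496 and 64497, and the update bytes are all assumptions of the example, not the real RPKI router-certificate profile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// newKey generates a P-256 key pair; it panics only if the system random source fails.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Router generated its key pair on the box; the private key never leaves it,
// only the public half is handed to the AS holder's CA.
type Router struct{ priv *ecdsa.PrivateKey }

func NewRouter() *Router { return &Router{priv: newKey()} }

// Sign signs the SHA-256 hash of an update with the router's own key.
func (r *Router) Sign(update []byte) ([]byte, error) {
	h := sha256.Sum256(update)
	return ecdsa.SignASN1(rand.Reader, r.priv, h[:])
}

// RouterCert is a constructed stand-in for an RPKI router certificate:
// an AS number, a router public key, and the AS CA's signature binding the two.
type RouterCert struct {
	ASN   uint32
	Pub   *ecdsa.PublicKey
	CASig []byte
}

// tbs hashes the ASN/key pair into the to-be-signed value (constructed encoding).
func tbs(asn uint32, pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid P-256 key
	h := sha256.Sum256([]byte(fmt.Sprintf("AS%d|%x", asn, der)))
	return h[:]
}

// ASCA is the CA of one AS holder; it certifies router keys for its own ASN.
type ASCA struct {
	ASN  uint32
	priv *ecdsa.PrivateKey
}

func NewASCA(asn uint32) *ASCA { return &ASCA{ASN: asn, priv: newKey()} }

// Certify binds a router's public key to this AS. Doing it for the hot spare as
// well as the live router, ahead of time, is the "plan for it" case in the post.
func (ca *ASCA) Certify(r *Router) (*RouterCert, error) {
	pub := &r.priv.PublicKey
	sig, err := ecdsa.SignASN1(rand.Reader, ca.priv, tbs(ca.ASN, pub))
	if err != nil {
		return nil, err
	}
	return &RouterCert{ASN: ca.ASN, Pub: pub, CASig: sig}, nil
}

// Verify is the relying-party check: the router cert must be bound to the claimed AS
// and signed by the CA trusted for that AS, and the update signature must verify
// under the certified key. Which physical router produced the signature is irrelevant.
func Verify(trusted map[uint32]*ecdsa.PublicKey, cert *RouterCert, claimedASN uint32, update, sig []byte) error {
	if cert == nil || cert.Pub == nil || cert.ASN != claimedASN {
		return fmt.Errorf("signer has no router certificate bound to AS%d", claimedASN)
	}
	caPub, ok := trusted[claimedASN]
	if !ok || !ecdsa.VerifyASN1(caPub, tbs(cert.ASN, cert.Pub), cert.CASig) {
		return fmt.Errorf("router cert not issued by the CA trusted for AS%d", claimedASN)
	}
	h := sha256.Sum256(update)
	if !ecdsa.VerifyASN1(cert.Pub, h[:], sig) {
		return fmt.Errorf("update signature does not verify under the certified key")
	}
	return nil
}

// Outcome records which signers the relying party accepted as AS 64496.
type Outcome struct{ Live, Spare, Unplanned, WrongAS bool }

// Scenario: AS 64496 (a documentation ASN) certifies both its live router and its hot
// spare up front, so either may sign during a swap; a spare nobody certified (the
// "failed to plan" case) and a router certified by another AS are rejected.
func Scenario() Outcome {
	ca, otherCA := NewASCA(64496), NewASCA(64497)
	trusted := map[uint32]*ecdsa.PublicKey{ca.ASN: &ca.priv.PublicKey, otherCA.ASN: &otherCA.priv.PublicKey}
	update := []byte("constructed update: 192.0.2.0/24 originated by AS64496")
	accepted := func(issuer *ASCA) bool { // issuer == nil: nobody certified this router
		r := NewRouter()
		var cert *RouterCert
		if issuer != nil {
			cert, _ = issuer.Certify(r) // a failed issuance leaves cert nil: not certified
		}
		sig, err := r.Sign(update)
		return err == nil && Verify(trusted, cert, 64496, update, sig) == nil
	}
	return Outcome{Live: accepted(ca), Spare: accepted(ca), Unplanned: accepted(nil), WrongAS: accepted(otherCA)}
}

func main() { fmt.Printf("%+v\n", Scenario()) } // {Live:true Spare:true Unplanned:false WrongAS:false}
```

The point of the scenario is the Unplanned case: the swap itself is harmless to relying parties as long as the spare's key was certified before it takes over, and the only cost of not doing so is the cut-over time until the CA issues that certificate.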
