nanog mailing list archives

Re: Routing Insecurity (Re: BGP in the Washington Post)

From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 11 Jun 2015 15:19:09 -0400

On Thu, Jun 11, 2015 at 3:10 PM, David Mandelberg <david () mandelberg org> wrote:

On 2015-06-11 07:30, Russ White wrote:


There have been suggestions that a key-per-AS is easier to manage than a
key-per-router, like in provisioning.



Two points --

First, if a single person with console access leaves the company, I must
roll the key for all my BGP routes, with the attendant churn, etc. I can't
imagine anyone deploying such a thing.



I assume the vast majority of these cases are when the person leaves with no
indication of malicious intent. In those cases, it might be possible to


it's actually nearly impossible to tell this... so the 'best' option
is to do the changes required as quickly as is safe for your network.

yes, it sucks... you know what sucks more? when 2 people leave on adjacent days.

Current thread:

Re: Routing Insecurity (Re: BGP in the Washington Post), (continued)
- - - Re: Routing Insecurity (Re: BGP in the Washington Post) Valdis . Kletnieks (Jun 09)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Valdis . Kletnieks (Jun 09)
    - RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 10)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Randy Bush (Jun 10)
    - RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 10)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Randy Bush (Jun 10)
    - RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 10)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Sandra Murphy (Jun 10)
    - RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 11)
    - RE: Routing Insecurity (Re: BGP in the Washington Post) David Mandelberg (Jun 11)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Christopher Morrow (Jun 11)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Sandra Murphy (Jun 10)
    - RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 11)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) David Mandelberg (Jun 04)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Andrews (Jun 02)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Danny McPherson (Jun 03)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 01)
    - Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Tinka (Jun 01)
- Re: BGP in the Washngton Post Max Tulyev (Jun 01)
  - Re: BGP in the Washngton Post Mark Andrews (Jun 02)
    - Re: BGP in the Washngton Post Randy Bush (Jun 02)

(Thread continues...)