There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.
Key-per-router was brought up as providing the means to excise one misbehaving router that is in some risky sort of environment, which is a different management pain.

In terms of security, from outside the AS, you are basing your decisions on your trust in the AS in the key-per-AS case, and you are basing your decisions on your trust in the AS that certified the router in the key-per-router case.

The local operator's environment and policy rule in choosing the technique.

The draft draft-ietf-sidr-bgpsec-ops-05 says:

   A site/operator MAY use a single certificate/key in all their routers, one certificate/key per router, or any granularity in between.

--Sandy

On Jun 10, 2015, at 9:17 AM, "Russ White" <ru...@riw.us> wrote:

>
>> rtfm. bgpsec key aggregation is at the discretion of the operator.
>> they could use one key to cover 42 ASs.
>
> I've been reading the presentations and the mailing lists, both of which
> imply you should use one key per router for security reasons. I would tend
> to agree with that assessment, BTW.
>
> Russ
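An added Go sketch, not from this thread or from any BGPsec implementation, of why the two granularities differ in excision: a validator that looks keys up by SKI can drop one router's certificate only if that router had its own key. It uses ECDSA P-256 with SHA-256 as BGPsec does; the key table, the simplified SKI derivation, AS number 64500 and the update payload in the test are constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
)
// RouterKey is the (AS, public key) pair a validator learns from an RPKI router
// certificate; KeyTable indexes those pairs by SKI. Both are constructed stand-ins.
type RouterKey struct {
	AS  uint32
	Pub *ecdsa.PublicKey
}
type KeyTable map[[20]byte]RouterKey

// ski is a simplified Subject Key Identifier: SHA-1 over the DER SubjectPublicKeyInfo.
func ski(pub *ecdsa.PublicKey) [20]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return sha1.Sum(der)
}
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// Add registers a key for an AS and returns its SKI; Revoke drops it (the router
// certificate was revoked), which is the only way a validator "excises" a router.
func (t KeyTable) Add(as uint32, pub *ecdsa.PublicKey) [20]byte {
	s := ski(pub)
	t[s] = RouterKey{AS: as, Pub: pub}
	return s
}
func (t KeyTable) Revoke(s [20]byte) { delete(t, s) }

// Sign yields a Signature_Block's contents: the router's SKI plus an ECDSA
// P-256 / SHA-256 signature over msg (the BGPsec algorithm suite).
func Sign(k *ecdsa.PrivateKey, msg []byte) ([20]byte, []byte) {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return ski(&k.PublicKey), sig
}
// Verify accepts only if the SKI still maps to a valid key certified for the AS
// the signer claims; that certification is the only router-to-AS binding.
func Verify(t KeyTable, as uint32, s [20]byte, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	rk, ok := t[s]
	return ok && rk.AS == as && ecdsa.VerifyASN1(rk.Pub, h[:], sig)
}
```

With one key per router, revoking router B's SKI leaves router A's signatures valid; with one key per AS, revoking the shared SKI invalidates every router at once.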