On 4-okt-2006, at 16:30, Steven M. Bellovin wrote:
Having read the draft, I do have similar concerns with "double-ended"
operations. The draft mentions that the new key should only be used
when it's "at a point where it is reasonably certain that the other
side would have it installed, too". This is not very exact language,
and I wonder how implementations would handle this.
My intention, actually, was that operators would do that. "Attention
customers: we will be installing the 2007 BGP key on January 15.
Please
install the new key on your end before then." -- and then you
actually do
your end on Jan 20 or thereabouts.
My perspective:
First of all, you NEVER want to bother a customer with requiring some
kind of change from them. It sucks up unbelievable amounts of time
and effort that are better spent elsewhere. Second, in this case,
when the customer connection is reset or redirected by an attacker,
that's the customer's problem, not the service provider's problem. So
it's the customer who should decide if and when key changes need to
happen, not the service provider. Third, you never want to say to a
customer "we are going to make a change, as of this date you can do
such-and-such". What you want to do is make the change on your end
BEFORE informing the customer (in cases where both ends must change
and one end can change without problems first, such as in this
example). Then, the customer can make the change at their end
immediately when they get your message. Last but not least, if you
say you're going to remove the old situation so that they'll be down
if they haven't made the change at their end at that point, you do
this on the date that you announce, so that they can correlate any
problems with the announcement. (All of this assumes that you have a
reliable and secure way to communicate with the right people in the
customer organization by the way, which isn't always the case.)
As a customer, I would want to be the one that sees the change happen
when I'm logged in to the router, so I'd probably say to the service
provider that I want to change keys and please let an engineer call
me when she or he is ready to make the change so I can monitor from
my side. But I'd probably install the new key beforehand so that if
they don't call me and make the change anyway, the session stays up.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf