North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: PKI for medium scale network operations

  • From: Christopher L. Morrow
  • Date: Sat Mar 26 17:56:50 2005

I, like Gadi, am certianly no PKI expert. I've seen folks get badly burned
by this fire though...

On Sat, 26 Mar 2005, Sean Donelan wrote:

> Most people figured out I was not looking for a "public" CA solution.
> There is very little reason why internal certificates need to be
> recognized world-wide, or by anything outside of the internal
> organization.  Also I didn't say it, but I'm not looking to identify
> natural people.

Kerb could also do this for you, routers (IOS atleast) already support
Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this
meet the need for authentication type things?

> Instead of using community names for SNMP or shared secrets for VPN,
> an alternative for a network operator is some form of public/private
> keys.

You could, I'm fairly certain, hack in kerb auth to VPN clients and
possibly to SNMP, though I admit to not  being an ASN.1 expert either :(
(kerb and snmp use this in their packing methods, rigth?)

> Several people pointed out certificates don't fix the compromised
> device problem.  Public/private key pairs are only as secure as the
> private key.  The length of the key doesn't matter if you can get
> a copy of the private key.

It's the compromised device problem that was the white-hot-flame-of-love
for the last PKI deployment I witnessed in action... Anwyay, Kerberos?
Might it also be considered for your situation?