There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning. Key-per-router was brought up as providing the means to excise one misbehaving router that is in some risky sort of environment, which is a different management pain.

In terms of security, from outside the AS, you are basing your decisions on your trust in the AS in the key-per-AS case, and you are basing your decisions on your trust in the AS that certified the router in the key-per-router case. The local operator's environment and policy rule in choosing the technique.

The draft draft-ietf-sidr-bgpsec-ops-05 says: A site/operator MAY use a single certificate/key in all their routers, one certificate/key per router, or any granularity in between.

--Sandy

On Jun 10, 2015, at 9:17 AM, "Russ White" <russw@riw.us> wrote:
rtfm. bgpsec key aggregation is at the discretion of the operator. they could use one key to cover 42 ASs.
I've been reading the presentations and the mailing lists, both of which imply you should use one key per router for security reasons. I would tend to agree with that assessment, BTW.
Russ
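The trade-off Sandy describes can be made concrete with a small validator model. The following is an added example, not code from the thread or from any BGPsec implementation: it keeps a validator-side cache of router certificates indexed by (ASN, SKI), as a BGPsec signature segment names its signer, and signs and verifies with ECDSA P-256 over SHA-256. The AS number 64500, the prefix, the "revoked" flag standing in for the CRL/expiry check, and the SKI computed as SHA-1 over the raw public-key point are all constructed simplifications. Running it with one key per router shows the operator excising one misbehaving router while its neighbour in the same AS still validates; with one AS-wide key, revoking that key takes every router sharing it out of service. In both runs the validator's trust decision is the same: it trusts whichever AS certified the key, never the individual router.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RouterCert holds what a BGPsec validator uses from a router certificate:
// the AS the key is certified for, the Subject Key Identifier, the public
// key, and a revocation flag (constructed stand-in for the CRL/expiry check).
type RouterCert struct {
	ASN     uint32
	SKI     [20]byte
	Pub     *ecdsa.PublicKey
	Revoked bool
}

type keyID struct {
	asn uint32
	ski [20]byte
}

// KeyStore is the validator's cache of router certs, indexed by (ASN, SKI),
// which is how a BGPsec signature segment identifies its signer.
type KeyStore struct{ certs map[keyID]*RouterCert }

func NewKeyStore() *KeyStore { return &KeyStore{certs: map[keyID]*RouterCert{}} }

// skiOf is a simplification: SHA-1 over the uncompressed point rather than
// over the DER-encoded subjectPublicKey as the real SKI is derived.
func skiOf(pub *ecdsa.PublicKey) [20]byte {
	return sha1.Sum(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
}

// Enroll registers a key for an AS. Enrolling the same key twice (two routers
// sharing one AS-wide key) returns the same cert, so revoking it hits both.
func (ks *KeyStore) Enroll(asn uint32, pub *ecdsa.PublicKey) *RouterCert {
	id := keyID{asn, skiOf(pub)}
	if c, ok := ks.certs[id]; ok {
		return c
	}
	c := &RouterCert{ASN: asn, SKI: id.ski, Pub: pub}
	ks.certs[id] = c
	return c
}

// Signer is a router holding a BGPsec private key (P-256 / SHA-256).
type Signer struct{ Priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Priv: priv}, nil
}

// SignUpdate signs the digest of data, a constructed byte string standing in
// for the Secure_Path/NLRI material a real BGPsec router covers.
func (s *Signer) SignUpdate(data []byte) ([20]byte, []byte, error) {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Priv, h[:])
	return skiOf(&s.Priv.PublicKey), sig, err
}

// Validate is the receiver's check for one signature segment: look the cert
// up by (ASN, SKI), reject it if revoked, then verify the signature. The same
// path serves both granularities; the trust anchor is the certifying AS.
func (ks *KeyStore) Validate(asn uint32, ski [20]byte, data, sig []byte) error {
	c, ok := ks.certs[keyID{asn, ski}]
	if !ok {
		return errors.New("no router cert for this (ASN, SKI)")
	}
	if c.Revoked {
		return errors.New("router cert revoked")
	}
	h := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(c.Pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenario builds one AS with a misbehaving router and a well-behaved one,
// either with a key per router or one shared AS-wide key, revokes the bad
// router's cert, and reports (bad rejected, good still valid).
func RunScenario(perRouter bool) (badRejected, goodValid bool, err error) {
	const asn = 64500 // constructed; private-use AS number
	data := []byte("constructed update: AS64500 -> AS64510, 192.0.2.0/24")
	ks := NewKeyStore()
	bad, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	good := bad // key-per-AS: the second router holds the same key
	if perRouter {
		if good, err = NewSigner(); err != nil {
			return false, false, err
		}
	}
	badCert := ks.Enroll(asn, &bad.Priv.PublicKey)
	ks.Enroll(asn, &good.Priv.PublicKey)
	badCert.Revoked = true // the operator excises the misbehaving router
	skiB, sigB, errB := bad.SignUpdate(data)
	skiG, sigG, errG := good.SignUpdate(data)
	if errB != nil || errG != nil {
		return false, false, errors.New("signing failed")
	}
	return ks.Validate(asn, skiB, data, sigB) != nil,
		ks.Validate(asn, skiG, data, sigG) == nil, nil
}

func main() {
	for _, perRouter := range []bool{true, false} {
		b, g, err := RunScenario(perRouter)
		if err != nil {
			panic(err)
		}
		fmt.Printf("key-per-router=%v: bad rejected=%v, good still valid=%v\n", perRouter, b, g)
	}
}
```

The per-router run prints `bad rejected=true, good still valid=true`; the shared-key run prints `bad rejected=true, good still valid=false`, which is the management pain Sandy points at on each side of the choice.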