[j-nsp] About Secure Transport for RPKI on JUNOS

Pyxis LX pyxislx at gmail.com
Tue Dec 25 01:46:57 EST 2018


Hi, All.

I think SSHv2 or IPsec with good CLI integration would be nice.
(ex: CLI to manage SSHv2 private keys, OSPFv3-like IPsec integration...etc.)
TLS might be good but as Jared said, certificate revocation might not be
that manageable.
However it's better than plain TCP anyway.
After all, it's kind of ironic that we send the cryptographically verified
results without integrity.

Regards,
Pyxis.


On Mon, Dec 24, 2018 at 8:18 PM Jared Mauch <jared at puck.nether.net> wrote:

>
>
> > On Dec 24, 2018, at 2:38 AM, Melchior Aelmans <melchior at aelmans.eu> wrote:
> >
> > Hi Chris,
> >
> >> On 24 Dec 2018, at 05:11, Chris Morrow <morrowc at ops-netman.net> wrote:
> >>
> >> On Sun, 23 Dec 2018 16:15:24 -0500,
> >> Melchior Aelmans <melchior at aelmans.eu> wrote:
> >>>
> >>> Hi Pyxis,
> >>>
> >>>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX <pyxislx at gmail.com> wrote:
> >>>>
> >>>> Does JUNOS support any secure transports mentioned in RFC6810 for
> >>>> rpki-rtr protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
> >>>>
> >>>
> >>> We are discussing internally what secure transport method to support.
> >>> I'm happy to hear your ideas.
> >>
> >> 'tcp-ao' - yes... srsly.
> >
> > I'm in favor but why do you think AO is the way to go? It seems SSH and
> > TLS have gained more support? Let me know your ideas.
>
> I’m not in favor of having to do certificate revocation etc on my routers
> with TLS.  Key management is also an issue with SSH and the vendors don’t
> expose these knobs in the regular configuration systems nor provide good
> tools for interaction with the filesystem.
>
> If you want to tackle those parts as well, then I think TLS/SSH would be
> ok.
>
> - Jared