[j-nsp] About Secure Transport for RPKI on JUNOS
Gert Doering
gert at greenie.muc.de
Tue Dec 25 03:08:32 EST 2018
Hi,
On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> I think SSHv2 or IPSec with good CLI integration would be nice.
> (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec integration...etc.)
> TLS might be good but as Jared said, certificate revocation might not be
> that manageable.
> However it's better than plain TCP anyway.
Careful what you wish for. Adding heaps of crypto that all of a sudden
decides "oh, this certificate is expired" or "bah, this algorithm is so
insecure, we do not support this key exchange / mac / cipher anymore!"
adds quite a bit of brittleness...
So TCP-MD5 is actually nice because it has none of all that fanciness.
> After all, it's kind of ironic that we send the cryptographically verified
> results without integrity.
If someone can interfere with TCP packets *inside your network* without
you noticing, RPKI-RTR is likely the least of your worries.
(Using an externally hosted RPKI validator might change these arguments
quite a bit)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20181225/895d69ef/attachment.sig>
More information about the juniper-nsp
mailing list