[j-nsp] About Secure Transport for RPKI on JUNOS

Job Snijders job at ntt.net
Tue Dec 25 05:22:09 EST 2018


On Tue, Dec 25, 2018 at 09:08:32AM +0100, Gert Doering wrote:
> On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > I think SSHv2 or IPSec with good CLI integration would be nice.
> > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec
> > integration...etc.) TLS might be good but as Jared said, certificate
> > revocation might not be that manageable.  However it's better than
> > plain TCP anyway.
> 
> Careful what you wish for.  Adding heaps of crypto that all of a
> sudden decides "oh, this certificate is expired" or "bah, this
> algorithm is so insecure, we do not support this key exchange / mac /
> cipher anymore!" adds quite a bit of brittleness...
> 
> So TCP-MD5 is actually nice because it has none of all that fanciness.

Already today Junos ships with an OpenSSH client (and server). I'm not
too worried 'heaps of crypto' will be added if the SSH path is picked.

Kind regards,

Job


More information about the juniper-nsp mailing list