[j-nsp] About Secure Transport for RPKI on JUNOS
Gert Doering
gert at greenie.muc.de
Tue Dec 25 06:30:10 EST 2018
Hi,
On Tue, Dec 25, 2018 at 11:22:09AM +0100, Job Snijders wrote:
> Already today Junos ships with an OpenSSH client (and server).
Yes, and it's an annoyance if you swap a device, replace the backed-up
config, which does not contain the SSH host keys (so your SSH sessions break
with "KEY CHANGED! INSECURE!"). Now on JunOS it's actually possible
to get out and back up the SSH host keys (if slightly annoying) - other
platforms are worse.
> I'm not
> too worried 'heaps of crypto' will be added if the SSH path is picked.
I'm not so much worried about the code overhead but about crypto-associated
silliness. "Your perfectly-working setup will now stop working because
some crypto bit decided that it is considered insecure now, so it MUST
NOT BE ALLOWED to go on".
SSH is a prime example of that - you upgrade something, and then you
start adding things like "HostKeyAlgorithms +ssh-dss" all over the place
because previously-working scripts are falling apart.
And, see above, for SSH host keys...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de