[j-nsp] About Secure Transport for RPKI on JUNOS
Pyxis LX
pyxislx at gmail.com
Wed Dec 26 08:40:57 EST 2018
Hi, Gert.
I'm not sure I agree with your opinion about SSH.
IMHO if a KEX/MAC/Cipher algorithm is generally considered insecure by
the security community, it might not be a good idea to keep using it :)
And please don't get me wrong, TCP-AO is totally fine with rpki-rtr since
it provides integrity.
Integrity provided by either an SSHv2 tunnel or TLS, TCP-AO, etc. is
mandatory when using external rpki-rtr servers or renting a pseudo leased
line from other carriers that you might not trust 100%.
Regards,
Pyxis.
On Tue, Dec 25, 2018 at 4:08 PM Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > I think SSHv2 or IPSec with good CLI integration would be nice.
> > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec
> integration...etc.)
> > TLS might be good but as Jared said, certificate revocation might not be
> > that manageable.
> > However it's better than plain TCP anyway.
>
> Careful what you wish for. Adding heaps of crypto that all of a sudden
> decides "oh, this certificate is expired" or "bah, this algorithm is so
> insecure, we do not support this key exchange / mac / cipher anymore!"
> adds quite a bit of brittleness...
>
> So TCP-MD5 is actually nice because it has none of all that fanciness.
>
> > After all, it's kind of ironic that we send the cryptographically verified
> > results without integrity.
>
> If someone can interfere with TCP packets *inside your network* without
> you noticing, RPKI-RTR is likely the least of your worries.
>
> (Using an externally hosted RPKI validator might change these arguments
> quite a bit)
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
>