[j-nsp] About Secure Transport for RPKI on JUNOS

Melchior Aelmans melchior at aelmans.eu
Wed Dec 26 08:48:00 EST 2018


Personally I would say we need TCP-AO, not only for securing RTR but also
to replace MD5 in several protocols....

On Wed, Dec 26, 2018 at 2:43 PM Pyxis LX <pyxislx at gmail.com> wrote:

> Hi, Gert.
>
> I'm not sure I agree with your opinion about SSH.
> IMHO if a KEX/MAC/cipher algorithm is generally considered insecure by
> the security community, it might not be a good idea to keep using it :)
>
> And please don't get me wrong, TCP-AO is totally fine with rpki-rtr since
> it provides integrity.
> Integrity provided by either SSHv2 tunnel or TLS, TCP-AO, ...etc. is
> mandatory when using external rpki-rtr servers or renting a pseudo leased
> line from other carriers that you might not have 100% trust.
>
> Regards,
>
> Pyxis.
>
>
> On Tue, Dec 25, 2018 at 4:08 PM Gert Doering <gert at greenie.muc.de> wrote:
>
> > Hi,
> >
> > On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > > I think SSHv2 or IPSec with good CLI integration would be nice.
> > > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec
> > > integration...etc.)
> > > TLS might be good but as Jared said, certificate revocation might not
> > > be that manageable.
> > > However it's better than plain TCP anyway.
> >
> > Careful what you wish for.  Adding heaps of crypto that all of a sudden
> > decides "oh, this certificate is expired" or "bah, this algorithm is so
> > insecure, we do not support this key exchange / mac / cipher anymore!"
> > adds quite a bit of brittleness...
> >
> > So TCP-MD5 is actually nice because it has none of all that fanciness.
> >
> > > After all, it's kind of ironic that we send the cryptographically
> > > verified results without integrity.
> >
> > If someone can interfere with TCP packets *inside your network* without
> > you noticing, RPKI-RTR is likely the least of your worries.
> >
> > (Using an externally hosted RPKI validator might change these arguments
> > quite a bit)
> >
> > gert
> >
> > --
> > "If was one thing all people took for granted, was conviction that if you
> >  feed honest figures into a computer, honest figures come out. Never
> >  doubted it myself till I met a computer with a sense of humor."
> >                              Robert A. Heinlein, The Moon is a Harsh Mistress
> >
> > Gert Doering - Munich, Germany
> > gert at greenie.muc.de
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>