[j-nsp] About Secure Transport for RPKI on JUNOS

Jared Mauch jared at puck.nether.net
Wed Dec 26 16:56:07 EST 2018



> On Dec 26, 2018, at 1:36 PM, Bjørn Mork <bjorn at mork.no> wrote:
> 
> Chris Morrow <morrowc at ops-netman.net> writes:
>> On Sun, 23 Dec 2018 16:15:24 -0500,
>> Melchior Aelmans <melchior at aelmans.eu> wrote:
>>> 
>>> Hi Pyxis,
>>> 
>>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX <pyxislx at gmail.com> wrote:
>>> 
>>>> Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
>>>> protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
>>>> 
>>> 
>>> We are discussing internally what secure transport method to support. I'm
>>> happy to hear your ideas.
>> 
>> 'tcp-ao' - yes... srsly.
> 
> Huh? Why? No support on any server OS, AFAIK.  Yes, there were patches
> for FreeBSD and Linux a few years ago, but I don't think they went
> anywhere? This will severely limit the usability.
> 
> Let's have ssh, and optionally tls. We need something we can run on a
> server today.  Not 8 year old foilware.

*Insert anti-FreeBSD snark about how problematic it is, as it burned me in production one too many times .. yes, an RC is there to tell you when you broke the network driver built into the motherboard, and yes, you should fix it before posting -RELEASE, but we don’t care about the end-users so .. yeah, I hate it*

TCP-AO, regardless of the OS, is going to be much easier to use compared to SSH or TLS.

SSH and TLS come with extra complexity, as I mentioned before.  TCP-AO please.

It would be nice to see many packages updated. OpenSSH could use an update from 7.2, and the NTP daemon as well, from 4.2.0-a to something much newer.

If you’ve not been following the IETF activities, btw, MD5 does cause some head scratching when a protocol gets a security review.  It’s amusing to watch when you say “I need something more stable than TLS provides the capability for”, or “I care about integrity, not confidentiality”, and the crypto zealots’ heads explode..

- Jared