[j-nsp] About Secure Transport for RPKI on JUNOS

Chris Morrow morrowc at ops-netman.net
Wed Dec 26 17:57:19 EST 2018


On Wed, 26 Dec 2018 13:36:49 -0500,
Bjørn Mork <bjorn at mork.no> wrote:
> 
> Chris Morrow <morrowc at ops-netman.net> writes:
> > On Sun, 23 Dec 2018 16:15:24 -0500,
> > Melchior Aelmans <melchior at aelmans.eu> wrote:
> >> 
> >> Hi Pyxis,
> >> 
> >> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX <pyxislx at gmail.com> wrote:
> >> 
> >> > Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
> >> > protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
> >> >
> >> 
> >> We are discussing internally what secure transport method to support. I'm
> >> happy to hear your ideas.
> >
> > 'tcp-ao' - yes... srsly.
> 
> Huh? Why? No support on any server OS, AFAIK.  Yes, there were patches
> for FreeBSD and Linux a few years ago, but I don't think they went
> anywhere? This will severely limit the usability.

there's no support elsewhere because no one that cares (you, me, network people) can get vendors to deploy AO.
There's no support in network devices because there's no support in linux/etc ...

this is a pretty horrid place to be :( so, if folk want to put AO into
junos for this, we can get it for the other vendors and for other
parts of each vendor's problem-space... and along the way we'll get it
for linux/*bsd (I expect).

> Let's have ssh, and optionally tls. We need something we can run on a
> server today.  Not 8 year old foilware.

ssh isn't in the right form on pretty much any vendor's device, so
said the vendor implementers many times during rpki-rtr
development/process. (hannes gredler, jeff haas, several cisco folks
as well).

tls brings with it cert issues.

