[j-nsp] About Secure Transport for RPKI on JUNOS

Pyxis LX pyxislx at gmail.com
Thu Dec 27 00:02:17 EST 2018


Hello, Gert.

On Thu, Dec 27, 2018 at 2:28 AM Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Wed, Dec 26, 2018 at 09:40:57PM +0800, Pyxis LX wrote:
> > I'm not sure I agree with your opinion about SSH.
> > IMHO if a KEX/MAC/Cipher algorithm that is generally considered insecure by
> > the security community, it might not be a good idea to keep using it:)
>
> This very much depends on what your focus is.  Mine is more "operational
> stability" - and if unattended machine-to-machine communication breaks,
> causing operational outage, because one side decides to upgrade their
> SSH implementation and existing algorithms stop working, then I know what
> my answer will be.
>
> Like, when Fortinet upgraded their SSH backend in one of the minor releases,
> not even mentioning it in the release notes and all of a sudden SSH-DSA
> keys stopped working.  While the CLI still happily let us enter DSA keys,
> they just did not work anymore, with no hint whatsoever anywhere.  Broke
> quite a bit of our automatization system which was still using DSA keys
> because *other* vendors couldn't be bothered to implement RSA keys in a
> timely fashion...
>
>
I can see your point here. We keep at least 2 sets of NMS modules to deal
with this kind of problem.
Security is a serious concern when doing inband management. Probably more
important than operational stability, as you can almost always find a
workaround manually.
And I have the same feeling that most vendors lack comprehensive
configuration knobs on the SSH subsystem. This should be enhanced. (HostKey
management, TrustedUserCAKeys, etc., for example)

BTW, I'll consider the Fortinet CLI inconsistency as a software bug that
shall be fixed.


> > And please don't get me wrong, TCP-AO is totally fine with rpki-rtr since
> > it provides integrity.
> > Integrity provided by either SSHv2 tunnel or TLS, TCP-AO, ...etc. is
> > mandatory when using external rpki-rtr servers or renting a pseudo leased
> > line from other carriers that you might not have 100% trust.
>
> Sure.


> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
>
