[j-nsp] About Secure Transport for RPKI on JUNOS

Bjørn Mork bjorn at mork.no
Thu Dec 27 05:57:54 EST 2018


Chris Morrow <morrowc at ops-netman.net> writes:

> tls brings with it cert issues.

Well.  How bad does it have to be?  Yes, you have to manage private
keys. That's the same for TCP-AO, SSH and TLS. Or any other transport
security protocol. No real difference.

I assume the perceived issue with TLS is that private keys have short
life spans?  But they don't have to in an RPKI setup.  You will want to
manage the CA(s) yourself, and can implement the policies you need. If
you want keys with "infinite" life spans, then that's possible. The
servers validating router certificates can easily check revoked keys,
using a simple CRL or whatever. So you can issue a certificate to your
router and just forget about ever updating it, just like you do with all
your other passwords ;-)

The only difference is that there is a way to actually withdraw that
password.

TLS is nice. Don't be fooled by all the lousy infrastructure
implementations.  Certificate management does not have to suck.

And there is no reason to believe that TCP-AO key management will suck
less - until we've seen it implemented.


Bjørn
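The workflow described in the reply above, as an added example that is not part of the thread or of any vendor's tooling: an operator-owned private CA issues a router certificate with a 100-year lifetime, and a CRL is the one mechanism that withdraws it, so the router's credential never has to be rotated while the validating server can still reject it. It assumes only the openssl command line; the CA name, the router name "rtr1", the scratch paths and the lifetimes are made up for the demo.

```sh
#!/bin/sh
# Added example, not code from the thread: a private CA for RPKI router
# certificates, issued with a near-"infinite" lifetime, where a CRL is the
# mechanism that withdraws a credential. Needs only the openssl CLI.
# Names, paths and lifetimes below are assumptions chosen for the demo.
set -eu

# Scratch PKI layout and a self-contained openssl.cnf (no dependence on the
# system config). $WORK, $CA and $CNF are set by demo().
write_config() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"            # openssl ca's certificate database
  echo 01 > "$CA/serial"
  echo 01 > "$CA/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = rpki_ca

[ rpki_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 36500        # router certs: ~100 years, i.e. "never rotate"
default_crl_days = 365          # the CRL itself is re-signed on a schedule
policy           = policy_cn
x509_extensions  = router_ext

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ router_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA with a 100-year lifetime: the operator owns this CA, so the
# policy is theirs to set.
make_ca() {
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" -days 36500 \
    -subj "/CN=Example private RPKI CA" >/dev/null 2>&1
}

# Issue a router certificate ($1 = router name) from a freshly generated CSR.
issue_router_cert() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -config "$CNF" -batch -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Publish the current CRL; this is what the server validating router
# certificates consults.
gen_crl() {
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Withdraw a router credential without touching the router at all.
revoke_router_cert() {
  openssl ca -config "$CNF" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  gen_crl
}

# Server-side check of a presented router certificate: chain to the private
# CA and reject anything listed on the CRL. Prints "accepted" or "rejected".
check_router_cert() {
  if openssl verify -CAfile "$CA/ca.crt" -crl_check -CRLfile "$WORK/crl.pem" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# End-to-end run in a fresh scratch directory; prints "accepted rejected".
demo() {
  WORK=$(mktemp -d); CA="$WORK/ca"; CNF="$WORK/openssl.cnf"
  write_config && make_ca && issue_router_cert rtr1 && gen_crl
  before=$(check_router_cert rtr1)
  revoke_router_cert rtr1
  after=$(check_router_cert rtr1)
  rm -rf "$WORK"
  echo "$before $after"
}

demo
```

The router certificate is accepted for as long as the operator wants and stops being accepted the moment its serial appears on a CRL the CA publishes; the CRL's own nextUpdate (default_crl_days) is the only thing that needs a schedule, and it lives on the CA and validator side, not on the router.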

