On Sun, Dec 06, 2015 at 03:21:15AM +0900, Randy Bush wrote:
> >> and the bit about TLS having been around for 20 years already and it
> >> being past time to do something.
> > https://www.openssl.org/news/vulnerabilities.html#y2015
>
> i might list the interminable vulns i get in the mail from juniper and
> cisco, but it would be a major project to find even a majority of them.

I could certainly publish several that I'm responsible for either finding or, in an occasional case, causing. The reason to highlight this is that the platitude "use TLS" also means "and here are some of the consequences". Operators are used to engineering the network to protect against the vulnerability space. This just opens another set of things.

> the operational fact of life is that nobody deploys ipsec under any
> routing or pretty much anything else other than some vpns. i should not
> have to waste pixels on this. ipsec clauses in sec cons are a cheap
> farce that should be stopped at the wg level, or at the iesg if the wgs
> are gutless.

Or we should figure out how to make this easy to work. But there are also operational consequences like the impact on various high availability solutions.

> thanks to browsers, email, and a horde of other apps, tls is what is
> deployed and therefore more easily deployable. it ain't perfect, but
> not much we do is. and it beats the crap outta ipsec, which was <insert
> sick ietf sec behavior here> and then frozen in time.

One would hope. Mostly, I'd look for stability and low bug counts in a layer I'd want to use in code.

As I said, who's willing to sign your network up to run secured BMP?

-- 
Jeff

_______________________________________________
GROW mailing list
https://www.ietf.org/mailman/listinfo/grow
