Hi, Gert. I'm not sure I agree with your opinion about SSH. IMHO, if a KEX/MAC/cipher algorithm is generally considered insecure by the security community, it might not be a good idea to keep using it :)
And please don't get me wrong, TCP-AO is totally fine with rpki-rtr since it provides integrity. Integrity provided by either an SSHv2 tunnel or TLS, TCP-AO, ...etc. is mandatory when using external rpki-rtr servers or renting a pseudo leased line from other carriers that you might not trust 100%.

Regards,
Pyxis.

On Tue, Dec 25, 2018 at 4:08 PM Gert Doering <[email protected]> wrote:
> Hi,
>
> On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > I think SSHv2 or IPSec with good CLI integration would be nice.
> > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec integration...etc.)
> > TLS might be good but as Jared said, certificate revocation might not be
> > that manageable.
> > However it's better than plain TCP anyway.
>
> Careful what you wish for. Adding heaps of crypto that all of a sudden
> decides "oh, this certificate is expired" or "bah, this algorithm is so
> insecure, we do not support this key exchange / mac / cipher anymore!"
> adds quite a bit of brittleness...
>
> So TCP-MD5 is actually nice because it has none of all that fanciness.
>
> > After all, it's kind of ironic that we send the cryptographically verified
> > results without integrity.
>
> If someone can interfere with TCP packets *inside your network* without
> you noticing, RPKI-RTR is likely the least of your worries.
>
> (Using an externally hosted RPKI validator might change these arguments
> quite a bit)
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> [email protected]

