Personally I would say we need TCP-AO, not only for securing RTR but also to replace MD5 in several protocols....
On Wed, Dec 26, 2018 at 2:43 PM Pyxis LX <[email protected]> wrote:
> Hi, Gert.
>
> I'm not sure I agree with your opinion about SSH.
> IMHO if a KEX/MAC/Cipher algorithm is generally considered insecure by
> the security community, it might not be a good idea to keep using it :)
>
> And please don't get me wrong, TCP-AO is totally fine with rpki-rtr since
> it provides integrity.
> Integrity provided by either an SSHv2 tunnel or TLS, TCP-AO, etc. is
> mandatory when using external rpki-rtr servers or renting a pseudo leased
> line from other carriers that you might not trust 100%.
>
> Regards,
>
> Pyxis.
>
>
> On Tue, Dec 25, 2018 at 4:08 PM Gert Doering <[email protected]> wrote:
>
> > Hi,
> >
> > On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > > I think SSHv2 or IPSec with good CLI integration would be nice.
> > > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec integration, etc.)
> > > TLS might be good but as Jared said, certificate revocation might not be
> > > that manageable.
> > > However it's better than plain TCP anyway.
> >
> > Careful what you wish for. Adding heaps of crypto that all of a sudden
> > decides "oh, this certificate is expired" or "bah, this algorithm is so
> > insecure, we do not support this key exchange / mac / cipher anymore!"
> > adds quite a bit of brittleness...
> >
> > So TCP-MD5 is actually nice because it has none of all that fanciness.
> >
> > > After all, it's kind of ironic that we send the cryptographically verified
> > > results without integrity.
> >
> > If someone can interfere with TCP packets *inside your network* without
> > you noticing, RPKI-RTR is likely the least of your worries.
> >
> > (Using an externally hosted RPKI validator might change these arguments
> > quite a bit)
> >
> > gert
> >
> > --
> > "If was one thing all people took for granted, was conviction that if you
> > feed honest figures into a computer, honest figures come out. Never doubted
> > it myself till I met a computer with a sense of humor."
> > Robert A. Heinlein, The Moon is a Harsh Mistress
> >
> > Gert Doering - Munich, Germany
> > [email protected]
> >
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

