On Thu, Apr 07, 2011 at 09:20:05PM -0700, Pradosh Mohapatra wrote:
| > We seem to be in a bit of a jam :( I don't think SIDR is going to be
| > able to, by declaration, get opensource implementations of AO to
| > appear. I don't see non-open-source implementations on the server side
| > for tcp-md5 sadly either, but at least fbsd/obsd/linux have tcp-md5
| > support.
|
| We don't seem to be converging. I would suggest that we keep the status quo
| and make ssh mandatory to implement. Other mechanisms may get prescribed
| in future as & when they become commonly available.
Not sure if mandating a single transport is needed at all. Since the pros and cons of the various transport protocols (TCP, TCP-MD5, TCP-AO, IPsec, SSH) are well understood, why not simply enumerate the choices and leave it to the operator's local security policy which one to deploy? IMO you cannot dictate local security policy, as it differs between operators.

Also, if the level of containment is sufficient (e.g. local cache only reachable through a VRF, not accessible through the internet), it is perfectly reasonable even to load your cache records using vanilla TCP.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
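As an added example, not part of the thread and not code from any sidr implementation: the Linux TCP-MD5 support the quoted message refers to is exposed through the TCP_MD5SIG socket option (RFC 2385), and this is what an rpki-rtr client would call before connect() to the cache. The cache address 192.0.2.10, the shared key and the function names rtr_enable_tcp_md5 / rtr_md5_probe are placeholders chosen here; port 323 is the rpki-rtr TCP port. Two caveats a practitioner will want: the cache side must install the same key for the client's address on its listening socket, otherwise the SYN is silently dropped, and TCP-MD5 is the older mechanism that TCP-AO (RFC 5925) was designed to replace, which is why the thread treats it as a stopgap.

```c
/* Added example (not from the sidr thread): arming TCP-MD5 (RFC 2385) on a
 * Linux socket for an rpki-rtr session via the TCP_MD5SIG socket option.
 * Cache address, port and key below are constructed placeholders. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

#define RTR_PORT 323            /* rpki-rtr over TCP */
#define RTR_MD5_MAXKEYLEN 80    /* equals TCP_MD5SIG_MAXKEYLEN on Linux */

enum rtr_md5_status {
    RTR_MD5_ERROR = -1,       /* bad argument, or setsockopt failed for another reason */
    RTR_MD5_UNSUPPORTED = 0,  /* kernel or platform lacks TCP-MD5 support */
    RTR_MD5_CONFIGURED = 1    /* segments to/from peer_ip now carry the MD5 option */
};

/* Install a per-peer TCP-MD5 key on an IPv4 socket. Call before connect()
 * on the client, or on the listening socket on the cache side. */
enum rtr_md5_status rtr_enable_tcp_md5(int sock, const char *peer_ip, const char *key)
{
    struct in_addr peer;
    size_t keylen = key ? strlen(key) : 0;

    if (sock < 0 || !peer_ip || inet_pton(AF_INET, peer_ip, &peer) != 1) {
        errno = EINVAL;
        return RTR_MD5_ERROR;
    }
    if (keylen == 0 || keylen > RTR_MD5_MAXKEYLEN) {
        errno = EINVAL;              /* kernel rejects empty and over-long keys too */
        return RTR_MD5_ERROR;
    }
#if defined(TCP_MD5SIG) && defined(TCP_MD5SIG_MAXKEYLEN)
    struct tcp_md5sig md5;
    memset(&md5, 0, sizeof md5);
    struct sockaddr_in *sin = (struct sockaddr_in *)&md5.tcpm_addr;
    sin->sin_family = AF_INET;
    sin->sin_addr = peer;            /* key is bound to this peer address */
    md5.tcpm_keylen = (uint16_t)keylen;
    memcpy(md5.tcpm_key, key, keylen);

    if (setsockopt(sock, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof md5) == 0)
        return RTR_MD5_CONFIGURED;
    if (errno == ENOPROTOOPT || errno == EOPNOTSUPP)
        return RTR_MD5_UNSUPPORTED;  /* CONFIG_TCP_MD5SIG not built into this kernel */
    return RTR_MD5_ERROR;
#else
    return RTR_MD5_UNSUPPORTED;      /* no TCP_MD5SIG on this platform */
#endif
}

/* Probe with a throwaway socket: useful at startup to learn whether the
 * local kernel can honour a TCP-MD5 policy before deciding on a transport. */
enum rtr_md5_status rtr_md5_probe(const char *peer_ip, const char *key)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        return RTR_MD5_ERROR;
    enum rtr_md5_status st = rtr_enable_tcp_md5(sock, peer_ip, key);
    int saved = errno;
    close(sock);
    errno = saved;
    return st;
}

int main(void)
{
    const char *cache_ip = "192.0.2.10";        /* constructed: the RPKI cache */
    const char *shared_key = "example-rtr-key";  /* constructed: agreed out of band */
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        return 1;
    }
    switch (rtr_enable_tcp_md5(sock, cache_ip, shared_key)) {
    case RTR_MD5_CONFIGURED:
        printf("TCP-MD5 armed for %s; connect() to port %d will be signed\n",
               cache_ip, RTR_PORT);
        break;
    case RTR_MD5_UNSUPPORTED:
        printf("kernel lacks TCP-MD5; local policy must pick another transport\n");
        break;
    default:
        perror("rtr_enable_tcp_md5");
    }
    /* connect() to cache_ip:RTR_PORT would follow here; omitted so the
     * example runs offline. */
    close(sock);
    return 0;
}
```

No privilege is needed to set the option, so the probe can run unprivileged at daemon start; a result of RTR_MD5_UNSUPPORTED is exactly the case the reply leaves to local policy (SSH, IPsec, or plain TCP inside a contained VRF).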
