On Fri, 8 Apr 2011, Hannes Gredler wrote:
On Thu, Apr 07, 2011 at 09:20:05PM -0700, Pradosh Mohapatra wrote:
| > We seem to be in a bit of a jam :( I don't think SIDR is going to be
| > able to, by declaration, get opensource implementations of AO to
| > appear. I don't see non-open-source implementations on the server side
| > for tcp-md5 sadly either, but at least fbsd/obsd/linux have tcp-md5
| > support.
|
| We don't seem to be converging. I would suggest that we keep the status quo
| and make ssh mandatory to implement. Other mechanisms may get prescribed
| in future as & when they become commonly available.

not sure if mandating a single transport is needed at all. since the pros and cons of the various transport protocols (TCP, TCP-MD5, TCP-AO, IPSec, SSH) are well understood, why not simply enumerate the choices and leave it to the operator's local security policy which one to deploy?
Leaving it up to operator choice still leaves the question of what will be implemented. If we don't have a mandatory to implement protocol, can we be sure that an operator will have interoperating implementations wrt secure transport protocols from which to choose?
--Sandy, as member only
IMO you cannot dictate local security policy as they are different between operators. also if the level of containment is sufficient (e.g. local-cache only reachable through a vrf, not accessible through the internet), it is perfectly reasonable even to load your cache records using vanilla TCP.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
