> Greetings again. Section 7 of draft-ietf-sidr-rpki-rtr-14 has a list
> of supported transports. However, it does not list the one that some
> people have said that they expect it to be run under sometimes, namely
> bare TCP.
huh? i see the following:
Caches and routers MUST implement unprotected transport over TCP
using a port, RPKI-Rtr, to be assigned, see Section 12. Operators
SHOULD use procedural means, ACLs, ... to reduce the exposure to
authentication issues.
> I propose the following for the end of section 7, just before 7.1:
>
> Caches and routers MAY use unprotected TCP as a transport,
> even though this provides none of the security protections of
> the other protocols listed here. Unprotected TCP MUST only be
> used when there is other forms of trusted security in place.
we actually can't. to rehash (null algorithm) the discussion
o AO, which may come for some routers late this year or the first half
of next year, does not exist for servers. as the market for AO in
servers is minuscule, i am not optimistic. side note: for example a
number of very large operators use only solaris.
o MD5, does not exist for many server platforms, or is half-assed.
o SSH, fine on servers, but many router platforms do not have SSH
APIs. they just have client code burned into the CLI.
o TLS, fine on servers, but many router platforms do not have SSH
APIs. they just have client code burned in.
> being honest in the document might be better than pretending
> otherwise.
exactly!
randy
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
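The draft text quoted in this thread says that where the unprotected TCP transport is used, operators SHOULD fall back on "procedural means, ACLs" to limit exposure. The following is an added example, not code from the draft or from anyone on the list, of what that looks like on the cache side: a source-address allow-list checked before a router's RTR session is served. The port number is a placeholder (the draft says it is "to be assigned"), and the allowed prefixes are constructed from the documentation address ranges.

```python
import ipaddress
import socket

# Placeholder: the draft says the RPKI-Rtr port is "to be assigned".
RPKI_RTR_PORT_PLACEHOLDER = 3323

# Constructed allow-list of router addresses (RFC 5737 / RFC 3849 documentation ranges).
ROUTER_ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/28"),
    ipaddress.ip_network("2001:db8:1::/64"),
]


def is_allowed_peer(peer_ip: str, allowlist=ROUTER_ALLOWLIST) -> bool:
    """Return True only if peer_ip lies inside one of the allow-listed prefixes.

    IPv4-mapped IPv6 peers (::ffff:a.b.c.d), which a dual-stack listener reports,
    are normalised to their IPv4 form so the IPv4 prefixes still match them.
    Anything that does not parse as an address is rejected.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowlist)


def serve_once(listener: socket.socket, handler, allowlist=ROUTER_ALLOWLIST):
    """Accept one connection and close it unless the source address is allow-listed.

    `handler(conn)` stands in for the real RTR session logic (hypothetical helper).
    Returns (peer_ip, allowed) so the decision can be logged by the caller.
    """
    conn, peer = listener.accept()
    peer_ip = peer[0]
    allowed = is_allowed_peer(peer_ip, allowlist)
    with conn:
        if allowed:
            handler(conn)
    return peer_ip, allowed


if __name__ == "__main__":
    # Loopback demonstration: the default allow-list does not include 127.0.0.1,
    # so the connection is accepted by the kernel and then dropped by the check.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        client = socket.create_connection(srv.getsockname())
        peer_ip, allowed = serve_once(srv, handler=lambda c: None)
        client.close()
        print(f"peer {peer_ip} allowed={allowed}")
```

A host-firewall rule on the same port would sit in front of this check; the application-layer allow-list is the fallback that remains when the platform lacks TCP-AO, MD5, SSH or TLS support, as discussed in the thread.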