Hi, All. I think SSHv2 or IPSec with good CLI integration would be nice. (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec integration...etc.) TLS might be good but as Jared said, certificate revocation might not be that manageable. However it's better than plain TCP anyway. After all, it's kind of ironic that we send the cryptographically verified results without integrity.
Regards, Pyxis. On Mon, Dec 24, 2018 at 8:18 PM Jared Mauch <ja...@puck.nether.net> wrote: > > > > On Dec 24, 2018, at 2:38 AM, Melchior Aelmans <melch...@aelmans.eu> > wrote: > > > > Hi Chris, > > > >> Op 24 dec. 2018 om 05:11 heeft Chris Morrow <morr...@ops-netman.net> > het volgende geschreven: > >> > >> On Sun, 23 Dec 2018 16:15:24 -0500, > >> Melchior Aelmans <melch...@aelmans.eu> wrote: > >>> > >>> Hi Pyxis, > >>> > >>>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX <pyxi...@gmail.com> wrote: > >>>> > >>>> Does JUNOS support any secure transports mentioned in RFC6810 for > rpki-rtr > >>>> protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?) > >>>> > >>> > >>> We are discussing internally what secure transport method to support. > I'm > >>> happy to hear your ideas. > >> > >> 'tcp-ao' - yes... srsly. > > > > Im in favor but why do you think AO is the way to go? It seems SSH and > TLS have gained more support? Let me know your ideas. > > I’m not in favor of having to do certificate revocation etc on my routers > with TLS. Key management is also an issue with SSH and the vendors don’t > expose these knobs in the regular configuration systems nor provide good > tools for interaction with the filesystem. > > If you want to tackle those parts as well, then I think TLS/SSH would be > ok. > > - Jared > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
