On Tue, Dec 25, 2018 at 09:08:32AM +0100, Gert Doering wrote:
> On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > I think SSHv2 or IPSec with good CLI integration would be nice.
> > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec
> > integration...etc.) TLS might be good but as Jared said, certificate
> > revocation might not be that manageable. However it's better than
> > plain TCP anyway.
>
> Careful what you wish for. Adding heaps of crypto that all of a
> sudden decides "oh, this certificate is expired" or "bah, this
> algorithm is so insecure, we do not support this key exchange / mac /
> cipher anymore!" adds quite a bit of brittleness...
>
> So TCP-MD5 is actually nice because it has none of all that fanciness.

Already today Junos ships with an OpenSSH client (and server). I'm not
too worried 'heaps of crypto' will be added if the SSH path is picked.

Kind regards,

Job