At Thu, 27 Dec 2018 11:57:54 +0100,
Bjørn Mork wrote:
>
> Chris Morrow writes:
>
> > tls brings with it cert issues.
>
> Well. How bad does it have to be? Yes, you have to manage private
> keys. That's the same for TCP-AO, SSH and TLS. Or any other transport
> security protocol. No real
At Thu, 27 Dec 2018 11:43:58 +0100,
Bjørn Mork wrote:
>
> Chris Morrow writes:
> > On Wed, 26 Dec 2018 14:11:19 -0500,
> > sth...@nethelp.no wrote:
> >>
> >> Now if Juniper could implement TCP-AO and then donate the implementation
> >> to FreeBSD? :-)
> >
> > This was sort of my point, yes.
>
Chris Morrow writes:
> tls brings with it cert issues.
Well. How bad does it have to be? Yes, you have to manage private
keys. That's the same for TCP-AO, SSH and TLS. Or any other transport
security protocol. No real difference.
I assume the perceived issue with TLS is that private keys
Chris Morrow writes:
> On Wed, 26 Dec 2018 14:11:19 -0500,
> sth...@nethelp.no wrote:
>>
>> Now if Juniper could implement TCP-AO and then donate the implementation
>> to FreeBSD? :-)
>
> This was sort of my point, yes.
> Thanks, as always for your cogent point(s).
I don't follow FreeBSD
Hi,
On Thu, Dec 27, 2018 at 01:02:17PM +0800, Pyxis LX wrote:
> BTW, I'll consider the Fortinet CLI inconsistency as a software bug that
> shall be fixed.
Yes, totally so.
But it's not the first time and won't be the last time that SSH setups
stop working "mysteriously" due to vendor decisions
Hello, Gert.
On Thu, Dec 27, 2018 at 2:28 AM Gert Doering wrote:
> Hi,
>
> On Wed, Dec 26, 2018 at 09:40:57PM +0800, Pyxis LX wrote:
> > I'm not sure I agree with your opinion about SSH.
> > IMHO if a KEX/MAC/Cipher algorithm that is generally considered insecure by
> > the security
On Wed, 26 Dec 2018 14:11:19 -0500,
sth...@nethelp.no wrote:
>
> Now if Juniper could implement TCP-AO and then donate the implementation
> to FreeBSD? :-)
This was sort of my point, yes.
Thanks, as always for your cogent point(s).
-chris
(without something to break the ao logjam we'll just
On Wed, 26 Dec 2018 13:36:49 -0500,
Bjørn Mork wrote:
>
> Chris Morrow writes:
> > On Sun, 23 Dec 2018 16:15:24 -0500,
> > Melchior Aelmans wrote:
> >>
> >> Hi Pyxis,
> >>
> >> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX wrote:
> >>
> >> > Does JUNOS support any secure transports mentioned in
> On Dec 26, 2018, at 2:11 PM, sth...@nethelp.no wrote:
>
>>>> We are discussing internally what secure transport method to support. I'm
>>>> happy to hear your ideas.
>>>
>>> 'tcp-ao' - yes... srsly.
>>
>> Huh? Why? No support on any server OS, AFAIK. Yes, there were patches
>> for FreeBSD
> On Dec 26, 2018, at 1:36 PM, Bjørn Mork wrote:
>
> Chris Morrow writes:
>> On Sun, 23 Dec 2018 16:15:24 -0500,
>> Melchior Aelmans wrote:
>>>
>>> Hi Pyxis,
>>>
>>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX wrote:
>>>
>>>> Does JUNOS support any secure transports mentioned in RFC6810 for
>>> We are discussing internally what secure transport method to support. I'm
>>> happy to hear your ideas.
>>
>> 'tcp-ao' - yes... srsly.
>
> Huh? Why? No support on any server OS, AFAIK. Yes, there were patches
> for FreeBSD and Linux a few years ago, but I don't think they went
> anywhere?
If we are talking about SSH in Junos
I am waiting for TrustedUserCAKeys support as described in
https://code.fb.com/security/scalable-and-secure-access-with-ssh/
Nitzan
On Wed, Dec 26, 2018 at 8:39 PM Bjørn Mork wrote:
> Chris Morrow writes:
> > On Sun, 23 Dec 2018 16:15:24 -0500,
> > Melchior
Chris Morrow writes:
> On Sun, 23 Dec 2018 16:15:24 -0500,
> Melchior Aelmans wrote:
>>
>> Hi Pyxis,
>>
>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX wrote:
>>
>> > Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
>> > protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
Hi,
On Wed, Dec 26, 2018 at 09:40:57PM +0800, Pyxis LX wrote:
> I'm not sure I agree with your opinion about SSH.
> IMHO if a KEX/MAC/Cipher algorithm that is generally considered insecure by
> the security community, it might not be a good idea to keep using it:)
This very much depends on what
On Mon, 24 Dec 2018 02:38:35 -0500,
Melchior Aelmans wrote:
>
> Hi Chris,
>
> > On 24 Dec 2018, at 05:11, Chris Morrow wrote:
> >
> > On Sun, 23 Dec 2018 16:15:24 -0500,
> > Melchior Aelmans wrote:
> >>
> >> Hi Pyxis,
> >>
> >>> On Sat, Dec 22, 2018 at 8:58 AM
> On Dec 26, 2018, at 8:48 AM, Melchior Aelmans wrote:
>
> Personally I would say we need TCP-AO, not only for securing RTR but also to
> replace MD5 in several protocols
Yes, this would be a positive step. It will also take ~5-7 years for those on
md5 to rotate to something else, but
> On Dec 25, 2018, at 5:22 AM, Job Snijders wrote:
>
> On Tue, Dec 25, 2018 at 09:08:32AM +0100, Gert Doering wrote:
>> On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
>>> I think SSHv2 or IPSec with good CLI integration would be nice.
>>> (ex: CLI to manage SSHv2 private keys,
Personally I would say we need TCP-AO, not only for securing RTR but also
to replace MD5 in several protocols
On Wed, Dec 26, 2018 at 2:43 PM Pyxis LX wrote:
> Hi, Gert.
>
> I'm not sure I agree with your opinion about SSH.
> IMHO if a KEX/MAC/Cipher algorithm that is generally considered
Hi, Gert.
I'm not sure I agree with your opinion about SSH.
IMHO if a KEX/MAC/Cipher algorithm that is generally considered insecure by
the security community, it might not be a good idea to keep using it:)
And please don't get me wrong, TCP-AO is totally fine with rpki-rtr since
it provides
Hi,
On Tue, Dec 25, 2018 at 11:22:09AM +0100, Job Snijders wrote:
> Already today Junos ships with an OpenSSH client (and server).
Yes, and it's an annoyance if you swap a device, replace the backed-up
config, which does not contain the SSH host keys (so your SSH sessions break
with "KEY
On Tue, Dec 25, 2018 at 09:08:32AM +0100, Gert Doering wrote:
> On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> > I think SSHv2 or IPSec with good CLI integration would be nice.
> > (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec
> > integration...etc.) TLS might be good but
Hi,
On Tue, Dec 25, 2018 at 09:45:06AM +0100, Lukas Tribus wrote:
> On Tue, 25 Dec 2018 at 09:09, Gert Doering wrote:
> > If someone can interfere with TCP packets *inside your network* without
> > you noticing, RPKI-RTR is likely the least of your worries.
>
> I'm not sure I follow ...
>
>
Hello Gert,
On Tue, 25 Dec 2018 at 09:09, Gert Doering wrote:
> If someone can interfere with TCP packets *inside your network* without
> you noticing, RPKI-RTR is likely the least of your worries.
I'm not sure I follow ...
other than using a lower layer encryption like macsec or L1 DWDM
Hi,
On Tue, Dec 25, 2018 at 02:46:57PM +0800, Pyxis LX wrote:
> I think SSHv2 or IPSec with good CLI integration would be nice.
> (ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec integration...etc.)
> TLS might be good but as Jared said, certificate revocation might not be
> that
Hi, All.
I think SSHv2 or IPSec with good CLI integration would be nice.
(ex: CLI to manage SSHv2 private keys, OSPFv3-like IPSec integration...etc.)
TLS might be good but as Jared said, certificate revocation might not be
that manageable.
However it's better than plain TCP anyway.
After all,
> On Dec 24, 2018, at 2:38 AM, Melchior Aelmans wrote:
>
> Hi Chris,
>
>> On 24 Dec 2018, at 05:11, Chris Morrow wrote:
>>
>> On Sun, 23 Dec 2018 16:15:24 -0500,
>> Melchior Aelmans wrote:
>>>
>>> Hi Pyxis,
>>>
>>>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX
Hi Chris,
> On 24 Dec 2018, at 05:11, Chris Morrow wrote:
>
> On Sun, 23 Dec 2018 16:15:24 -0500,
> Melchior Aelmans wrote:
>>
>> Hi Pyxis,
>>
>>> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX wrote:
>>>
>>> Does JUNOS support any secure transports mentioned in RFC6810
On Sun, 23 Dec 2018 16:15:24 -0500,
Melchior Aelmans wrote:
>
> Hi Pyxis,
>
> On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX wrote:
>
> > Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
> > protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
> >
>
> We are discussing
Hi Pyxis,
On Sat, Dec 22, 2018 at 8:58 AM Pyxis LX wrote:
> Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
> protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
>
We are discussing internally what secure transport method to support. I'm
happy to hear your ideas.
On Sat, Dec 22, 2018 at 03:56:28PM +0800, Pyxis LX wrote:
> Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
> protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
> I am unable to find any documents related on the JUNOS website or CLI.
> Given that IOS-XR supports SSHv2
Hi, All,
Does JUNOS support any secure transports mentioned in RFC6810 for rpki-rtr
protocol? (SSHv2/IPsec or TLS for rpki-rtr-tls?)
I am unable to find any documents related on the JUNOS website or CLI.
Given that IOS-XR supports SSHv2 tunnel, I would suspect JUNOS has same
level of support?
31 matches