-----Original Message-----
From: Sandra Murphy [mailto:[email protected]]
Sent: Friday, June 03, 2011 1:43 PM
To: Uma Chunduri
Cc: [email protected]; Sean Turner; [email protected]
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

On Fri, 3 Jun 2011, Uma Chunduri wrote:

> ....
>
> True, privacy through SSH is overkill but strong AUTH is *critical*, I feel:
> - TCP-MD5 should not be considered (as it is anyway deprecated and it's MD5)
> - TCP-AO has only a slight advantage as it has less overhead than ipsec-AH, even when
>   deployed with manual keys
> - but it's better if it is "MUST support authentication of nodes with TCP-AO or ipsec-AH" because

Just to be sure: Did you understand the part about implementations of TCP-AO and ipsec-AH not being available at present? I.e., you recognize this forces a delay in implementation of the protocol (and accept the consequent impact on deployment of the RPKI)?

[Uma] Yes, I did. Even though operators don't like ipsec-AH today, it is still deployed for OSPFv3 protection as that (of course now there are other drafts to mitigate complexity with reasonable trade-off). The problem with MD5 is that it can present the *weakest* link for the whole RPKI infra. At least new infrastructure like RPKI should avoid deprecated stuff.

-Uma

--Sandy, speaking as wg co-chair

> as both support
> - strong auth algos
> - algo agility
> - can be deployed with manual and auto key management
>   (auto key probably required eventually, once with a lot of connections at
>   cache/global RPKI/server side and for automatic key changes periodically)
> - key changes for existing sessions
>
> One would get flexibility with this.
> Also Section 7 (page 16)
> "It is assumed that the router and cache have exchanged keys out of band
> by some reasonably secured means"
> This will still be applicable, but only if TCP-AO/ipsec-AH are deployed
> with manual keys.
>
> 2 cents,
> -Uma
>
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
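An added illustration of the contrast drawn in the thread (not code from the thread or from the rpki-rtr draft): the RFC 2385 TCP-MD5 digest is a fixed keyed-MD5 with no key or algorithm identifier in the option, whereas a TCP-AO-style option carries a KeyID, so the receiver selects algorithm and key per segment and keys can roll on a live session. The KeyID table, addresses and payload are constructed, and the AO part is a simplified sketch that omits the RFC 5926 traffic-key derivation.

```python
import hashlib
import hmac
import socket
import struct


def signed_bytes(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Bytes both schemes cover here: IPv4 pseudo-header (src, dst, zero, proto 6,
    TCP length), the fixed 20-byte TCP header with checksum zeroed (options
    excluded, as RFC 2385 specifies), then the segment data."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data_offset = (segment[12] >> 4) * 4          # header length incl. options, bytes
    header = bytearray(segment[:20])
    header[16:18] = b"\x00\x00"                    # checksum assumed zero
    return pseudo + bytes(header) + segment[data_offset:]


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385: MD5(pseudo-header || header || data || key). Fixed algorithm and
    no key identifier on the wire: the receiver cannot tell which key was used,
    so rolling the key means guessing or tearing the session down."""
    return hashlib.md5(signed_bytes(src_ip, dst_ip, segment) + key).digest()


# Constructed master-key table for the TCP-AO-style sketch: KeyID -> (MAC alg, key).
MKT = {1: ("sha1", b"old-shared-secret"), 2: ("sha256", b"new-shared-secret")}


def ao_style_mac(src_ip: str, dst_ip: str, segment: bytes, key_id: int) -> bytes:
    """Simplified TCP-AO-style MAC: the option names a KeyID, so algorithm and key
    are chosen per segment (algorithm agility, in-session rollover). Real TCP-AO
    (RFC 5925/5926) derives per-connection traffic keys with a KDF; omitted here."""
    alg, key = MKT[key_id]
    return hmac.new(key, signed_bytes(src_ip, dst_ip, segment), alg).digest()[:12]  # 96-bit truncation


def ao_style_verify(src_ip: str, dst_ip: str, segment: bytes, key_id: int, mac: bytes) -> bool:
    """Receiver side: unknown KeyID is rejected; otherwise recompute and compare in constant time."""
    if key_id not in MKT:
        return False
    return hmac.compare_digest(ao_style_mac(src_ip, dst_ip, segment, key_id), mac)


def build_segment(payload: bytes) -> bytes:
    """Constructed 20-byte TCP header (no options, checksum 0) to port 323 (rpki-rtr), plus payload."""
    return struct.pack("!HHIIBBHHH", 40001, 323, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
```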
