-----Original Message-----
From: John Scudder [mailto:[email protected]]
Sent: Friday, June 03, 2011 1:53 PM
To: Uma Chunduri
Cc: Christopher Morrow; [email protected]; [email protected]; Sean Turner;
[email protected]; Rob Austein
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
On Jun 3, 2011, at 4:23 PM, Uma Chunduri wrote:
> True, privacy through SSH is overkill but strong AUTH is *critical*, I feel:
> - TCP-MD5 should not be considered (as it is anyway deprecated and it's MD5)
What specifically do you mean by "should not be considered"?
[Uma] I responded in other e-mail. No protection is better than weak protection.
> - TCP-AO has only a slight advantage as it has less overhead than ipsec-AH even when deployed with manual keys
> - but it's better if it is "MUST support authentication of nodes with TCP-AO or ipsec-AH" because
The drawback of saying "MUST support A or B" is that two implementations may be
formally compliant yet not interoperable. That would obviously be undesirable
(to say the least). IMO the spec should pick one mandatory one while leaving
open the option to support others.
[Uma] True. Then probably TCP-AO. But ipsec-AH can give a tough challenge as it's
relatively old and more readily available than AO (also understood better as it is
already deployed elsewhere).
-Uma
--John