On Aug 24, 2011, at 2:45 PM, Joe Touch wrote:

> On 8/24/2011 1:27 PM, Paul Hoffman wrote:
>> On Aug 24, 2011, at 12:19 PM, Joe Touch wrote:
>> 
>>> Is there ever a reason that this service should exist as a totally open and 
>>> insecure port?
>> 
>> Given that it is explicitly listed in the draft, I find it worrisome that 
>> you even ask the question.
>> 
>>    Caches and routers MUST implement unprotected transport over TCP
>>    using a port, RPKI-Rtr, to be assigned, see Section 12.  Operators
>>    SHOULD use procedural means, ACLs, ... to reduce the exposure to
>>    authentication issues.
> 
> I saw a declaration that this was required, but no REASON that unprotected 
> transport was necessary.

Three paragraphs earlier in the document:

   Unfortunately,
   there is no protocol to do so on all currently used platforms.
   Therefore, as of this document, there is no mandatory to implement
   transport which provides authentication and integrity protection.

This was discussed heavily in the WG.

>>> Also, is there a reason for not assuming that the out-of-band and
>>> in-band services cannot exist on the same port (other than performance
>>> of the connection establishment)?
>> 
>> Those aren't enough !?!?
> 
> "those"? I listed only one - performance.

Sorry, I misread your parenthetical as "other than performance and connection 
establishment". The idea that you can do TLS on the same port as not-TLS has 
been widely debated. It was finally agreed (maybe not by you) that the STARTTLS 
method for sharing a port may or may not be appropriate for each protocol. When 
I look at this protocol, I do not see a way to do it without completely 
rewriting the protocol interactions.

--Paul Hoffman

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr