nanog mailing list archives
Re: BGP over TLS
From: Jared Mauch <jared () puck nether net>
Date: Tue, 22 Oct 2019 19:04:22 -0400
On Oct 22, 2019, at 6:31 PM, Keith Medcalf <kmedcalf () dessus com> wrote:

> I see. It is an AIC problem, not a CIA problem. TLS in its default usage is a CIA thing because, well, it was designed to solve CIA problems where even temporary secrecy is more important than being down for a week. As had been pointed out though, TLS does allow for non-CIA configuration and usage such as by using PSK or fingerprint authentication.
>
> SSH is also an AIC thing. It solves the problem by recording the fingerprint on first connect and alarming if the fingerprint is not subsequently what was expected. Cannot TLS be configured to do the same thing bidirectionally?
I’ve had enough of a problem with the management side of my router w/ SSH (host) keys that imagining trying to scale that to let's say 200 peers at an IXP would make it insane to touch.

In my home network I ended up placing a rule due to how often I would play with embedded devices, e.g.:

    Host 10.0.0.*
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null

Because each time I have a new device come up with a hostname (e.g. raspberrypi.local) I would have to clear out my known hosts file. This local policy allows me to make this simpler.

I think something like that is really what’s desired, but when was the last time you managed to keep the ssh daemon key on your router when you swap hardware?

The simpler the tools the better. Things like ACME made it much easier for someone to manage their TLS certs and config. There’s much to be desired from the management plane of these devices. No wonder people with scale roll their own code. Routers haven’t advanced much past the early 90s in sophistication in how you configure them. We’re still in the late 90s with kickstart techniques and manual patching vs en masse configuration changes.

I see the limitations on both the technical side and the human side. Try to tell someone who has been caretaking all the routers to become a sysadmin and watch what happens. It’s up to us as consumers of the technology to push our vendors for something better. I can’t have a router reboot itself when you type commit or similar, which is still the state of the industry.

- Jared
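As an added illustration, not code from the thread, of the SSH-style first-connect pinning Keith asks about, with Jared's lax-subnet rule built in: a small Python trust-on-first-use store for TLS peer certificate fingerprints. The certificate bytes, addresses and file path are constructed; in practice the DER would come from `ssl`'s `getpeercert(binary_form=True)` on a context that skips CA verification, with this store doing the trust decision instead, on both ends of the session.

```python
import hashlib
import ipaddress
import json
import tempfile
from pathlib import Path

# Constructed stand-ins for the DER bytes that
# ssl.SSLSocket.getpeercert(binary_form=True) would hand back.
CERT_A = b"constructed-der-bytes-for-peer-a"
CERT_A_SWAPPED = b"constructed-der-bytes-for-peer-a-after-hardware-swap"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw DER certificate, the usual TLS pin."""
    return hashlib.sha256(cert_der).hexdigest()

class KnownPeers:
    """Trust-on-first-use pin store keyed by peer address, like known_hosts.
    Peers inside `lax_prefixes` are never pinned, mirroring the
    'Host 10.0.0.* StrictHostKeyChecking no' rule from the post.
    """
    def __init__(self, path: Path, lax_prefixes=()):
        self.path = path
        self.lax = [ipaddress.ip_network(p) for p in lax_prefixes]
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def check(self, peer_ip: str, cert_der: bytes) -> str:
        """Return 'lax', 'new', 'ok' or 'MISMATCH'; alarm on MISMATCH."""
        if any(ipaddress.ip_address(peer_ip) in net for net in self.lax):
            return "lax"
        fp = fingerprint(cert_der)
        pinned = self.pins.get(peer_ip)
        if pinned is None:
            self.pins[peer_ip] = fp          # first contact: record and trust
            self.path.write_text(json.dumps(self.pins))
            return "new"
        return "ok" if pinned == fp else "MISMATCH"

def demo() -> list:
    """One peer through first contact, a repeat, a key change, and a reload."""
    path = Path(tempfile.mkdtemp()) / "known_peers.json"
    store = KnownPeers(path, lax_prefixes=["10.0.0.0/24"])
    results = [
        store.check("192.0.2.10", CERT_A),          # new
        store.check("192.0.2.10", CERT_A),          # ok
        store.check("192.0.2.10", CERT_A_SWAPPED),  # MISMATCH: router replaced
        store.check("10.0.0.7", CERT_A_SWAPPED),    # lax: lab subnet, no pin
    ]
    results.append(KnownPeers(path).check("192.0.2.10", CERT_A))  # ok from disk
    return results
```

The MISMATCH case is exactly the hardware-swap problem Jared raises: a replaced router presents a new key, and without an out-of-band rotation step every pinning peer alarms.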