>> I'm kinda surprised the security ADs are OK with this in a brand new
>> connection-oriented protocol meant to increase security of the
>> network:
>
> Me too. I didn't even know I'd read that draft yet :-)
>
> When I do read it then I'll be ok with it or will not be ok with it.
> Neither applies yet.

this was discussed with HO in helpful secdir review: there is no
reasonable (integrity and authentication, we do not care about privacy)
protocol X implemented on all servers (unix, linux, solaris) and routers
(cisco, juniper, ...). AO, $deity's gift to the wire, is on none of them.
there are routers which have an ssh server built into the cli but which
do not have an ssh library available to new hacks such as rpki-rtr.
freebsd can generate md5 but does not check it on receipt. and so on.
ground truth is very uuuuugly.

for when this was discussed in wg last call, see

http://www.ietf.org/mail-archive/web/sidr/current/msg02899.html
http://www.ietf.org/mail-archive/web/sidr/current/msg03186.html
http://www.ietf.org/mail-archive/web/sidr/current/msg02694.html

a bunch of security folk probably remember the discussion then,
amusingly some folk seem not to.

randy

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
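The message contrasts a stack that can generate the TCP MD5 signature option with one that also checks it on receipt. The following is an added worked example, not code from the original message nor from any of the operating systems or routers it names: a user-space model of the RFC 2385 computation (digest over the IP pseudo-header, the fixed TCP header with checksum zeroed and options excluded, the payload, and the shared key), with the receive-side check that a generate-only stack would skip. The addresses, ports, key and 19-byte keepalive payload are constructed sample values, and the option-list walker is this example's own code, not any kernel's.

```python
"""RFC 2385 TCP MD5 signature option: sign a segment and verify it on receipt.

Added example, not from the original message. Models in user space what a
TCP stack with TCP-MD5 enabled on a socket computes: the 16-byte digest
covers the pseudo-header, the fixed TCP header (checksum zeroed, options
excluded), the payload and the shared key, in that order (RFC 2385 sec. 2)."""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19          # option kind assigned by RFC 2385
TCP_MD5_LEN = 18           # kind + length + 16-byte digest
PROTO_TCP = 6
TH_ACK, TH_PSH = 0x10, 0x08


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options, payload, key):
    """Digest per RFC 2385: pseudo-header, fixed header with checksum=0, data, key.
    Options are excluded from the hash but counted in the pseudo-header length."""
    if len(fixed_hdr) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    seg_len = len(fixed_hdr) + len(options) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, PROTO_TCP, seg_len))
    hdr_no_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    h = hashlib.md5()
    for part in (pseudo, hdr_no_csum, payload, key):
        h.update(part)
    return h.digest()


def build_fixed_header(sport, dport, seq, ack, flags, window, options_len):
    """20-byte TCP header; the data offset counts the options that follow it."""
    if options_len % 4:
        raise ValueError("options must be padded to a 4-byte boundary")
    data_offset = (20 + options_len) // 4
    # checksum and urgent pointer left at 0 (checksum is zeroed for the digest anyway)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Return fixed header + MD5 option (padded with two NOPs) + payload."""
    options_len = TCP_MD5_LEN + 2
    fixed = build_fixed_header(sport, dport, seq, ack, flags, 65535, options_len)
    # only the option length matters for the digest, not its content
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, b"\x00" * options_len, payload, key)
    options = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + b"\x01\x01"
    return fixed + options + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):           # truncated option
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                           # malformed length
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receive-side check: recompute the digest and compare in constant time.
    A stack that generates the option but never runs this step accepts any
    forged or modified segment on a connection it believes is protected."""
    if len(segment) < 20:
        return False
    fixed = segment[:20]
    hdr_len = (fixed[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    received = find_md5_option(options)
    if received is None:
        return False                        # unsigned segment: reject
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, options, payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample values: a BGP-style keepalive (marker, length 19, type 4).
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"example-md5-password"
PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"


def demo():
    """Valid segment verifies; a flipped payload byte or the wrong key does not."""
    seg = sign_segment(SRC, DST, 179, 40000, 1000, 2000, TH_ACK | TH_PSH, PAYLOAD, KEY)
    ok = verify_segment(SRC, DST, seg, KEY)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])
    bad_payload = verify_segment(SRC, DST, tampered, KEY)
    wrong_key = verify_segment(SRC, DST, seg, b"other-password")
    return ok, bad_payload, wrong_key


if __name__ == "__main__":
    print(demo())
```

The check is deliberately strict: an unsigned segment on a protected connection is rejected rather than passed through, since accepting it would be exactly the failure mode the message describes.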