[RPKI] [EXTERNAL] RTR over SSH Pros and Cons

Compton, Rich A Rich.Compton at charter.com
Tue Sep 7 16:15:42 UTC 2021 

The only reason that I’ve seen for people to do RTR over SSH is for older Cisco code that can’t source RTR traffic from a specific interface.  If the RTR traffic is encapsulated in SSH, the older Cisco code does allows sourcing that SSH client traffic from a specific interface.
We are not too concerned about protecting the confidentiality of the unencrypted RTR traffic with SSH tunneling since all of this traffic would be going across our own links.  I guess if you have this concerned about a monkey in the middle situation, then SSH tunneling might make sense.  Other than that, SSH tunneling seems to introduce more issues than it solves.

-Rich

From: RPKI <rpki-bounces at lists.nlnetlabs.nl> on behalf of Skanda Arasalingam via RPKI <rpki at lists.nlnetlabs.nl>
Reply-To: Skanda Arasalingam <Skanda.Arasalingam at optus.com.au>
Date: Friday, September 3, 2021 at 11:39 PM
To: "rpki at lists.nlnetlabs.nl" <rpki at lists.nlnetlabs.nl>
Subject: [EXTERNAL] [RPKI] RTR over SSH Pros and Cons

CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.
Hi all,

I am interested know benefits of using RTR over SSH compared to TCP.


  1.  Security : If a router is compromised, can get access to the command prompt of the RPKI validator server ?
  2.  Security : Password management, normally username/password need to be change on regular basis any organisation. How easy it is on the validators ? Is total build of the image required ?
  3.  Performance of the router using SSH over RTR

Regards,
Skanda Arasalingam
E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/rpki/attachments/20210907/734f7c7f/attachment.htm>

More information about the RPKI mailing list