summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAntonios Chariton (daknob) <daknob.mac@gmail.com>2024-04-05 22:38:08 +0200
committerChristian Breunig <christian@breunig.cc>2024-04-07 16:21:59 +0200
commit9fe4b8a9360c8c6544a21111c556cd0a4ec30d6c (patch)
treed3f9dade84def436470c377d5d3edf232d180103
parent7fcf02c24772ad2dfe68ad15d9cb12c4da7a1d68 (diff)
downloadvyos-documentation-9fe4b8a9360c8c6544a21111c556cd0a4ec30d6c.tar.gz
vyos-documentation-9fe4b8a9360c8c6544a21111c556cd0a4ec30d6c.zip
Fix mistake in RPKI documentation about the use of TLS
HTTP is not used for RPKI information, the RTR protocol is used, which works on top of plain TCP. Although some implementations can use TLS, VyOS (and FRR) do not support it, and use either plain TCP or SSH. (cherry picked from commit edbf8846059a9f3e2d5a6bdf8227f97f5d79da4f)
-rw-r--r--docs/configuration/protocols/rpki.rst12
1 files changed, 7 insertions, 5 deletions
diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst
index d40bfb5c..acce2d56 100644
--- a/docs/configuration/protocols/rpki.rst
+++ b/docs/configuration/protocols/rpki.rst
@@ -140,11 +140,13 @@ Configuration
SSH
===
-Connections to the RPKI caching server can not only be established by HTTP/TLS
-but you can also rely on a secure SSH session to the server. To enable SSH you
-first need to create yoursels an SSH client keypair using ``generate ssh
-client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup
-the connection.
+Connections to the RPKI caching server can not only be established by TCP using
+the RTR protocol but you can also rely on a secure SSH session to the server.
+This provides transport integrity and confidentiality and it is a good idea if
+your validation software supports it. To enable SSH, first you need to create
+an SSH client keypair using ``generate ssh client-key
+/config/auth/id_rsa_rpki``. Once your key is created you can setup the
+connection.
.. cfgcmd:: set protocols rpki cache <address> ssh username <user>