On 05/06/2012 02:24 PM, Dan Wing wrote:
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Thomas
Sent: Sunday, May 06, 2012 12:32 PM
To: [email protected]
Subject: [homenet] [SPAM] I have a problem

I suspect many/most of you do too. Looking through the charter and arch doc, my primary problem is that I'm probably way off charter, but I'm not sure so I'll ask.

When I'm out and about, there are zillions of wifi opportunities. Who runs them and for what reason, I haven't the foggiest idea. Some of them are undoubtedly malicious, many more poorly run. So it's fairly crazy to use them. But like a lot of people, connectivity often trumps sanity.

What I'd really like is to not feel dirty when I do that. The most obvious thing to do is to use a VPN, but I don't have a corporate mothership these days so I'd have to set all of that up, and it would most likely have to be through my home linux box since my el cheapo home router doesn't know about IPsec afaik. Not to mention that even if *I* could move heaven and earth to protect my posterior, the vast unwashed masses are not so fortunate.

So why did I come to homenet to complain? Well, it's because I can't think of another place that I'd reasonably place the other end of my VPN but on my home net. As far as I can tell, there aren't many places to dogleg my traffic to avoid access network fun and games. My ISP doesn't care about this problem, let alone doing anything fancy like running a mobile IP home agent, which would be even better of course. Nor do I see others, so I'm not holding my breath.

Yes, I know the performance would be miserable given the asymmetric nature of cable/DSL. But it would at least not allow $EVILSHOP to do nasty things with my unencrypted traffic, and traffic analysis on the rest.

That said, even if this is widely off charter, another aspect may not be: if we have lots of new services in our homes I may very well want to access them remotely. If VPNs are good enough for corpro, then mightn't the same be true for my home networks too?
"Understanding Apple's Back to My Mac (BTMM) Service",
http://tools.ietf.org/html/rfc6281 is an interesting read.
Regarding where to terminate the VPN, see its Section 7.3.2 titled
"Discussion: End-to-End Encryption" which lists some disadvantages
to terminating the VPN at the home gateway.

I don't really see that as helpful, as the current reality is that I can't get an IPsec tunnel to anything in my home as a practical reality. Yes, if I am sufficiently geekly I can terminate it back at a PC or Mac or Linux box -- all of which exact their own pound of flesh for the effort. All would require their own credentials enrollment too. At least at the home router demarc I'd only have to go through that exercise once, and maybe with some auto config pixie dust it might not even be much harder than using wifi, which people manifestly seem to be able to do.

In any case, that sort of tradeoff might be a reason that this is interesting to this wg, especially if you think of this in terms of routing within a home -- a VPN is just another interface, right?


There is also SIP-initiated IPsec, http://tools.ietf.org/html/rfc6193,
which terminates the VPN on the home gateway.

To your point that connectivity trumps sanity, if such VPNs were
commonplace, an active attacker would interfere with attempts to
bring up such VPNs.  And the user's desire for connectivity would
cause the user to skip setting up their VPN, under the mistaken
assumption that their home network is down or otherwise unavailable.

Well, people already use VPNs on the road and in evil places now; it's just that they're doing it through a corpro VPN back at the mothership. I just want to be able to have the same choice when I'm doing this on my own dime. As it stands, I can't do that for all intents and purposes.

Mike


-d
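Dan's point above, that an active attacker on the hotspot can make the home tunnel look merely unavailable and thereby push a connectivity-hungry client into sending plaintext, is easy to make concrete. The following is an added example, not code from this thread, from RFC 6281 or from RFC 6193: a constructed toy model of a hostile hotspot that silently drops the IKE handshake (UDP 500/4500 are used as the handshake ports), and two client policies, fail-open and fail-closed, facing it. The Hotspot and Client classes, the retry count and the port numbers are all assumptions of the simulation.

```python
"""Fail-open versus fail-closed VPN clients on a hostile hotspot.

Constructed simulation: the hotspot, the clients and the port numbers
below are a toy model, not code from the mailing-list thread, RFC 6281
or RFC 6193. IKE's UDP ports (500, 4500) stand in for the tunnel
handshake that the attacker drops.
"""
from dataclasses import dataclass, field
from typing import List

IKE_PORTS = (500, 4500)  # IKE and IKE/ESP over UDP (NAT-T): the tunnel handshake


@dataclass
class Hotspot:
    """Access network under attacker control (constructed model).

    If blocks_tunnel_handshake is set, plaintext packets to the IKE ports
    are silently dropped; everything else is forwarded and logged.
    """
    blocks_tunnel_handshake: bool
    log: List[str] = field(default_factory=list)

    def deliver(self, dst_port: int, encrypted: bool) -> bool:
        if not encrypted and dst_port in IKE_PORTS and self.blocks_tunnel_handshake:
            self.log.append(f"dropped plaintext handshake to :{dst_port}")
            return False
        kind = "encrypted" if encrypted else "plaintext"
        self.log.append(f"forwarded {kind} packet to :{dst_port}")
        return True


class Client:
    """Road-warrior client that wants to tunnel home before talking."""

    def __init__(self, hotspot: Hotspot, fail_closed: bool, attempts: int = 3):
        self.hotspot = hotspot
        self.fail_closed = fail_closed
        self.attempts = attempts
        self.tunnel_up = False

    def bring_up_tunnel(self) -> bool:
        # Retry the handshake a few times. An active attacker that drops it
        # produces exactly the symptoms of "my home network is down".
        for _ in range(self.attempts):
            if self.hotspot.deliver(IKE_PORTS[0], encrypted=False):
                self.tunnel_up = True
                return True
        return False

    def send(self, dst_port: int) -> str:
        """Return what happened to an application packet: tunneled, blocked or leaked."""
        if self.tunnel_up or self.bring_up_tunnel():
            self.hotspot.deliver(IKE_PORTS[1], encrypted=True)  # ESP inside the tunnel
            return "tunneled"
        if self.fail_closed:
            return "blocked"  # no tunnel, no traffic: the user notices and can decide
        # Fail-open: connectivity trumps sanity and the packet goes out bare,
        # which is the downgrade the attacker was fishing for.
        self.hotspot.deliver(dst_port, encrypted=False)
        return "leaked"


def run_scenario(attacker_blocks_handshake: bool, fail_closed: bool) -> str:
    """Outcome of one HTTP request from a fresh client on the given hotspot."""
    hotspot = Hotspot(blocks_tunnel_handshake=attacker_blocks_handshake)
    client = Client(hotspot, fail_closed=fail_closed)
    return client.send(dst_port=80)


if __name__ == "__main__":
    for blocks in (False, True):
        for closed in (False, True):
            outcome = run_scenario(blocks, closed)
            print(f"attacker blocks handshake={blocks!s:5} fail_closed={closed!s:5} -> {outcome}")
```

On a benign hotspot both policies tunnel; on the hostile one only the fail-closed client refuses to leak, at the cost of the very connectivity the user was after. That is the trade-off Dan describes: a home VPN that users are free to skip when it "does not work" gives an active attacker a cheap downgrade.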


_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

