I am reading mglt-homenet-naming-delegation-00. (hmm. It was on my reading list, maybe it got superseded, or adopted already?)
Section 9.4 articulates that the DHCP channel between the CPE and the ISP DHCP server MUST be secured. I certainly agree with the concern, but

1) I think that the opportunity for attack is perhaps understated. Given that homenet envisions plugging things together in arbitrary ways, it seems that it would be quite easy for an attacker to confuse a CPE into thinking that it is in fact the CPE closest to the ISP, when in fact it isn't.

2) yet, I think that the consequences of "failing secure" might be undesirable. Given that homenet envisions plugging things together in arbitrary ways, if a CPE makes a security boundary mis-classification, it may view its "WAN" link as being on the outside rather than on the inside. It might then attempt to secure the DHCP channel to the (non-existent ISP), and fail, resulting in... packets not flowing.

3) I think that section 9.4 confuses reasons why the CPE should be concerned if another CPE can impersonate it, reasons why the ISP should be concerned if one CPE can impersonate it, and reasons why the CPE should be concerned if another entity can impersonate the ISP.

I think that most of the concerns are solved by PPPoE connections that use CHAP. In the cable-modem-stuff-looks-like-ethernet scenario, unless there are some strong controls on what MAC address is where, it will, as the section suggests, fall to DHCP security.

--
Michael Richardson
-on the road-
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
