On 3/3/13 5:23 PM, "Erik Kline" <[email protected]> wrote: >> Very good point Erik, thank you. We will certainly take that into >> consideration going forward. This is also why we are proposing a mix of >> two to three CER/ISP Edge determining characteristics (e.g. Including >>the >> CER_ID option as well as the /48 prefix check, etc.). > >Yeah, well about that: I don't see any discussion of the security of >this CER_ID option. If a hipnet device were operating in an >environment in which such a thing could be spoofed then it would be >trivial to punch open a hipnet network. > >Furthermore, it will be bad press when someone inevitably publishes an >article documenting that your ISP can punch open your hipnet network >if they so choose just by publishing a CER_ID to you. Really bad >press. > >Maybe this is discussed in the CER_ID doc and you intended to pull its >security considerations in by transitive closure, I don't know.
Right, this is something that would be addressed in the CER_ID draft itself. While I don't doubt that spoofing or other malicious activity is possible, I am not sure I see how the possibility is any greater or more sever than it is today with existing DHCPv6 (and ND for that matter) messages. Are you simply saying that this is a possibility, or are you inferring that this option would introduce a more serious threat? Either way we should likely take this discussion off-list or onto the DHC list, since it is directly relevant to the CER_ID draft and only indirectly associated with the home network architecture more generally. Thanks, ~Chris _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
