On Oct 22, 2013, at 5:30 PM, Michael Thomas <[email protected]> wrote:

> Yes, it just limits the bad guys to those who know that shared secret. I'll
> leave it to crypto-heads whether that's enough of an advantage to warrant
> l2/l3 entanglement (which is what you really should rip me for :)

I think WPA2 Enterprise uses L3 to get the access control information, so we can forgive you for this minor faux pas. :)

> Yes, of course. And it's why zeroconf is incompatible with security: you have
> to enroll, and enrollment without checking who you're talking to is insecure.
> Ssh isn't *really* zeroconf if you consider it: it asks you first whether you
> want to take that leap of faith, which requires actually considering the
> possibility that something bad might happen.

Right. Minimal touch, not zero-touch.

> What I'd really like is for my device to "home" itself on a network or server
> with my human participation to, like ssh, say "yes, it's ok" because I'm at
> home on my wifi when I first bought it, and "no, it's not ok because I'm still
> at Bestbuy".

Agreed. I think this is a good model. I'd like to see the working group work on something like this (ad hat off).

> Further, I'd say that it really isn't the "Network" that I want to trust, but
> some server (or two), probably running on my home network but not necessarily.
> In fact, I think we should stop talking about trusting a "network" altogether
> because it's really distinct hosts that we ought to trust or not, even if one
> of those hosts happens to be my home router (router != "network", of course).

Yup.

> As far as I can tell, the draft is still ISP-DHCP centric, which to my mind is
> a non-starter, for many, many reasons. I haven't read the newest version, so
> apologies if I'm out of date.
>
> I'd suggest to the authors to rethink the entire scheme *without* DHCP, and
> without any requirement that there's a link-level relationship to do what
> they're trying to do: it should work from the other end of the internet,
> directly addressed with a nice shiny ipv6 address.

Yeah, I _think_ Daniel is just addressing the provisioning of the customer edge home gateway, not hosts on the homenet.

So in that context it makes a little more sense, but I still think it's problematic in any case where the provider isn't shipping customers devices with custom firmware.

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
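As an added illustration of the ssh-style "leap of faith" enrollment the thread contrasts with zeroconf (example code written for this page, not code from the draft or from anyone on the list): a device pins the first server key a human explicitly approves, refuses enrollment when the human says no (e.g. still at the store), and later rejects a changed key instead of silently re-enrolling. Server names and key bytes are constructed sample data.

```python
import hashlib
from typing import Callable, Dict


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a raw public key (hex here for readability)."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


class TrustStore:
    """Pins one public-key fingerprint per server name: trust on first use.

    `confirm(server, fingerprint)` is the human-in-the-loop step from the
    thread: the person decides "yes, it's ok" (I'm at home) or "no" (I'm
    still at the shop). Nothing is trusted without that decision.
    """

    def __init__(self, confirm: Callable[[str, str], bool]):
        self.pins: Dict[str, str] = {}
        self.confirm = confirm

    def check(self, server: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self.pins.get(server)
        if pinned is None:
            # First contact: enrollment proceeds only with explicit consent.
            if not self.confirm(server, fp):
                return "refused"
            self.pins[server] = fp
            return "enrolled"
        if pinned == fp:
            return "ok"
        # Key differs from the pinned one: a relay, a reinstall, or an
        # attacker. Either way the device must not re-enroll on its own.
        return "mismatch"

    def reenroll(self, server: str, pubkey: bytes) -> bool:
        """Replace a pin only through the same human confirmation step."""
        fp = fingerprint(pubkey)
        if not self.confirm(server, fp):
            return False
        self.pins[server] = fp
        return True


def demo() -> list:
    """Constructed scenario: home approves, shop declines, later key change."""
    at_home = TrustStore(confirm=lambda s, fp: True)
    at_shop = TrustStore(confirm=lambda s, fp: False)
    return [
        at_home.check("home-server.example", b"constructed-key-A"),  # enrolled
        at_home.check("home-server.example", b"constructed-key-A"),  # ok
        at_home.check("home-server.example", b"constructed-key-B"),  # mismatch
        at_shop.check("home-server.example", b"constructed-key-A"),  # refused
    ]
```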
