Ted Lemon <[email protected]> wrote:
>> As Mark said, if it's an ISP provided zone, then pushing the new DS is
>> done under the TSIG key that the DHCP established. (So,
>> ted-lemon-house.isp.example.net, and the reverse map).
> Oh, so the TSIG key sent in the clear over DHCP is the attack surface.
Yes, I agree, that is the attack surface!
Using SIG(0) with leap of faith is certainly a better thing, and I agree with
you that this then makes the "blue-smoke-got-out-of-CPE" problem more
difficult. I think that I now forget what other situations we have that
caused us to replace the CPE.
1) The leap-of-faith could be reset by the ISP when they also send out the new router.
2) The new CPE might send a different DUID in DHCPv6, and this might cause the ISP to allocate a new prefix to you. This clears the leap-of-faith for the reverse zone. (Please forgive me if DUID was the wrong term. I think I'm right here.)
3) If this was really PPPoE, then the "link", while still in the clear, was authenticated at "layer-2" from your PPPoE username/password, and maybe something could be leveraged there to reset "ted-lemon-house.isp.example.net".
For the WiMax with authenticated ESSID, there may be a similar layer-2
signal. I agree that this likely doesn't work ("trusts wire") for the
generic ethernet-like [cable/GPON/FTTH] cases.
> Got it. Actually during the DHC working group presentation, we asked
> Daniel to take the TSIG key out because it's not secure. The right way
> to do it is with SIG(0). But that doesn't provide a way to repudiate a
> lost key, because it relies on a leap of faith to begin trusting the
> initial key.
> If the connection between the DHCP server and DHCP client is secure,
> then a nonce sent over DHCP could be used along with SIG(0) to assist,
> but this is not the only potential configuration. Trusting the wire
> works pretty well in these scenarios in practice, but only if there
> _is_ a wire.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting for hire =-
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
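The leap-of-faith policy argued over in this thread (first SIG(0) key seen for a delegated name is pinned; a replaced CPE's new key is refused until the ISP resets the pin or the delegation moves with a new prefix), as an added worked example. This is constructed illustration code, not code from the homenet thread or from any DNS or DHCP implementation; the zone name, the `LeapOfFaithRegistry` class, the DS strings and the use of Ed25519 from the `cryptography` package are all assumptions made for the example.

```python
"""Leap-of-faith (trust-on-first-use) key pinning for SIG(0)-style zone updates.

Constructed example for the discussion above; not code from the homenet
thread, nor from any DNS or DHCP implementation. It models the ISP-side
policy: the first public key an update for a delegated name carries is
pinned, every later update must be signed by that key, and the pin is
dropped only by an explicit out-of-band reset (operator action, or the
delegation moving when a new prefix is allocated). Requires the
`cryptography` package for Ed25519.
"""
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


@dataclass(frozen=True)
class Update:
    """One signed update, in the spirit of a SIG(0)-signed UPDATE message."""
    name: str         # zone being updated, e.g. the per-customer forward zone
    rdata: bytes      # record data being pushed, e.g. a new DS record
    pubkey: bytes     # raw Ed25519 public key the CPE presents (its KEY RR)
    signature: bytes  # signature over name, key and rdata, made by that key


def _to_be_signed(name: str, pubkey: bytes, rdata: bytes) -> bytes:
    # Bind the name and the presented key into the signed data so a signature
    # cannot be replayed for a different zone or under a different key.
    return name.encode() + b"\0" + pubkey + b"\0" + rdata


def sign_update(priv: Ed25519PrivateKey, name: str, rdata: bytes) -> Update:
    """CPE side: sign an update; only the public key ever travels on the wire."""
    pubkey = priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return Update(name, rdata, pubkey, priv.sign(_to_be_signed(name, pubkey, rdata)))


class LeapOfFaithRegistry:
    """ISP side: pin the first key seen per name, reject everything else."""

    def __init__(self) -> None:
        self.pinned: dict[str, bytes] = {}   # name -> raw public key trusted for it
        self.records: dict[str, bytes] = {}  # name -> last accepted rdata
        self.audit: list[str] = []           # what a defender would want logged

    def apply(self, upd: Update) -> bool:
        """Apply one update; True if accepted."""
        # Step 1: the update must verify under the key it carries.
        try:
            Ed25519PublicKey.from_public_bytes(upd.pubkey).verify(
                upd.signature, _to_be_signed(upd.name, upd.pubkey, upd.rdata))
        except (InvalidSignature, ValueError):
            self.audit.append(f"REJECT {upd.name}: signature does not verify")
            return False
        # Step 2: leap of faith on first sight, strict pin afterwards.
        pinned = self.pinned.get(upd.name)
        if pinned is None:
            self.pinned[upd.name] = upd.pubkey
            self.audit.append(f"PIN {upd.name}: first key accepted on faith")
        elif pinned != upd.pubkey:
            # A lost or replaced CPE key lands here: SIG(0) alone gives the new
            # key no way to displace the old pin, which is the repudiation gap.
            self.audit.append(f"REJECT {upd.name}: key differs from pinned key")
            return False
        self.records[upd.name] = upd.rdata
        return True

    def reset(self, name: str, reason: str) -> None:
        """Out-of-band reset: operator action, or the delegation moved (new prefix)."""
        self.pinned.pop(name, None)
        self.records.pop(name, None)
        self.audit.append(f"RESET {name}: {reason}")


def replaced_cpe_scenario() -> dict[str, bool]:
    """Walk through the 'blue smoke got out of the CPE' case from the thread."""
    zone = "customer-house.isp.example.net"   # hypothetical name, constructed
    isp = LeapOfFaithRegistry()
    old_cpe, new_cpe = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    out = {}
    # Constructed DS strings; the digests are placeholders, not real records.
    out["first_update"] = isp.apply(sign_update(old_cpe, zone, b"DS 12345 13 2 0123abcd"))
    # Someone who only saw the public key on the wire cannot produce a valid
    # signature for it: presenting the pinned key with a foreign signature fails.
    foreign = sign_update(new_cpe, zone, b"DS 666 13 2 deadbeef")
    out["forged_sig"] = isp.apply(
        Update(foreign.name, foreign.rdata, isp.pinned[zone], foreign.signature))
    # Replacement CPE with a fresh key is refused until the pin is reset.
    replacement = sign_update(new_cpe, zone, b"DS 222 13 2 cafef00d")
    out["new_cpe_before_reset"] = isp.apply(replacement)
    isp.reset(zone, "new CPE shipped; operator cleared leap-of-faith pin")
    out["new_cpe_after_reset"] = isp.apply(replacement)
    return out
```

`replaced_cpe_scenario()` returns the four outcomes so the policy can be checked end to end: the first update pins the key, a signature that does not match the pinned key is refused, the replacement CPE is refused until `reset()` is called, and accepted afterwards. The `audit` list is where a defender would hook alerting, since repeated "key differs from pinned key" rejections for one name are exactly the signal that a CPE was replaced (or that someone is trying to take the name over) and needs an out-of-band decision.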
