On 09/12/2014 03:23 AM, Markus Stenberg wrote:
> I decided to take a look at the homenet architecture draft and compare the
> requirements there with what is defined for HNCP as of now.
>
> Section 3.6 describes security. It seems to be concerned mainly with filtering
> of traffic between different networks - for example, guest, home, and Internet.
> Section 3.8.2 adds potential need for manual provisioning of wireless keys.
>
> Current HNCP draft provides for both automated border discovery (to determine
> between home and Internet being plugged on different ports) that is not really
> dependent on HNCP itself, but neither is it very secure, as in the
> zero-configuration case there is no way to authenticate ISP _or_ the hosts.
> Given provisioning by manufacturer/ISP, or configuration by the end user, the
> automated border discovery can be disabled, and fixed categories assigned to
> interfaces. In that mode, HNCP fulfills the security specified in the draft.
>
> What the draft does not cover is what is the assumption about security of
> protocols within it. If HNCP is run only over either physically or
> cryptographically secured link layer, there are no real extra requirements for
> HNCP.
I'm pretty certain that the answer to this is going to be "no". Does zigbee even
have link layer crypto, for example? And even if it does, new ones as they come
on line are likely to have flaws for a long time (cf wifi).
> So, question time:
>
> 1) Can we assume secure L2 and/or appropriate device configuration by the
> manufacturer/ISP(/user)? (This is what I can assume in my own home.)
>
> 2) If not, should the solution be some sort of pre-shared key scheme? (If not,
> please explain your alternative solution.)
>
> 2.1) And if so, should it be manually keyed IPsec (multicast prevents e.g.
> IKE)? (This is what is in the draft currently.)
>
> 2.2) Or should we roll our own in-HNCP scheme?
It would be better to turn this around and ask what attacks you're trying to
defend against, and who the actors are. Also: PSKs are not very zeroconf-like,
and they're not even particularly friendly littleconf if they are meant as
strong machine-machine keying (rather than crappy human-to-machine
password-like things).
Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet