On 09/14/2014 09:38 AM, Markus Stenberg wrote:
Like I stated earlier in my email, if you do not assume secure L2,
just securing router-to-router traffic does little to protect the
homenet.
The subject line says "HNCP security", so I naively thought that's what
this was about.
So the real job here is to consider what the threats are first and foremost before making blanket statements about l2, l3, processor speed, etc, etc.
Certainly.
Routers themselves (regardless of what protocol traffic they are sending) as _endpoints_ of traffic constitute only a minor part of the attack surface of your typical home network.
Let’s consider the parties involved:
upstream router on ISP side - no crypto with them in typical case for
foreseeable future
home routers - ok, fine, we can probably do something about them
hosts - cannot really assume crypto, except maybe L2 (e.g. WPA2 or even less likely 802.1x/MACSec)
As a meta point: "crypto" != "security".
Here are a few threats and how to mitigate them, from the last IETF slides (http://www.ietf.org/proceedings/90/slides/slides-90-homenet-8.pdf slide 3):
1. fake ISP (=> active MITM, active packet snooping)
As the upstream router isn’t authenticated (DHCPv6 + RAs indicate it is an upstream router, nothing else), only little configuration about where upstream routers can appear protects from this. (and-or fictional DHCPv6 authentication using ISPs.)
Is this a threat to HNCP? I thought that HNCP was an IGP?
2. access to home resources (~DoS, unprivileged access)
As hosts are not authenticated (if we can’t assume secure L2 of some kind),
nothing to be done here.
Not an HNCP threat?
3. someone actively mutating in-home routing state (=> active MITM, DoS)
Definitely an HNCP threat. Seems like you might want to have some sort of auth/authz, but it's hard to know exactly what because I don't understand the expected enrollment model.
Is that all? Maybe we can recycle security threats from OSPF, etc for a
more comprehensive list?
Mike
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet