On 14.9.2014, at 20.45, Michael Thomas <m...@mtcc.com> wrote:
> On 09/14/2014 09:38 AM, Markus Stenberg wrote:
>> Like I stated earlier in my email, if you do not assume secure L2, just 
>> securing router-to-router traffic does little to protect the homenet.
> The subject line says “HNCP security”, so I naively thought that’s what this 
> was about.

Considering security in isolation for a single protocol is a bit naive, I think, 
but I do not mind indulging you.

>>> So the real job here is to consider what the threats are first and foremost 
>>> before making blanket statements about l2, l3, processor speed, etc, etc.
>> Certainly.
>> 
>> Routers themselves (regardless of what protocol traffic they are sending) as 
>> _endpoints_ of traffic constitute only a minor part of the attack surface of 
>> your typical home network.
>> 
>> Let’s consider the parties involved:
>> 
>> upstream router on ISP side - no crypto with them in typical case for 
>> foreseeable future
>> home routers - ok, fine, we can probably do something about them
>> hosts - cannot really assume crypto, except maybe L2 (e.g. WPA2 or even less 
>> likely 802.1x/MACSec)
> As a meta point: "crypto" != "security".

Oh, really?

>> Here are a few threats and how to mitigate them from the last IETF slides 
>> (http://www.ietf.org/proceedings/90/slides/slides-90-homenet-8.pdf slide 3):
>> 
>> 1. fake ISP (=> active MITM, active packet snooping)
>> 
>> As the upstream router isn’t authenticated (DHCPv6 + RAs indicate it is an 
>> upstream router, nothing else), only littleconf about where upstream routers 
>> can appear protects from this. (and/or fictional DHCPv6 authentication using 
>> ISPs.)
> 
> Is this a threat to HNCP? I thought that HNCP was an IGP?

It is a threat to HNCP’s border discovery. In automated mode, it will determine 
categories of interfaces, and enable (or not) some classes of attacks.

>> 2. access to home resources (~DoS, unprivileged access)
>> 
>> As hosts are not authenticated (if we can’t assume secure L2 of some kind), 
>> nothing to be done here.
> Not an HNCP threat?

Again, see border discovery. We cannot determine the ‘internal’ zone securely, 
unless littleconf is done by either the router vendor (‘LAN ports’), or by the user. 
Or alternatively, throw in crypto here.

>> 3. someone actively mutating in-home routing state (=> active MITM, DoS)
> Definitely an HNCP threat. Seems like you might want to have some sort of 
> auth/authz, but it's hard to know exactly what because I don't understand the 
> expected enrollment model.

Just one exchange ago you said ‘some magic handwave’ would provide easy 
authentication/authorization bootstrap for the routers. I was hoping you would 
clarify it.

> Is that all? Maybe we can recycle security threats from OSPF, etc for a more 
> comprehensive list?

I am looking forward to your comprehensive list.

Cheers,

-Markus