On 15.9.2014, at 2.09, Michael Thomas <m...@mtcc.com> wrote:
> On 09/14/2014 03:39 PM, Markus Stenberg wrote:
>>> The subject line says “HNCP security”, so I naively thought that’s what 
>>> this was about.
>> Considering security in isolation for a single protocol is a bit naive, I think, 
>> but I do not mind indulging you.
> We're not mind readers here. If you mean security for all aspects of the 
> homenet, change the subject line.

I assume you didn’t bother to read the initial message content. I changed the 
subject accordingly now so people can filter accordingly.

The original message was about HNCP security _in terms of what is specified in 
architecture draft_ (or realistic real-world deployment), but that sounded like 
a long title so I hoped someone would just read the text.

> And there are plenty of examples of "considering security in isolation for a 
> single protocol" and I can assure you that it is not “a bit naive”.

I am sure there is lots of locksmith work going on with windows left wide open 
too, and I am also certain it is a good idea if you say so.

>> Just one exchange ago you said ’some magic handwave’ would provide easy 
>> authentication/authorization bootstrap for the routers. I was hoping you 
>> would clarify it. 
> I said no such thing. And I didn't say we could use leap of faith "easily", I 
> said that, depending on the threats, it might be an option.

You stated the WPA2 key is not an insurmountable problem, but elsewhere in the thread, 
the biggest problem is that (in a home, typically wireless) L2 is not secure 
(=WPA2 key seems to be a considerable burden or outdated WEP infrastructure is 
in use). Leap of faith enrollment is usually “hard”, given no vendor lock-in or 
dedicated hardware (and even then it can fail horribly, see WPS for examples of 
how it does not work out in the real world even if some of the original specs were 
sane).

>>> Is that all? Maybe we can recycle security threats from OSPF, etc for a 
>>> more comprehensive list?
>> I am looking forward to your comprehensive list.
> How exactly did this turn into a request for guidance on your part, to an 
> onus for a comprehensive list on my part?

Because you sound as if you had answers to things, until asked for them, and 
then you ask for others to do something.

I _did_ and _do_ look for guidance; I am looking forward to your guidance on 
the threats here, for example. So far I am the only one who produced some 
output on them, and you considered them too briefly explained. You turned ‘we’ 
to ‘you’ easily enough. Could you consider using the ‘I’ part of ‘we’ instead?

Cheers,

-Markus
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
