On 09/16/2014 06:52 AM, Michael Richardson wrote:
I further suggest that if two routers have wireless that they might well
have a WPA2/PSK available to them, and that they can and SHOULD use something
derived from that key to authenticate each other. Could be over IKEv2, yes.
If I have more than one SSID, which PSK should the router use?
And if it's a simple derivation, that means that anybody with the right PSK
can derive that key and participate in routing whether we want them to or
not, right? That is, where is the authz?
Given that I have to input my SSID passwords somehow, is it really too
much to ask that they also have to input, say, a homenet control plane
password/key
to allow things like router updates, dns xfers, etc, to be authenticated?
Yes, if we can make this AH assumption of skipping, so that we can get TOFU
to work.
markus> 2.2) Or should we roll our own in-HNCP scheme?
No.
I realize that there is an issue with cable modems and FTTH systems such that
the ISP boundary can be hard to recognize. I propose that HNCP use scope-5
multicast, and that we try to convince the Broadband forum that it's cable
modems should drop scope-5 multicast, if they see it. Further, we have the
heuristic that if we saw DHCPv6PD on that interface, it might be an ISP.
(If we also saw DHCPv6PD, and we saw authenticated HNCP, then it is internal)
Maybe we can turn the boundary problem on its head by defining it as
"those who are in my tribe".
That is, if I can't authenticate them as a control plane speaker, they
are definitionally "outside".
Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
