On Sep 18, 2014, at 4:27 AM, STARK, BARBARA H <bs7...@att.com> wrote:
> UPnP Device Protection uses X.509 certificates (which can be self-signed, and
> in order not to assume a WAN connection, really should be self-signed) and
> TLS.

I think that something like this, in combination with the promiscuous registration mechanism that I think Michael described earlier, would do the trick. It's not clear that we need X.509 certs, since I have trouble imagining that the keys these devices have would ever be signed by a CA. A bare key might be plenty. But I think this is a better option than trying to shoehorn this functionality into IPsec, which was designed for a _very_ different security context.

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet