On Sep 18, 2014, at 12:34 PM, Ted Lemon <[email protected]> wrote:

> On Sep 18, 2014, at 4:27 AM, STARK, BARBARA H <[email protected]> wrote:
>> UPnP Device Protection uses X.509 certificates (which can be self-signed,
>> and in order not to assume a WAN connection, really should be self-signed)
>> and TLS.
>
> I think that something like this, in combination with the promiscuous
> registration mechanism that I think Michael described earlier, would do the
> trick. It's not clear that we need X.509 certs, since I have trouble
> imagining that the keys these devices have would ever be signed by a CA. A
> bare key might be plenty. But I think this is a better option than trying
> to shoehorn this functionality into IPsec, which was designed for a _very_
> different security context.
My own experience attempting to use IPsec as an add-on security solution (a.k.a. "pixie dust") for a protocol isn't all that positive. We tried that with L2TP, and in the process failed to kill off PPTP on Windows clients. I can't tell you how many times over the years I've had to point people to the Windows Registry setting to disable IPsec with L2TP. OSPFv3 is another one where I get complaints about requiring IPsec. So, I agree with Ted; we should be wary of falling into the trap of using IPsec just because it is there.

Another lesson learned was exposing two passwords to the user vs. one. In a retail/wholesale LAC/LNS deployment model, it made perfect sense for the L2TP tunnel to have a password separate from the PPP user password (and L2TP fully supplanted L2F in these types of deployments). But when the L2TP tunnel and the PPP session are at the same point, it just looks redundant to the end user to have separate security config for each (let alone IPsec on top). Knowing the difference between a tail and a dog is important[1], and it was a very bad idea to let the protocol design influence the UI. In retrospect, allowing one protocol to bootstrap the security in another would have been a good thing for us to have considered more.

- Mark

[1] http://www.urbandictionary.com/define.php?term=the+tail+wagging+the+dog
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
