On 09/19/2014 02:06 AM, Markus Stenberg wrote:
On 19.9.2014, at 11.18, Mark Townsley <[email protected]> wrote:
My own experience attempting to use IPsec as an add-on security solution (a.k.a.
"pixie dust") for a protocol isn't all that positive. We tried that with L2TP,
and in the process failed to kill off PPTP on Windows clients. I can't tell you how
many times over the years I've had to point people to the Windows Registry setting
to disable IPsec with L2TP. OSPFv3 is another one where I get complaints about
requiring IPsec. So, I agree with Ted; we should be wary of falling into the trap of
using IPsec just because it is there.
So DTLS it is? Because I do not want to reinvent any crypto wheels I do not
have to.
Without a list of threats, it's impossible to know if "DTLS is it". And it's
extremely unlikely that DTLS will be a one-sentence "solution" even if it gets
adopted, because DTLS, IPsec, etc. say nothing about enrollment and
authorization. Those are by far the hard problems with homenet security.

The thing that I'm curious about is whether we can use HNCP itself as a way to
distribute authz for itself, and potentially for other homenet-related
protocols, cf. Brian's MUST a few messages ago.
Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet