Hi Douglas, it is a bit hard for me to decipher your mail or extract what is relevant wrt. to the HNCP I-D.
> Sorry for the delay. We were attempting to complete a
> security related draft on the topic.

Are you preparing a generic draft on homenet security or is this specific to HNCP or DNS-SD? Do you have an ETA, or can you share the relevant pieces for HNCP (can be in private to Markus, Pierre and me) upfront so we can address them in the next HNCP revision? We'd rather like to go ahead asap, that is, probably release a new revision early next week, fixing all the things that came up during LC. Most of that is already staged in our git.

> A few issues may be a concern. The required support of UDP
> 4000 byte packets in Section 3 DNCP Profile suggests there
> may be a concern. Section 2.1.4. Amplification Issues of
> https://tools.ietf.org/html/draft-otis-dnssd-scalable-dns-sd-threats-00
> describes considerations not covered in RFC6762, RFC6763 or
> RFC7368 when aggregate sizes of RRsets are overlooked,
> especially in such environments.

I do not think amplification attacks wrt. HNCP are particularly relevant, given you can mitigate them by using (DNCP) security. I also don't get the RRset thing? Are you referring to SD and Naming TLVs in HNCP, or was this not intended to be relevant for HNCP?

> This section, as well as the Security Considerations
> section, does not ensure local resources are not externally
> exposed.

Which section? RFC 6092 is supposed to be followed by edge routers, as HNCP references 7084 and applies it to HNCP interfaces; however, it might be a good idea to explicitly reference RFC 6092 in our own Security Considerations in 12.1, where we merely state "A firewall perimeter is set up for the external interfaces" without any further references. We might as well just do that.

Cheers,
Steven

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
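The amplification point quoted in the thread (aggregate RRset size versus the size of the query that elicits it) can be made concrete with a wire-size estimate. The following is an added example, not code from the thread, from the HNCP draft or from any IETF document. The service type, instance names, host names and TXT strings are constructed, and the 4000-byte figure is used only as a size ceiling because the quoted text mentions it; it is not a limit defined here.

```python
import struct

# Budget taken from the 4000-byte UDP figure quoted in the thread (assumption:
# used here only as a size ceiling to compare against).
UDP_BUDGET = 4000

# RR type codes from RFC 1035 (A, PTR, TXT) and RFC 2782 (SRV)
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
CLASS_IN = 1
HEADER_LEN = 12  # fixed DNS message header


def encode_name(name):
    """Uncompressed wire form of a domain name: length-prefixed labels plus root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(owner, rtype, ttl, rdata):
    """NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (RFC 1035 section 3.2.1)."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def query_size(qname, qtype=TYPE_PTR):
    """Size of a one-question query: header + QNAME + QTYPE + QCLASS."""
    return HEADER_LEN + len(encode_name(qname)) + 4


def response_size(qname, rrs, qtype=TYPE_PTR):
    """Header + echoed question + every RR carried in the answer/additional sections."""
    return query_size(qname, qtype) + sum(len(rr) for rr in rrs)


def build_sample_response(service, n_instances):
    """Constructed DNS-SD response: for each instance a PTR, SRV, TXT and A record,
    the set a browsing client typically receives. All names and TXT content are
    made up for this example."""
    rrs = []
    for i in range(1, n_instances + 1):
        instance = f"printer-{i}.{service}"
        host = f"printer-{i}.local."
        rrs.append(encode_rr(service, TYPE_PTR, 4500, encode_name(instance)))
        srv = struct.pack("!HHH", 0, 0, 631) + encode_name(host)  # priority, weight, port, target
        rrs.append(encode_rr(instance, TYPE_SRV, 120, srv))
        txt = b"".join(bytes([len(s)]) + s.encode("ascii")
                       for s in ("txtvers=1", "pdl=application/pdf"))
        rrs.append(encode_rr(instance, TYPE_TXT, 4500, txt))
        rrs.append(encode_rr(host, TYPE_A, 120, bytes([192, 0, 2, i])))  # RFC 5737 test range
    return rrs


def assess(service, n_instances, budget=UDP_BUDGET):
    """Return (query bytes, response bytes, amplification factor, fits_in_budget).
    Sizes are computed without name compression, so the factor is an upper bound;
    a real responder using RFC 1035 compression produces a somewhat smaller reply."""
    rrs = build_sample_response(service, n_instances)
    q = query_size(service)
    r = response_size(service, rrs)
    return q, r, r / q, r <= budget


if __name__ == "__main__":
    for n in (1, 3, 20):
        q, r, factor, ok = assess("_http._tcp.local.", n)
        print(f"{n:3d} instances: query {q} B, response {r} B, x{factor:.1f}, within budget: {ok}")
```

The useful observation is that the ratio grows linearly with the number of advertised instances while the query stays a few dozen bytes, so a deployment can size its response limit (or rate limiting per source) from the record counts it actually serves rather than from a fixed guess.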
