On 27.8.2015, at 9.26, Steven Barth <cy...@openwrt.org> wrote:
>> A few issues may be a concern.  The required support of UDP
>> 4000 byte packets in Section 3 DNCP Profile suggests there
>> may be a concern. Section 2.1.4. Amplification Issues of
>> https://tools.ietf.org/html/draft-otis-dnssd-scalable-dns-sd-threats-00
>> describes considerations not covered in RFC6762, RFC6763 or
>> RFC7368 when aggregate sizes of RRsets are overlooked,
>> especially in such environments.
> I do not think amplification attacks wrt. HNCP are particularly relevant
> given you can mitigate them by using (DNCP) security. I also don't get the
> RRset thing? Are you referring to SD and Naming TLVs in HNCP or was this not
> intended to be relevant for HNCP?

HNCP has nothing to do with RRsets, and HNCP only runs _within_ home. In-home 
amplification attacks sound far-fetched, especially as HNCP itself (given DTLS 
at least) is relatively hard to attack in such a way.

If there are concerns about the definition of home and not-home being unclear, 
diffs are welcome. However, in the worst case, given no firewalls and a wrong 
interface category, the ISP may attack the home router _from the next hop_ only, 
due to link-local addresses being the only ones specified (also in Section 3). 
I consider this somewhat unlikely to be a real threat.

Cheers,

-Markus
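The argument above (HNCP speaks only over link-local addresses, so an off-link party such as the ISP can at most reach the router from the adjacent hop, and then only if the interface is miscategorised) can be turned into an explicit ingress check. The following is an added illustration, not code from the thread or from any HNCP implementation; the interface names, the `internal`/`external` category table and the sample datagrams are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface-to-category table (hypothetical names; an HNCP
# implementation would derive this from its own configuration).
INTERFACE_CATEGORY = {
    "eth0": "external",   # ISP-facing uplink
    "eth1": "internal",   # home LAN
    "wlan0": "internal",  # home Wi-Fi
}


@dataclass(frozen=True)
class Datagram:
    """Minimal view of a received UDP datagram (constructed for the example)."""
    iface: str        # interface it arrived on
    src: str          # IPv6 source address, optionally with a %zone suffix
    payload_len: int  # bytes of UDP payload


def ingress_decision(dgram: Datagram) -> tuple[bool, str]:
    """Decide whether a datagram may be handed to the protocol engine.

    Two conditions from the discussion are enforced:
      1. the receiving interface must be categorised as internal (home side);
      2. the source must be an IPv6 link-local address (fe80::/10).
    Because routers never forward link-local-sourced packets, condition 2
    limits any sender to the directly attached link, i.e. "the next hop".
    """
    category = INTERFACE_CATEGORY.get(dgram.iface)
    if category != "internal":
        return False, f"drop: interface {dgram.iface!r} not categorised as internal"

    # Strip a zone identifier such as "%eth1" before parsing so the check
    # works on Python versions that do not accept scoped addresses.
    try:
        src = ipaddress.IPv6Address(dgram.src.split("%", 1)[0])
    except ValueError:
        return False, f"drop: source {dgram.src!r} is not a valid IPv6 address"

    if not src.is_link_local:
        return False, f"drop: source {src} is not link-local (fe80::/10)"

    return True, f"accept: link-local source {src} on internal interface {dgram.iface}"


def filter_datagrams(datagrams: list[Datagram]) -> list[Datagram]:
    """Return only the datagrams that pass the ingress check."""
    return [d for d in datagrams if ingress_decision(d)[0]]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate neighbour, one packet that
    # arrived on the uplink, one from a global (off-link-capable) address.
    samples = [
        Datagram("eth1", "fe80::1%eth1", 180),
        Datagram("eth0", "fe80::1", 180),
        Datagram("eth1", "2001:db8::1", 4000),
    ]
    for d in samples:
        print(ingress_decision(d)[1])
```

Only the first sample survives the filter: the second arrives on the external interface and the third carries a global source address, which is exactly the situation the thread calls "wrong interface category" or "no firewalls".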
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet