<snipping resolved parts/earlier comments> On 20.11.2015, at 17.13, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: > Hmm. I've also setup many small PKIs and don't agree. I do > think someone could easily make all that quite usable within > the home. I agree that that hasn't happened to date though. > (Maybe being a co-author of rfc5280 I probably find all that > PKI nonsense easier to deal with than most developers;-)
Chuckle, I was exaggerating slightly too, but e.g. for my retired mother to deal with (even one set up by me) CA seems rather .. challenging. And that’s the level of configuration skill this solution should work with, if it is to be useful. > Summary: I think when using DTLS for this, support for PSK ought > be a MUST, PKI could be MUST or SHOULD and the consensus thing > probably has to remain as a MAY, since we've not got evidence > that it’d work well enough (yet). Very well. I swapped the SHOULD/MAY([1]), as I do not consider having two MUSTs really good, and as PKI stuff really is relatively large, I prefer having the minimal guaranteed interoperable implementation be small. >> It essentially broadens a number of on-link attacks to network-wide >> ones. Notably you can redirect arbitrary traffic wherever you want >> (without HNCP, you do RA/DHCPv4 faster than router on the link -> >> MITM), and DoS of the network instead of on-link nodes. > > The above may be worthwhile to add to the security considerations. > No harm to remind folks of such things. All except traffic redirection were already in 12.2. subsection actually. Added traffic redirection there in [1] (it is not intrisic property of HNCP, but given HNCP carries routing protocol keys and/or it is unsecured, ..) Cheers, -Markus [1] https://github.com/fingon/ietf-drafts/commit/f8275e165802a9c310f0bbde98e42087ecc891b1 _______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
