On 23 Nov 2016, at 15:23, Ca By <[email protected]> wrote:
<snip>

> That said, given HOMENET's charter to be the ideal network we always wanted without the technical debt, I suggest HOMENET take a strong stance and reject "crunchy core, soft middle" security approach. Meaning, assuming that some other device is going to do security for you and you can leave a default password telnet open.... that idea needs to die.
>
> We need to make sure that HOMENET does not have a diagram that says "security done here" with an arrow pointed at the gateway.
>
> HOMENET needs to specifically mandate all nodes have sane security, and part of that is ripping off the band-aid / security blanket of "stateful firewall"... the popular notion that stateful firewall does anything meaningful is very damaging to ecosystem... mostly because it makes security the responsibility of some other node.... which is not ok.

Part of the “problem” is that the Homenet security architecture is not yet documented. It was somewhat punted during the discussions towards RFC 7368, with Section 3.6 mentioning RFC 6092 and RFC 4864, without being prescriptive - https://tools.ietf.org/html/rfc7368#section-3.6.

I have my doubts that any attempt to flesh that out further now would reach consensus, but given we’ve now moved on quite a way, e.g. knowing we have HNCP, Babel, etc, and having witnessed Mirai, it might be worth a try.

Something for the chairs…?

Tim
