On Wed, Jul 25, 2018 at 1:47 PM, STARK, BARBARA H <[email protected]> wrote:

> > From: Ted Lemon
> > Hm, possibly there's been some miscommunication here: we aren't talking
> > about using tools developed for managed networks for amateurishly-managed
> > networks.   We are talking about the problem of making it possible to do
> > some degree of management of homenets.   I don't think anybody is assuming
> > that we will just forklift in SNMP or Netconf/Yang; indeed, at least one
> > suggestion was to just use HNCP.   HNCP actually possesses exactly the
> > attack surface you are talking about if we don't have some kind of
> > enrollment protocol.
>
> I don't see HNCP as being usable in DDoS attacks or as being useful in
> compromising a device. It can give a device bad config info, which could
> prevent the home network from working as desired. But it can't be used for
> a Mirai-like DDoS attack. And it doesn't have the ability (yet) to
> configure login credentials for more in-depth device management. It doesn't
> supply a management interface so much as send around best effort config
> info.
>

In principle it _is_ the management interface; it's just that it's
automatic.   You can't get login credentials because there are no login
credentials.   I would expect that if we come up with a way for, say, an
app on your phone to manage the homenet, then that app would have to go
through the same sort of enrollment process that any other homenet device
would have to use (of course, the first such app might be required to
*bootstrap* the enrollment process).   The current model of having a web UI
with a default configuration password is precisely what I'd like to make
unnecessary by specifying something better.   It is this sort of UI that
has allowed things like the Mirai worm to proliferate.


> I agree with the need for some kind of enrollment to protect components of
> the homenet solution. I'd rather not rely on this enrollment to guarantee
> that components of the homenet solution cannot be used for DDoS attacks. I
> would prefer for homenet solutions to be natively incapable of being used
> in DDoS attacks.
>

That would certainly be nice.
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet