Re: [homenet] Working Group draft adoptions
Hi,

Regarding
* draft-mglt-homenet-front-end-naming-delegation
* draft-mglt-homenet-naming-architecture-dhc-options

I think this is useful work and support its adoption. However, I'd like to see these drafts generalized so that mechanisms to provide authorization credentials towards the DNS are not limited to only being provided via DHCP, so that the architecture could also be used within other configuration management approaches as well, e.g. via Netconf/Yang.

Thanks,
Normen Kowalewski
Deutsche Telekom AG Group Headquarters

P.S. My apologies to the email reviewer(s), since I have needlessly clobbered your review queue with a copy of this content instead of subscribing to this list before sending it.

> From: Ray Bellis <Ray.Bellis at nominet.org.uk>
> To: homenet at ietf.org
> Date: Wed, 3 Sep 2014 13:38:16 +
> List-id: homenet.ietf.org
>
> This email commences a two week period for comments relating to the adoption of the following drafts by the HOMENET Working Group, as promised during our WG session in Toronto:
>
> draft-pfister-homenet-prefix-assignment
> http://datatracker.ietf.org/doc/draft-pfister-homenet-prefix-assignment/
>
> draft-mglt-homenet-front-end-naming-delegation
> http://datatracker.ietf.org/doc/draft-mglt-homenet-front-end-naming-delegation/
>
> draft-mglt-homenet-naming-architecture-dhc-options
> http://datatracker.ietf.org/doc/draft-mglt-homenet-naming-architecture-dhc-options/
>
> If you have any comments please reply to this message, but please do not mix up comments on the PA draft and the two Naming drafts in a single reply.
>
> thanks,
> Ray and Mark

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] HNCP security?
Michael Thomas <m...@mtcc.com> wrote:
> I'm pretty certain that the answer to this is going to be no. Does zigbee even have link layer crypto, for example? And even if it does, new ones as they come on line are likely to have flaws for a long time (cf. wifi).

zigbeeIP mandates link layer crypto, but it's a non sequitur, because HNCP would run up to the ethernet/zigbee boundary, but not beyond it.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
Re: [homenet] HNCP security?
Markus Stenberg <markus.stenb...@iki.fi> wrote:
markus> What the draft does not cover is what is the assumption about security of protocols within it. If HNCP is run only over either physically or cryptographically secured link layer, there are no real extra requirements for HNCP.
markus>
markus> So, question time:
markus> 1) Can we assume secure L2 and/or appropriate device configuration by the manufacturer/ISP(/user)? (This is what I can assume in my own home.)

I think that we can assume that wired links are secure. The only time we care if wireless is secured is when we want to form an adjacency over the wireless link. I think it is acceptable to refuse to form an adjacency over an unsecured wireless link.

I think it is acceptable to do some kind of TOFU (using IPsec with IKEv2 even) point to point across wired links, and having done that, if there is an adjacency later possible between those two devices over what would otherwise be an insecure link, that the previously exchanged keys work. That means one can plug two routers together with a cable, and then separate them, knowing that the two routers will remain entangled (I'm making allusions to http://en.m.wikipedia.org/wiki/Quantum_entanglement).

I further suggest that if two routers have wireless that they might well have a WPA2/PSK available to them, and that they can and SHOULD use something derived from that key to authenticate each other. Could be over IKEv2, yes.

markus> 2) If not, should the solution be some sort of pre-shared key scheme? (If not, please explain your alternative solution.)

If we assume the above key, we could use it to derive a pre-shared key for a multicast IPsec SA using AH. Can we assume, declare, that if you don't know the key, that you skip the AH header, and process the HNCP that is inside as if it wasn't secured at all? We wanted to do that for SEND, but there were IPsec implementations that could do that, because we overspecified AH back in 2401.

Given that home routers are purpose built boxes, and not generic random hosts, perhaps we can specify this behaviour.

markus> 2.1) And if so, should it be manually keyed IPsec (multicast prevents e.g. IKE)? (This is what is in the draft currently.)

Yes, if we can make this AH assumption of skipping, so that we can get TOFU to work.

markus> 2.2) Or should we roll our own in-HNCP scheme?

No.

I realize that there is an issue with cable modems and FTTH systems such that the ISP boundary can be hard to recognize. I propose that HNCP use scope-5 multicast, and that we try to convince the Broadband Forum that its cable modems should drop scope-5 multicast, if they see it. Further, we have the heuristic that if we saw DHCPv6-PD on that interface, it might be an ISP. (If we also saw DHCPv6-PD, and we saw authenticated HNCP, then it is internal.)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
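A simplified model of the scheme sketched in the message above (a link key derived from the WPA2 PSK, an AH-like keyed authentication header over HNCP messages that a receiver without the key skips, the scope-5 multicast check, and the DHCPv6-PD heuristic). This is an added example, not code from the thread or from any HNCP implementation; the HMAC header stands in for real IPsec AH, and the HKDF label string, sample PSK and payload are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

HNCP_SCOPE = 5  # site-local multicast (ff05::/16), as proposed in the thread


def derive_link_key(wpa2_psk: bytes, ssid: str) -> bytes:
    """HKDF-SHA256 (RFC 5869) over the WPA2 PSK: extract with the SSID as
    salt, then expand under a constructed label so this key is distinct from
    anything Wi-Fi itself derives from the same PSK."""
    prk = hmac.new(ssid.encode(), wpa2_psk, hashlib.sha256).digest()
    return hmac.new(prk, b"hncp-link-auth\x01", hashlib.sha256).digest()


def protect(key: bytes, payload: bytes) -> bytes:
    """Prepend an AH-like header: 2-byte ICV length, then an HMAC-SHA256 ICV."""
    icv = hmac.new(key, payload, hashlib.sha256).digest()
    return struct.pack("!H", len(icv)) + icv + payload


def receive(msg: bytes, key: Optional[bytes]) -> Tuple[str, Optional[bytes]]:
    """'authenticated' when the ICV verifies; 'unauthenticated' when no key is
    known and the header is skipped (the thread's proposed behaviour);
    'rejected' when a key is known but the ICV does not match."""
    (icv_len,) = struct.unpack("!H", msg[:2])
    icv, payload = msg[2:2 + icv_len], msg[2 + icv_len:]
    if key is None:
        return "unauthenticated", payload
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if hmac.compare_digest(icv, expected):
        return "authenticated", payload
    return "rejected", None


def is_hncp_scope(dst: str) -> bool:
    """True only for multicast destinations whose scope nibble is 5."""
    addr = ipaddress.IPv6Address(dst)
    return addr.is_multicast and (addr.packed[1] & 0x0F) == HNCP_SCOPE


def classify_interface(saw_dhcpv6_pd: bool, saw_auth_hncp: bool) -> str:
    """Thread's heuristic: DHCPv6-PD seen on an interface suggests an ISP
    side, unless authenticated HNCP was also seen on it."""
    if saw_dhcpv6_pd and not saw_auth_hncp:
        return "maybe-isp"
    return "internal"
```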
Re: [homenet] HNCP security?
On 16 Sep 2014, at 14:52, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> I think that we can assume that wired links are secure. The only time we care if wireless is secured is when we want to form an adjacency over the wireless link. I think it is acceptable to refuse to form an adjacency over an unsecured wireless link.

A little side story...

I have an old house with quite thick walls. Standard 802.11 doesn't reach all rooms. Not that long ago I bought a pair of Netgear powerline Ethernet adaptors to extend coverage between rooms. I'd used an older version before, and it worked well, giving more throughput than the wireless and with the extended range.

The interesting thing was that soon after plugging them in I noticed I'd lost connectivity on a laptop, and my desktop was behaving oddly. I looked at the network config to remind myself of the IP address of my default ADSL router. I used a browser to connect to the default router by IP to check its configuration. And got quite a surprise as it was a Sky router - a surprise as I'm not a customer of theirs!

To cut a long story short, my powerline adaptors had formed a single network with powerline adaptors in a neighbour's house. At which point my devices were getting responses from two DHCP servers, and some were routing out via the neighbour's router. And that included some of my wireless devices - no point having WPA2 to protect against unwanted 'guests' if they can come in a power line Ethernet back door :)

Now, what I should have done, but it's easy to get distracted and forget(!), was use the magic 'auto configure a shared secret' button on each of my adaptors to avoid them merging with my neighbour's devices, or manually configure shared secrets (yuk). But clearly neither of us had done that.

The interesting thing was I could see the neighbour's SSID from their Sky router splash screen, but having walked around the nearest streets, I couldn't find it. I wonder how far away that house was...

There are obviously some interesting implications of this. One is that there are insecure wired links too!

Tim
Re: [homenet] HNCP security?
On Sep 16, 2014, at 1:29 PM, Tim Chown <t...@ecs.soton.ac.uk> wrote:
> There are obviously some interesting implications of this. One is that there are insecure wired links too!

That's a good point. And I wonder about malware on end systems as well.

Mark