Re: [homenet] HNCP security?

[Michael Richardson]

Markus Stenberg markus.stenb...@iki.fi wrote:
markus 1) Can we assume secure L2 and/or appropriate device
markus configuration by the manufacturer/ISP(/user)? (This is what I can
markus assume in my own home.)

 I think that we can assume that wired links are secure.
 The only time we care if wireless is secured is when we want to form an
 adjacency over the wireless link.   I think it is acceptable to refuse
 to form an adjancency over an insecured wireless link.

 This can also be automated (for first-hop wireless). However, in the
 ‘what-if’ land, wired - wireless bridges, and wireless - wireless
 extenders that do things insecurely cannot be detected.

Yes, I agree.
Let me restate that I think we can securely to do TOFU across the wired
link.  If that link turns into something less secure, then that's okay.

 I think it is acceptable to do some kind of TOFU (using IPsec with IKEv2
 even)  point to point across wired links, and having done that, if there
 is an adjancy later possible between those two devices over what would
 otherwise be an insecure link,  that the previously exchanged keys work.
 That means one can plug two routers together with a cable, and then
 separate them, knowning that the two routers will remain entangled
 (I’m making allusions to 
http://en.m.wikipedia.org/wiki/Quantum_entanglement)

 I assume you mean:

 - On wired links: opportunistic IKEv2 attempt, fallback to non-IPsec
 (if no IPsec available? if no key?), and update the SPD dynamically
 based on successful IKEv2 attempts.

 - On the wireless (all? only insecure?): force IPsec using the known
 good SPD entries.

 That is interesting scheme. Implementation-wise, it sounds somewhat 
painful though.

yes, I agree that it's probably difficult with the available implementation of 
openwrt
IKEv2 daemons...  I don't think it's architecturally that hard.

 I  further suggest that if two routers have wireless that they might well
 have a WPA2/PSK available to them, and that they can and SHOULD use 
something
 derived from that key to authenticate each other.  Could be over IKEv2, 
yes.

 I _think_ we have to assume some passwords somewhere.

 - WPA2 PSK on almost all home routers by default (most home network
 access these days is wireless)

yes, agree.  And if they have multiple routers, they likely have the same 
WPA2-PSK.

 - admin password (for those user actually has access to, and are not
 part of some super-fancy PKI scheme for authenticating administrator)

I'm less thrilled about using the admin password.  They have less likely hood
of being changed, and ideally, they are encrypted/hashed in a way that the
raw password can't be seen.

markus 2) If not, should the solution be some sort of pre-shared key
markus scheme? (If not, please explain your alternative solution.)

 If we assume the abovekey, we could use it to derive a pre-shared key 
for a
 multicast IPsec SA using AH.  Can we assume, declare, that if you don't 
know
 the key, that you skip the AH header, and process the HNCP that is 
inside as
 if it wasn't secured at all?  We wanted to do that for SEND, but there 
were
 IPsec implementations that could do that, because we overspecified AH 
back in
 2401.  Given that home routers are purpose built boxes, and not generic
 random hosts, perhaps we can specify this behaviour.

 Hmm. I wonder if that assumption would work bidirectionally,
 though. That is, the not-key-knowing router sending plaintext traffic,
 and the others using the information? If so, what is the value of
 having the (optional) authentication at all?

 If assumption is not bidirectional, then the distributed algorithms
 would not work very well over such protocol - unless the
 unauthenticated messages were just used for bootstrapping the trust
 somehow, but it is not clear to me how that would happen either. Of
 course, they could be used to show user some error (if the router
 actually had UI of some kind) but not much else that I can see.

That's what I would suggest: unauthenticated messages are to bootstrap trust.
Possibly that involves an item on a web page saying, Router XYZ wants to
join Stenberg House, permit Y/N, perhaps can flash attention LED on front.

That would only be used if the network had been set to paranoid secure,
and/or if the wired-TOFU didn't work.

markus 2.1) And if so, should it be manually keyed IPsec (multicast
markus prevents e.g. IKE)? (This is what is in the draft currently.)

 Yes, if we can make this AH assumption of skipping, so that we can get 
TOFU
 to work.

 If we assume some psk on all routers, we can probably bootstrap
 ’something’ without TOFU too?

I agree; but I think that TOFU would be useful here, particularly if the
router isn't wireless capable.  Maybe it is a bridge to 

Re: [homenet] HNCP security?

[Michael Richardson]

Steven Barth cy...@openwrt.org wrote:
 And it's extremely unlikely that
 DTLS will be a one-sentence solution even if it gets adopted because
 DTLS, IPsec, etc say nothing
 about enrollment and authorization. Those are by far the hard problems 
with
 homenent security.

 I wouldn't really want to lock HNCP to any trust scheme at this point 
where
 we are not even sure what we want. I'd rather choose the underlying
 mechanism, either DTLS or IPsec/IKE and leave the rest out-of-scope. Maybe
 mention PSK-usage as baseline option and say various other 
certificate-based
 approached are possible but out-of-scope of the HNCP draft itself.

With respect,  if you leave the trust scheme out of scope, what you are
really doing is leaving all of the security out of scope, because it won't be
deployable.

--
Michael Richardson mcr+i...@sandelman.ca, Sandelman Software Works
 -= IPv6 IoT consulting =-





pgpf_Imlo3UTo.pgp
Description: PGP signature
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Ted Lemon]

On Sep 23, 2014, at 1:23 PM, Michael Richardson mcr+i...@sandelman.ca wrote:
 With respect,  if you leave the trust scheme out of scope, what you are
 really doing is leaving all of the security out of scope, because it won't be
 deployable.

+1

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Michael Richardson]

Randy Turner rtur...@amalfisystems.com wrote:
 Are we assuming that the home router is purchased retail, and not
 fulfilled or provided by an ISP? The method to establish trust
 relationships would hinge on the answer

1) if there only one home router from the ISP, then there is no problem.
2) ISP-provided router has to be willing to trust retail purchased router,
   or nothing works.
3) ISP-A-provided router has to be willing to trust ISP-fullfilled router
   from ISP-B-provided router.

If you have secrets (including WPA-PSK keys) that are on your ISP-fullfilled
router, that you want to keep secret from your ISP, then you lost.
If you don't trust your ISP, then you can't use your ISP provided router.

So the answer does *not* hinge on the answer.
It has to work, and I think we can make it work.

--
Michael Richardson mcr+i...@sandelman.ca, Sandelman Software Works
 -= IPv6 IoT consulting =-





pgpxs_cjQQrXo.pgp
Description: PGP signature
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Michael Thomas]

On 9/23/14, 10:59 AM, Michael Richardson wrote:

2) ISP-provided router has to be willing to trust retail purchased router,
or nothing works.



So what about the other way around? To what degrees should my homenet trust
ISP-maintained CPE?

Or more succinctly, what are the things the ISP and Retail CPE need to 
collaborate on
and what are the things they need to take an adversarial stance on? 
Neither me, nor

my ISP are similarly motivated, after all.

Mike

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Michael Richardson]

Michael Thomas m...@mtcc.com wrote:
 2) ISP-provided router has to be willing to trust retail purchased 
router,
 or nothing works.

 So what about the other way around? To what degrees should my homenet 
trust
 ISP-maintained CPE?

That's up to you.  Seriously.
Your ISP-maintained CPE totally p0wns your network.  If you don't trust them,
even just a little bit, then you can't use their equipment.

--
Michael Richardson mcr+i...@sandelman.ca, Sandelman Software Works
 -= IPv6 IoT consulting =-





pgpH9HSCmZ7vR.pgp
Description: PGP signature
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] Working Group draft adoptions

[Michael Richardson]

Late, but:

I have read draft-pfister-homenet-prefix-assignment.  Adopt it.
I thought I read it before, but maybe not.  It all seems familiar, but what's
with all the IPv4 stuff?  I guess we are doing an IPv4 thing, because we can,
and it's useful to be able to turn off detect that have multiple potential
DHCPv4 servers, and turn them off if we can.

I think that we should remove:
  If the delegated prefix is too small
  given the size of the network, prefixes of arbitrary lengths may
  be used.

and stick to 64-bit for all the why-64 reasons.  Let's not talk about any
other options.This document also seems to interoperate with (CableLabs)
HIP.

draft-mglt-homenet-front-end-naming-delegation
draft-mglt-homenet-naming-architecture-dhc-options

I have read previous versions of these documents, and upon looking again, I
see lots of shiny new text, and I like it all.   While there are many people
who are very scared of having home devices in DNS, and many are worried that
they will be forced somehow to do so, I don't think any such comments matter.
This is, like almost all protocols the IETF creates, optional to enable.
Please adopt these documents.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Douglas Otis]

On Sep 23, 2014, at 3:39 PM, Michael Thomas m...@mtcc.com wrote:

 
 On 9/23/14, 1:07 PM, Michael Richardson wrote:
 Michael Thomas m...@mtcc.com wrote:
  2) ISP-provided router has to be willing to trust retail purchased 
 router,
  or nothing works.
 
  So what about the other way around? To what degrees should my homenet 
 trust
  ISP-maintained CPE?
 
 That's up to you.  Seriously.
 Your ISP-maintained CPE totally p0wns your network.  If you don't trust them,
 even just a little bit, then you can't use their equipment.
 
 
 
 And there's nothing we can do about that, even if we define a boundary
 such that they are outside it?
 
 Do they *have* to participate in the IGP in order for homenet routing to work?
 
 I'm no expert here, but it seems to me that the normal first hop ISP router 
 doesn't
 have these characteristics of p0nwage for in-home traffic?

Dear Michael,

Actually, it is better to assume there is a long list of vulnerable home 
routers being p0wned by entities beyond their ISP.   Leaving that problem aside 
and assuming this can be handled using a KISS approach, even setting up 
firewalls when their are multiple routers involved becomes somewhat problematic 
whenever overlaid networking is not being used.  After all, how can each 
router's assigned prefixes be exchanged.  How can mDNS proxy information be 
communicated?  It is important to consider many of the contained devices might 
be vulnerable to Internet access.  Not all devices are updated beyond their 
warranty period.  In some cases, this period might be a 20/20 guarantee, 20 
feet or 20 seconds, whichever comes first.  While some printers might be able 
to handle direct Internet access, most can't.  Many of these devices announce 
their routable address via mDNS, hence the need for a network overlay.  By 
using a network overlay, Trust on First Use (TOFU) is less essential although 
nice
  to have as an additional layer of protection.

Regards,
Douglas Otis
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Ted Lemon]

On Sep 23, 2014, at 7:57 PM, Douglas Otis doug.mtv...@gmail.com wrote:
 Actually, it is better to assume there is a long list of vulnerable home 
 routers being p0wned by entities beyond their ISP.

This is to some extent true, but not something we can really address in homenet.

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] HNCP security?

[Mikael Abrahamsson]

On Fri, 19 Sep 2014, Mark Townsley wrote:

My own experience attempting to use IPsec as an add-on security solution 
(a.k.a. pixie dust) for a protocol isn't all that positive. We tried 
that with L2TP, and in the process failed to kill off PPTP on windows 
clients. I can't tell you how many times over the years I've had to 
point people to the Windows Registry setting to disable IPsec with L2TP. 
OSPFv3 is another one where I get complaints about requiring IPsec. So, 
I agree with Ted; We should be wary of falling into the trap of using 
IPsec just because it is there.


As far as I can see, there are 2 ways of doing security. Either each 
protocol does its own security completely (both auth and encryption), or 
we have generic ways of doing these. The generic ways can be either a new 
protocol and method, or a method that any protocol can use, so at least 
the method is standard.


What I have seen so far, it seems most implementations are doing things 
from scratch, but with known methods, but with little code re-use?


What I would like to see is an implementation that is generic, but perhaps 
where the information is carried over a lot of different protocols, for 
instance HNCP, ND and others.


There is no security and zero configuration at the same time. It just 
doesn't work. I still think we need user intervention to set policy for 
each device. What trust do I put in this device and what role should it 
have is something the user has to answer. The result of this answer sets 
policy for the devices in relation to this new device. This has to be 
really simple and easy to use. Since a lot of people have smartphones 
nowadays, I still think that the device popping up in an App they have, 
and then configuring it there, is the best way. Perhaps in combination 
with some kind of device key fingerprint using QR codes or alike to really 
make sure this is the device you're trying to configure policy for.


So my proposal is that we make HNCP capable of using several methods, one 
is unsecure, one is secure by means of a shared secret, and then add other 
optional methods using PKI that would enable the above mentioned accept 
each device manually more secure way.


On paper it still seems IPSEC should be able to do this (I mean, isn't 
this what Microsoft does with Direct Access, ie run IPSEC and have keys 
handled by AD? From a theoretical level, it seems bad that we can't 
implement generic security and then let other protocols run on top of 
that. What is it that IPSEC is lacking? Is it the key/auth exchange that 
is lacking?


--
Mikael Abrahamssonemail: swm...@swm.pp.se

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet