Re: [babel] What's up with HNCP security?
Juliusz Chroboczek <jch@irif.fr> Mon, 29 May 2017 09:15 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A7D01200C1; Mon, 29 May 2017 02:15:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GhOkXYIf1fkJ; Mon, 29 May 2017 02:15:05 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D6F0126557; Mon, 29 May 2017 02:15:04 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/56228) with ESMTP id v4T9F2RF002215; Mon, 29 May 2017 11:15:02 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 5BEEAEB2C1; Mon, 29 May 2017 11:15:02 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id ckJfL7l8F8_Q; Mon, 29 May 2017 11:15:01 +0200 (CEST)
Received: from trurl.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 22BB6EB2CD; Mon, 29 May 2017 11:15:00 +0200 (CEST)
Date: Mon, 29 May 2017 11:15:00 +0200
Message-ID: <877f10owh7.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Markus Stenberg <markus.stenberg@iki.fi>
Cc: Ted Lemon <mellon@fugue.com>, homenet-babel-sec@ietf.org, babel@ietf.org
In-Reply-To: <EC469E5B-4E9A-4A6F-818F-EA52E654DE4C@iki.fi>
References: <87d1ask7d9.wl-jch@irif.fr> <B67775FF-31CB-42F6-ABDF-BD47BEA1DB56@iki.fi> <1F8BA8E0-7518-4288-B679-749906B1B19F@fugue.com> <87shjoihnz.wl-jch@irif.fr> <416AD4BB-7A24-41D4-9C91-96B23BE65EF3@fugue.com> <EC469E5B-4E9A-4A6F-818F-EA52E654DE4C@iki.fi>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Mon, 29 May 2017 11:15:02 +0200 (CEST)
X-Miltered: at korolev with ID 592BE696.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 592BE696.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 592BE696.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/RoP3nzUG9CU9-2SOi7SmEOt6iZk>
Subject: Re: [babel] What's up with HNCP security?
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 May 2017 09:15:07 -0000
>>>> Network wide keys are useless. >>> Depends on the size of the network, I guess. >> Yes. For networks with only two hosts, network-wide keys are adequate... > My _home_ network has plenty of network-wide shared keys (e.g. SSID > PSKs) and I do not consider them useless; while they are low barrier to > entry, I am not aware of any good alternatives that most of my devices > would support Yes, I too am somewhat puzzled by Ted's very strong stance about avoding shared keys, and cannot but wonder if it reflects WG consensus. However, it is my (perhaps mistaken) understanding that Stenberg-Schinazi security gives us asymmetric keying basically for free, as far as additions to the Babel protocol are concerned, so I suggest waiting for Ted's prototype before deciding whether the added complexity is acceptable. > (and SSID per device is not realistic). Now don't you tempt me. (Increase the beaconing interval, hack the wifi firmware to store more keys, use a master SSID with a cool protocol to securely negotiate keys with individual devices... and watch bitterly as nobody adopts your protocol.) -- Juliusz
- [babel] What's up with HNCP security? Juliusz Chroboczek
- Re: [babel] What's up with HNCP security? Markus Stenberg
- Re: [babel] What's up with HNCP security? Juliusz Chroboczek
- Re: [babel] What's up with HNCP security? Ted Lemon
- Re: [babel] What's up with HNCP security? Ted Lemon
- Re: [babel] What's up with HNCP security? Juliusz Chroboczek
- Re: [babel] What's up with HNCP security? Ted Lemon
- Re: [babel] What's up with HNCP security? Markus Stenberg
- Re: [babel] What's up with HNCP security? Juliusz Chroboczek
- Re: [babel] What's up with HNCP security? Toke Høiland-Jørgensen
- Re: [babel] What's up with HNCP security? Ted Lemon
- Re: [babel] What's up with HNCP security? Juliusz Chroboczek