Re: [homenet] Securing HNCP - comments?
Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr> Mon, 30 June 2014 10:53 UTC
Return-Path: <jch@pps.univ-paris-diderot.fr>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02491A01F4 for <homenet@ietfa.amsl.com>; Mon, 30 Jun 2014 03:53:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.15
X-Spam-Level: *
X-Spam-Status: No, score=1.15 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_FR=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOUx4dYRLcNd for <homenet@ietfa.amsl.com>; Mon, 30 Jun 2014 03:53:27 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0909D1A01F9 for <homenet@ietf.org>; Mon, 30 Jun 2014 03:53:26 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/46573) with ESMTP id s5UArOwi026990; Mon, 30 Jun 2014 12:53:24 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id D42DA2BEF25; Mon, 30 Jun 2014 12:53:24 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id g2NklzSYMYVv; Mon, 30 Jun 2014 12:53:23 +0200 (CEST)
Received: from ijon.pps.univ-paris-diderot.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 030592BEF2D; Mon, 30 Jun 2014 12:53:21 +0200 (CEST)
Date: Mon, 30 Jun 2014 12:53:22 +0200
Message-ID: <87egy6brdp.wl%jch@pps.univ-paris-diderot.fr>
From: Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr>
To: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <6EF005E6-2DD6-4B64-904A-2D8F9F2150BC@iki.fi>
References: <54D995D5-6DC9-4AF6-98F9-42A6DC351CA5@iki.fi> <53AE7209.7080408@globis.net> <6EF005E6-2DD6-4B64-904A-2D8F9F2150BC@iki.fi>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Mon, 30 Jun 2014 12:53:25 +0200 (CEST)
X-Miltered: at korolev with ID 53B141A4.002 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 53B141A4.002 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@pps.univ-paris-diderot.fr>
X-j-chkmail-Score: MSGID : 53B141A4.002 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/0Q9L2Gp288XHTPyq21fydDXC69s
Cc: "homenet@ietf.org Group" <homenet@ietf.org>
Subject: Re: [homenet] Securing HNCP - comments?
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jun 2014 10:53:28 -0000
>> Powerline Ethernet devices have built in encryption, > Same thing with WPA* too of course. So I’m very tempted to assume L2 > takes care of security.. ;) Guest networks? However, I think it is premature to define a secure variant of HNCP before we have some operational experience with the protocol. It's only after we've played with it for some time that will we get a feel for what are reasonable and unreasonable operations to perform. > just use e.g. IPsec with manual keying Vulnerable to replay if done naively. Not sure about the configuration protocol, but definitely an issue for a routing protocol -- just capture a default route announcement with a low metric, and you've won. > [S4-3] HNCP-level PSK shared among all routers. Same bootstrap issues as > [S4-2], may be able to get rid of manually keyed IPsec dependency. It appears that you are only looking at hop-to-hop security. I'm speaking off the top of my head here, so I'm probably saying something stupid. What about end-to-end solutions, where only routers with a trusted key can originate configuration information? This could perhaps be combined with a leap-of-faith model (a la ssh). > Looking at Babel, the routing protocol spec is 45 pages, and draft > specification of HMAC security scheme for it is 55 pages. Yeah, wouldn't it be nice if we had a common layer 3 security protocol? (We would make sure that it's actually usable before standardisation, of course.) -- Juliusz
- [homenet] Securing HNCP - comments? Markus Stenberg
- Re: [homenet] Securing HNCP - comments? Dave Taht
- Re: [homenet] Securing HNCP - comments? Ray Hunter
- Re: [homenet] Securing HNCP - comments? Markus Stenberg
- Re: [homenet] Securing HNCP - comments? Juliusz Chroboczek
- Re: [homenet] Securing HNCP - comments? Michael Richardson
- Re: [homenet] Securing HNCP - comments? Ray Hunter