Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS)

Ted Lemon <> Wed, 18 November 2015 15:46 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AC1DE1B384A; Wed, 18 Nov 2015 07:46:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.487
X-Spam-Status: No, score=-2.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.585, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xqBzou3S1lc5; Wed, 18 Nov 2015 07:46:32 -0800 (PST)
Received: from ( [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by (Postfix) with ESMTP id 2A67F1B3845; Wed, 18 Nov 2015 07:46:31 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14478615880470.2060809030663222"
From: Ted Lemon <>
In-Reply-To: <>
References: <> <>
Date: Wed, 18 Nov 2015 15:46:28 +0000
Message-Id: <>
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Homenet WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 18 Nov 2015 15:46:33 -0000

Wednesday, Nov 18, 2015 9:20 AM Steven Barth wrote:
> The basic idea behind the SHOULD is that there may be cases where either
> physical security of links (e.g. cables) can be ensured or link-layer
> security such as WPA for WiFi is present. In these cases (e.g. some sort
> homenet wifi repeater) the DTLS would be redundant.

WPA2, at least in PSK mode, does not provide confidentiality from attackers who have the PSK.   WPA isn't even as good as WPA2.   I think relying on this level of security makes sense if we have no alternative, but in no other case.

>   On links where this is not practical and lower layers do not provide
>   adequate protection from attackers, DNCP secure mode MUST be used to
>   secure traffic.
> which should ensure that devices MUST use HNCP security over both
> physically and link-layer-wise unsecured links. I guess this could be
> reflected in the DNCP profile section as well if that makes it more clear.

So doesn't that make DTLS MTI already?   If so, maybe we should just say so explicitly.

Sent from Whiteout Mail -

My PGP key: