Re: [homenet] Stephen Farrell's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS and COMMENT)

Markus Stenberg <> Fri, 20 November 2015 15:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0A42E1B2A4F; Fri, 20 Nov 2015 07:35:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.821
X-Spam-Status: No, score=-1.821 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_NEUTRAL=0.779] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mErQOzqqSYFJ; Fri, 20 Nov 2015 07:35:32 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 318D11B2A53; Fri, 20 Nov 2015 07:35:30 -0800 (PST)
Received: from poro.lan ( by ( (authenticated as stenma-47) id 5613C7B1013C0C60; Fri, 20 Nov 2015 17:33:48 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Markus Stenberg <>
In-Reply-To: <>
Date: Fri, 20 Nov 2015 17:35:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Stephen Farrell <>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <>
Cc:,, Mark Townsley <>, The IESG <>,
Subject: Re: [homenet] Stephen Farrell's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Homenet WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Nov 2015 15:35:35 -0000

<snipping resolved parts/earlier comments>

On 20.11.2015, at 17.13, Stephen Farrell <> wrote:
> Hmm. I've also setup many small PKIs and don't agree. I do
> think someone could easily make all that quite usable within
> the home. I agree that that hasn't happened to date though.
> (Maybe being a co-author of rfc5280 I probably find all that
> PKI nonsense easier to deal with than most developers;-)

Chuckle, I was exaggerating slightly too, but e.g. for my retired mother to deal with (even one set up by me) CA seems rather .. challenging. And that’s the level of configuration skill this solution should work with, if it is to be useful.

> Summary: I think when using DTLS for this, support for PSK ought
> be a MUST, PKI could be MUST or SHOULD and the consensus thing
> probably has to remain as a MAY, since we've not got evidence
> that it’d work well enough (yet).

Very well. I swapped the SHOULD/MAY([1]), as I do not consider having two MUSTs really good, and as PKI stuff really is relatively large, I prefer having the minimal guaranteed interoperable implementation be small.

>> It essentially broadens a number of on-link attacks to network-wide
>> ones. Notably you can redirect arbitrary traffic wherever you want
>> (without HNCP, you do RA/DHCPv4 faster than router on the link ->
>> MITM), and DoS of the network instead of on-link nodes.
> The above may be worthwhile to add to the security considerations.
> No harm to remind folks of such things.

All except traffic redirection were already in 12.2. subsection actually. Added traffic redirection there in [1] (it is not intrisic property of HNCP, but given HNCP carries routing protocol keys and/or it is unsecured, ..)