Re: [homenet] [DNSOP] Fwd: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
Michael Thomas <mike@mtcc.com> Tue, 22 October 2013 19:29 UTC
Message-ID: <5266D1F8.1050609@mtcc.com>
Date: Tue, 22 Oct 2013 12:28:56 -0700
From: Michael Thomas <mike@mtcc.com>
To: Ted Lemon <mellon@fugue.com>
References: <20131021071220.8650.43280.idtracker@ietfa.amsl.com> <CADZyTknNZD_L8Jr1zndAH7_Ckd7Ga-d=y1twF4KT9=NONXzjpA@mail.gmail.com> <alpine.LFD.2.10.1310211341050.24547@bofh.nohats.ca> <CADZyTkmRZwdYrMo93SKOd5KNBp0pX3w1SGXfrX0KgtNc0X0jtQ@mail.gmail.com> <60D5957C-C482-49DB-864F-0623602D3151@fugue.com> <526699F3.20908@mtcc.com> <4254A47D-520F-4C3E-B26B-0FC15E61154A@fugue.com> <5266B09F.9020208@mtcc.com> <F17B8071-A345-4A78-A43F-CBB22E157558@fugue.com>
In-Reply-To: <F17B8071-A345-4A78-A43F-CBB22E157558@fugue.com>
Cc: homenet@ietf.org
Subject: Re: [homenet] [DNSOP] Fwd: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
On 10/22/13 10:22 AM, Ted Lemon wrote:
> On Oct 22, 2013, at 1:06 PM, Michael Thomas <mike@mtcc.com> wrote:
>> At least there is a security model on my home network, such as it is: wired needs physical
>> access, wireless needs a password. For roaming, wireless is a closer model. So at least we
>> have shared credentials.
> You have shared credentials with the wrong thing. They don't serve to authenticate a DHCP packet you receive on the WiFi. Furthermore, since they are shared, it makes no sense to use them to authenticate the server—everybody on the network by definition knows the password, so anybody can prove that they have it. Passwords of this sort strictly function to prevent unauthorized access to the network—they can't be used for anything else.
>
> I suppose we could mandate WPA2 enterprise on the homenet, but we still don't have a way to use that to secure the DHCP transaction.
>

I didn't say anything about DHCP; I was purposefully vague about what a configuration/whatever protocol ought to be. I was only pointing out that there already exists a shared credential between my phone, say, and my home router, say. And you could use the initial contact with the holder of a shared secret (e.g. router) to bootstrap a 1:1 key (Diffie-Hellman is probably our friend). So you have an initial leap of faith, but beyond that you're enrolled. No AAA required.

Mike
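The bootstrap Mike sketches above (the shared WiFi credential only gates access to the link; on first contact the phone and router run a Diffie-Hellman exchange to derive a 1:1 key; the leap of faith is taken once, after which the phone is enrolled and later configuration messages can be authenticated) as an added worked example. This is not code from the thread, from the draft under discussion, or from any homenet implementation. Assumptions made here: X25519 (RFC 7748) stands in for classic finite-field DH and is written out in pure Python so the block runs offline; HMAC-SHA256 does the key derivation and message authentication; the `Phone`/`Router` classes, the network label `"home"`, the pairing label string and the sample resolver payload are all constructed for the demo.

```python
"""Trust-on-first-use pairing sketch: one X25519 exchange on first contact,
then HMAC-authenticated configuration messages under the derived pairwise key.
Added illustration, not code from the mailing-list thread or the draft."""
import hashlib
import hmac
import os

# X25519 (RFC 7748) in pure Python, for illustration only: the conditional
# swap below is not constant-time, so real deployments use a vetted library.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64                      # clamp the private scalar
    k = int.from_bytes(k, "little")
    uu = bytearray(u)
    uu[31] &= 127                    # ignore the unused top bit of u
    x1 = int.from_bytes(uu, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):     # Montgomery ladder over the 255 scalar bits
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    out = x2 * pow(z2, P - 2, P) % P
    if out == 0:                     # low-order peer point: reject (RFC 7748 section 6.1)
        raise ValueError("non-contributory shared secret")
    return out.to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def pairwise_key(shared: bytes, router_pub: bytes, phone_pub: bytes) -> bytes:
    """HMAC extract-then-expand of the DH secret, bound to both public keys.
    The label "homenet-pairing-v0" is a constructed placeholder."""
    prk = hmac.new(b"homenet-pairing-v0", shared, hashlib.sha256).digest()
    return hmac.new(prk, router_pub + phone_pub + b"\x01", hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Router:
    def __init__(self):
        self.priv, self.pub = keypair()
        self.peers = {}                      # phone public key -> pairwise key

    def enroll(self, phone_pub: bytes) -> bytes:
        """First contact: derive the 1:1 key and answer with our public key."""
        self.peers[phone_pub] = pairwise_key(x25519(self.priv, phone_pub), self.pub, phone_pub)
        return self.pub

    def send_config(self, phone_pub: bytes, payload: bytes):
        return payload, mac(self.peers[phone_pub], payload)


class Phone:
    def __init__(self):
        self.priv, self.pub = keypair()
        self.pinned = {}                     # network name -> router public key seen first
        self.keys = {}                       # network name -> pairwise key

    def contact(self, network: str, router_pub: bytes) -> str:
        """Pin on first sight (the leap of faith); afterwards the pin must match."""
        known = self.pinned.get(network)
        if known is None:
            self.pinned[network] = router_pub
        elif known != router_pub:
            return "pin-mismatch"            # a different key now claims to be this router
        self.keys[network] = pairwise_key(x25519(self.priv, router_pub), router_pub, self.pub)
        return "enrolled" if known is None else "known"

    def accept_config(self, network: str, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(mac(self.keys[network], payload), tag)


def demo() -> dict:
    phone, router, other = Phone(), Router(), Router()
    first = phone.contact("home", router.enroll(phone.pub))
    payload, tag = router.send_config(phone.pub, b"dns-resolver=2001:db8::53")  # constructed payload
    genuine = phone.accept_config("home", payload, tag)
    # A second router key appearing under the same network name is a detection event,
    # and a message under that key does not verify against the enrolled pairwise key.
    later = phone.contact("home", other.enroll(phone.pub))
    foreign = phone.accept_config("home", payload, other.send_config(phone.pub, payload)[1])
    return {"first": first, "genuine": genuine, "later": later, "foreign": foreign}


if __name__ == "__main__":
    print(demo())
```

The shape matches Mike's description rather than Ted's objection: the very first contact is unauthenticated (nothing in the shared WiFi password binds it to a particular router), which is exactly the window the "leap of faith" concedes. Everything after it is pairwise: the phone keeps the first router key it saw for that network and treats any later change as a pin mismatch to surface to the user, and configuration it accepts must carry a MAC under the key derived in that exchange, so possession of the WiFi password alone is no longer enough to have a configuration message accepted.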