Re: [homenet] Please review security considerations of draft-homenet-babel-profile

Mark Baugher <mark@mbaugher.com> Tue, 25 July 2017 22:24 UTC

From: Mark Baugher <mark@mbaugher.com>
In-Reply-To: <874lu045zs.wl-jch@irif.fr>
Date: Tue, 25 Jul 2017 15:23:55 -0700
Cc: homenet@ietf.org
Message-Id: <2EB62874-CC8D-4E41-80A1-1EA3978912F2@mbaugher.com>
References: <874lu045zs.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/K_q7Ou6xK8tCxkRMSTMLB3HyLi8>

> On Jul 25, 2017, at 1:27 PM, Juliusz Chroboczek <jch@irif.fr> wrote:
> 
> Dear all,
> 
> All security wizards are kindly requested to carefully read and if
> necessary criticise the following section:
> 
>  https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-02#section-4

Based on this paragraph...

   "If untrusted links are used for transit, which is NOT RECOMMENDED,
   and therefore need to carry HNCP and Babel traffic, then HNCP and
   Babel MUST be secured using an upper-layer security protocol.  While
   both HNCP and Babel support cryptographic authentication, at the time
   of writing no protocol for autonomous configuration of HNCP and Babel
   security has been defined."

...one might recommend starting with "an upper-layer security protocol"
such as CMS, COSE, JOSE or some other layer-3 encapsulation.

Mark

> 
> Nasty comments on list, please, compliments by private mail ;-)
> 
> Thanks,
> 
> -- Juliusz
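To make the suggestion above concrete, here is an added example (not part of the thread, the draft, or any Babel/HNCP implementation) of what wrapping a Babel datagram in one of the named upper-layer protocols looks like: a COSE_Mac0 message (RFC 8152, section 6.2) authenticated with HMAC-SHA-256 (COSE algorithm value 5). It assumes no CBOR library is available, so it carries a minimal encoder/decoder covering only the types COSE_Mac0 needs; the key `PSK` and the Babel-like payload `BABEL_DATAGRAM` are constructed stand-ins. The key is a pre-shared value supplied by configuration, which is exactly the gap the draft text points at: the wrapper protects the packets once both routers hold the key, but says nothing about how they come to hold it.

```python
"""COSE_Mac0 over a Babel datagram: added illustration, not project code.

Mac_structure (RFC 8152 s6.3) = ["MAC0", body_protected, external_aad, payload]
COSE_Mac0     (RFC 8152 s6.2) = [protected, unprotected, payload, tag]
"""
import hashlib
import hmac
import struct

COSE_ALG_LABEL = 1        # "alg" header parameter label (RFC 8152 Table 2)
COSE_HMAC_256_256 = 5     # HMAC w/ SHA-256, 256-bit tag (RFC 8152 Table 7)


def _cbor_head(major, n):
    """Initial byte(s) for a CBOR item of the given major type and argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    raise ValueError("argument too large for this minimal encoder")


def cbor_encode(obj):
    """Encode ints, bytes, str, list and dict (all that COSE_Mac0 needs)."""
    if isinstance(obj, bool):
        raise TypeError("bool not supported by this minimal encoder")
    if isinstance(obj, int):
        return _cbor_head(1, -1 - obj) if obj < 0 else _cbor_head(0, obj)
    if isinstance(obj, bytes):
        return _cbor_head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _cbor_head(3, len(raw)) + raw
    if isinstance(obj, list):
        return _cbor_head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _cbor_head(5, len(obj)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError("unsupported type %r" % type(obj))


def _cbor_decode(data, i=0):
    """Decode one item starting at offset i; returns (value, next_offset)."""
    major, info = data[i] >> 5, data[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info == 24:
        n, i = data[i], i + 1
    elif info == 25:
        n, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
    elif info == 26:
        n, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
    else:
        raise ValueError("unsupported additional info")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major in (2, 3):
        chunk = data[i:i + n]
        if len(chunk) != n:
            raise ValueError("truncated string")
        return (chunk if major == 2 else chunk.decode("utf-8")), i + n
    if major == 4:
        items = []
        for _ in range(n):
            v, i = _cbor_decode(data, i)
            items.append(v)
        return items, i
    if major == 5:
        d = {}
        for _ in range(n):
            k, i = _cbor_decode(data, i)
            v, i = _cbor_decode(data, i)
            d[k] = v
        return d, i
    raise ValueError("unsupported major type")


def mac_structure(protected, external_aad, payload):
    """ToBeMaced bytes, exactly as RFC 8152 s6.3 defines them."""
    return cbor_encode(["MAC0", protected, external_aad, payload])


def cose_mac0_protect(key, payload, external_aad=b""):
    """Wrap payload in a COSE_Mac0 message authenticated under key."""
    protected = cbor_encode({COSE_ALG_LABEL: COSE_HMAC_256_256})
    tag = hmac.new(key, mac_structure(protected, external_aad, payload),
                   hashlib.sha256).digest()
    return cbor_encode([protected, {}, payload, tag])


def cose_mac0_verify(key, message, external_aad=b""):
    """Return the payload if the tag verifies, else None (never raise)."""
    try:
        parts, end = _cbor_decode(message, 0)
        if end != len(message) or not isinstance(parts, list) or len(parts) != 4:
            return None
        protected, _unprotected, payload, tag = parts
        if not all(isinstance(x, bytes) for x in (protected, payload, tag)):
            return None
        hdr, _ = _cbor_decode(protected, 0)
        if hdr.get(COSE_ALG_LABEL) != COSE_HMAC_256_256:
            return None   # refuse anything but the one algorithm we expect
        expected = hmac.new(key, mac_structure(protected, external_aad, payload),
                            hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, tag) else None
    except (ValueError, IndexError, struct.error, UnicodeDecodeError, AttributeError):
        return None


# Constructed stand-ins: a 32-byte pre-shared key from configuration, and a
# minimal Babel-style header (magic 42, version 2, zero body length).
PSK = b"constructed-psk-not-a-real-key!!"
BABEL_DATAGRAM = b"\x2a\x02\x00\x00"

if __name__ == "__main__":
    wire = cose_mac0_protect(PSK, BABEL_DATAGRAM)
    print("wire:", wire.hex())
    print("verify ok:", cose_mac0_verify(PSK, wire) == BABEL_DATAGRAM)
    print("wrong key rejected:", cose_mac0_verify(b"x" * 32, wire) is None)
```

The wrapper authenticates origin and integrity of each datagram under the shared key; it does not by itself give freshness, so a deployment would still need a sequence number or nonce in the payload or external AAD to reject replayed packets. The verifier pins the algorithm to the single expected value rather than trusting whatever the protected header claims, and returns None on any malformed input instead of raising.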