Re: [homenet] Stephen Farrell's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS and COMMENT)

[Markus Stenberg <markus.stenberg@iki.fi>]

> On 19.11.2015, at 16.21, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> (Sorry for the N-th discuss, I quite like this protocol and
> I'm sure we'll get 'em all cleared soon, but... ;-)
> 
> I'd like to chat about whether or not the DTLS recommendations
> are correct here. To me, the consensus stuff (from section 8.3
> of dncp) is not clearly baked (as I noted in iesg review of
> dncp). The PKI stuff is well known, even if it it is a PITA from
> many points of view. I don't think a SHOULD for the former and
> a MAY for the latter is appropriate now. If the consensus based
> stuff gets deployed and works, then it might be time to say
> what you're now saying, but I don't think we're there yet. (I'd
> be happy to look @ evidence that we are, and to change my
> opinion accordingly.)

Given bootstrapping PKI seems nigh impossible (home CA anyone?), I am not sure I agree with you.  I have done that few of times and do not recommend it to anyone. Of course, I guess at some point some products may make it painless but I am not sure I will live long enough to see that. (Especially so that the control stays still within home, and does not stray to some American ‘cloud server’, cough cough.)

> Please note that I think I like the consensus based scheme, I'm
> just concerned it may not be ready for prime time. I'm also not
> really convinced that all you need to do to get interop for
> that is mention it and refer to dncp. But again, I could be
> wrong and would appreciate being corrected if so.
> 
> In summary, I think you should say "when using DTLS with
> asymmetric keying, then you SHOULD support the PKI-based method
> and MAY support the consensus based method, which is still
> somewhat experimental.”

SHOULD/MAY neither provide really interoperability anyway, so I am mostly interested about MUSTs. Current PSK MUST I find rather sad, as that is clearly _not_ elegantly bootstrappable.

Trust consensus or even given some leap of faith about home CA <> cloudy CA the PKI-based method seem better in that regard. But I have not seen that much in the wild yet (see the ‘unproven’ argument in the other DISCUSS thread).

So given the context (ideally zeroconf, at least littleconf) home network, what would you pick for the PSK / PKI / trust consensus? Apparently SHOULD/MAY for the two later, but is PSK really the MUST here or is it the PKI?

> -Section 9: You should refer to HKDF and not HMAC-SHA256 though
> the reference to RFC 6234 is still right. HMAC-SHA256 itself
> is not a key derivation function, which is what you want here.

Good catch, thanks, staged for -10[1]. Essentially instead of HMAC-SHA256 recommending HMAC-SHA256 based HKDF with the ‘info’ field the protocol being keyed.

> - Please take a look at the secdir review [1] and respond to
> that as it raises one issue not (I think) otherwise mentioned.
> What is the effect (on a home) of one compromised hncp router?
> Perhaps you'll say that's obvious, or perhaps not, but I'm 
> interested in what you do say, in case it's not obvious:-)
> 
>   [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06098.html

It essentially broadens a number of on-link attacks to network-wide ones. Notably you can redirect arbitrary traffic wherever you want (without HNCP, you do RA/DHCPv4 faster than router on the link -> MITM), and DoS of the network instead of on-link nodes. Additionally of course it also provides view of the topology and the services that use TLVs encoded in HNCP node data so that can be used for various nefarious things as well. 

Cheers,

-Markus

[1] https://github.com/fingon/ietf-drafts/commit/7a140efa2693d9b0138654f5ec71e5888caa6777