IETF Logo Mail Archive

Re: [homenet] standard way of configuring homenets

"STARK, BARBARA H" <bs7652@att.com> Wed, 25 July 2018 21:49 UTC

Return-Path: <bs7652@att.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E07912F1A6 for <homenet@ietfa.amsl.com>; Wed, 25 Jul 2018 14:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cb6TLpobLuxF for <homenet@ietfa.amsl.com>; Wed, 25 Jul 2018 14:49:26 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD6DB1277C8 for <homenet@ietf.org>; Wed, 25 Jul 2018 14:49:26 -0700 (PDT)
Received: from pps.filterd (m0049462.ppops.net [127.0.0.1]) by m0049462.ppops.net-00191d01. (8.16.0.22/8.16.0.22) with SMTP id w6PHjWFJ044311; Wed, 25 Jul 2018 13:47:48 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049462.ppops.net-00191d01. with ESMTP id 2keve6tavu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 25 Jul 2018 13:47:47 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id w6PHllqF021142; Wed, 25 Jul 2018 13:47:47 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [135.47.91.177]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id w6PHlddD021002; Wed, 25 Jul 2018 13:47:41 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [127.0.0.1]) by zlp30486.vci.att.com (Service) with ESMTP id 8A4EC4048B48; Wed, 25 Jul 2018 17:47:39 +0000 (GMT)
Received: from GAALPA1MSGHUBAD.ITServices.sbc.com (unknown [130.8.218.153]) by zlp30486.vci.att.com (Service) with ESMTPS id 73C874048B47; Wed, 25 Jul 2018 17:47:39 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.81]) by GAALPA1MSGHUBAD.ITServices.sbc.com ([130.8.218.153]) with mapi id 14.03.0408.000; Wed, 25 Jul 2018 13:47:39 -0400
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'Ted Lemon' <mellon@fugue.com>
CC: Brian E Carpenter <brian.e.carpenter@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, homenet <homenet@ietf.org>
Thread-Topic: [homenet] standard way of configuring homenets
Thread-Index: AQHUI5gcP53omUcFxUqCducdRw8FHKSfLkiAgAAQ+ICAAFHigIAAW8MQgAB/sAD//8bCUA==
Date: Wed, 25 Jul 2018 17:47:38 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114DE529E5@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <27765.1532468911@localhost> <CAPt1N1mO8KFH+M-bq7LKqQcjtyigUPwdchMA11U_vPXYTzcNSw@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114DE51281@GAALPA1MSGUSRBF.ITServices.sbc.com> <d7e85f2a-b613-7e8a-a18a-c6ae79bd8d79@gmail.com> <2D09D61DDFA73D4C884805CC7865E6114DE526ED@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPt1N1kFFFA344FGWD4S66sFmwM4OdaqN2m0-nTOVMsbXALNcw@mail.gmail.com>
In-Reply-To: <CAPt1N1kFFFA344FGWD4S66sFmwM4OdaqN2m0-nTOVMsbXALNcw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.61.166.63]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-25_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807250189
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/QmOMIFByyR2ykdENbBvoQ3Og0QM>
Subject: Re: [homenet] standard way of configuring homenets
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 21:49:30 -0000

> From: Ted Lemon 
> Hm, possibly there's been some miscommunication here: we aren't talking about using tools developed for managed networks for amateurishly-managed networks.   We are talking about the problem of making it possible to do some degree of management of homenets.   I don't think anybody is assuming that we will just forklift in SNMP or Netconf/Yang; indeed, at least one suggestion was to just use HNCP.   HNCP actually possesses exactly the attack surface you are talking about if we don't have some kind of enrollment protocol.

I don't see HNCP as being usable in DDoS attacks or as being useful in compromising a device. It can give a device bad config info, which could prevent the home network from working as desired. But it can't be used for a Mirai-like DDoS attack. And it doesn't have the ability (yet) to configure login credentials for more in-depth device management. It doesn't supply a management interface so much as send around best effort config info.

I agree with the need for some kind of enrollment to protect components of the homenet solution. I'd rather not rely on this enrollment to guarantee that components of the homenet solution cannot be used for DDoS attacks. I would prefer for homenet solutions to be natively incapable of being used in DDoS attacks.
Barbara

On Wed, Jul 25, 2018 at 12:40 PM, STARK, BARBARA H <mailto:bs7652@att.com> wrote:
> > <individual hat> Since homenet is supposed to be about an unmanaged
> > network, and configuration via a management protocol requires somebody
> > who knows what they’re doing,
> 
> Traditionally, yes, but we do actually want to get away from that.
> (It's our explicit goal to do that in ANIMA, for which homenets are out of
> scope, but we assume that the starting point is a NOC staffed by people who
> know what they are doing.)
> 
> The idea of capturing a homenet config and saving it for future use doesn't
> seem outlandish to me, and using tools developed for managed networks,
> but operated robotically instead of manually, doesn't seem crazy either. But
> it might be a big effort and a distraction.

<as individual contributor>
Using tools developed for managed networks in amateurishly-managed (or unmanaged) home network environments has historically turned out very badly.
Poorly implemented management protocols and "backdoors" are a leading cause of security vulnerabilities. These poor implementations are common and prevalent. 
Improperly secured, but (otherwise) well-implemented management protocols are another leading cause of security vulnerabilities. This is also common and prevalent.
And I'm not just talking about the device's or home network's security. I'm talking about Internet security -- this is how DDoS attacks are enabled.
As a data point: providers like Comcast actively block SNMP ports because SNMP is so easy to use in DDoS attacks. (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xfinity.com_support_articles_list-2Dof-2Dblocked-2Dports&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=s27KbgGycHKQ4PdDhbU8u3hn_hJ6V8VXhZLiP1YXI-M&s=73RoZA55LrnReb6kBTz2o8DIdaoGN0pHtadgVDGVrL8&e=)
I realize netconf and restconf aren't SNMP. But please don't think that if these protocols were to be deployed in millions of consumer devices and placed under the control of end users we would discover them to be magically immune to poor implementations and being improperly secured. I have yet to see a management protocol that is immune to either of these issues.

Which isn't to say it couldn't be done or there might not be a good use case for it. I'm saying that it is a huge effort that would need to be done with extreme foresight and care. We would need to understand extremely well exactly what we do and don't want from such a management solution -- exactly what problems we are trying to solve and what our requirements are. Does it need to be a single management protocol to solve everything, or do we separate reporting of statistics from configuration backup from UI for user configuration? We would have to be rock-solid on requirements for securing any such management interface, understand what our strategy is for minimizing occurrence of poor implementations, and understand what our strategy is for minimizing occurrence of improperly-secured implementations.

On the plus side -- maybe if we were able to do this, it would keep developers from creating their own custom vulnerabilities (aka management interfaces) by giving them a viable properly secured solution.
Barbara

v2.23.0 | Report a Bug | By Email