IETF Logo Mail Archive

Re: [homenet] securing zone transfer

"Ray Hunter (v6ops)" <v6ops@globis.net> Sat, 08 June 2019 11:17 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DDDE120094 for <homenet@ietfa.amsl.com>; Sat, 8 Jun 2019 04:17:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.026
X-Spam-Level:
X-Spam-Status: No, score=-1.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sso95S9ocGj6 for <homenet@ietfa.amsl.com>; Sat, 8 Jun 2019 04:17:25 -0700 (PDT)
Received: from globis01.globis.net (unknown [IPv6:2001:470:1f15:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7BDBC120019 for <homenet@ietf.org>; Sat, 8 Jun 2019 04:17:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id C1D7B401CC; Sat, 8 Jun 2019 13:17:24 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNg-vyV1JYon; Sat, 8 Jun 2019 13:17:21 +0200 (CEST)
Received: from MacBook-Pro-3.local (h9041.upc-h.chello.nl [62.194.9.41]) (Authenticated sender: v6ops@globis.net) by globis01.globis.net (Postfix) with ESMTPA id AE13A401BA; Sat, 8 Jun 2019 13:17:21 +0200 (CEST)
To: Ted Lemon <mellon@fugue.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, homenet@ietf.org, Ray Bellis <ray@bellis.me.uk>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <73d98e8d-4496-98dd-350f-28b93692b1bc@bellis.me.uk> <3195.1559964971@localhost> <C0205C3D-6FA4-4B39-9602-5AF4EC4D3BF5@fugue.com>
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
Message-ID: <ac7b6d43-32e8-6995-35aa-108d630648a9@globis.net>
Date: Sat, 08 Jun 2019 13:17:20 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.18
MIME-Version: 1.0
In-Reply-To: <C0205C3D-6FA4-4B39-9602-5AF4EC4D3BF5@fugue.com>
Content-Type: multipart/alternative; boundary="------------FA1AA97A1E9CDBCDE36A73F6"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/SeV-CwQ6xPn-PQsq6uCw_70whgI>
Subject: Re: [homenet] securing zone transfer
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jun 2019 11:17:27 -0000


Ted Lemon wrote on 08/06/2019 05:50:
> On Jun 7, 2019, at 11:36 PM, Michael Richardson <mcr+ietf@sandelman.ca 
> <mailto:mcr+ietf@sandelman.ca>> wrote:
>> Can we use TLS for authorization, assuming that we have trusted 
>> certificates
>> at both ends?  Perhaps this is more of a: did anyone implement this?
>
> How is trust established?   Sure, doing TSIG over TLS is no problem.

Bootstrapping trust is always going to be an issue no matter what we do.

There can be multiple ways to bootstrap this, and multiple possible 
providers pre-configured in the GUI.

Possible alternatives for further investigation:

1) something burned in at manufacturing time + trust between the 
manufacturer and the DNS Outsourcing Infra provider.

An initial query from the HNA to the infra could include a proposed 
domain name e.g. an AXFR or SOA query for <hn-ULA>.example.com sent to 
the DM together with SIG(0) signing of this name.

The signing could be done by a private key held at the manufacturer.

SIG(0) doesn't protect the wrapper, only the query data, so the query 
can be signed in advance off-line before anything like the homenet IP 
address is known.

The DNS outsourcing infra can check this signature either using an 
associated public key that is hosted on the manufacturer's DNS in a 
pre-agreed location. e.g. homenet-keys.manufacturer.com. Or the 
manufacturer could pre-share this public key with the DNS outsourcing 
provider out of band.

2) Out of band sign up using a public/private key held at the DNS 
outsourcing service provider at service sign up time (https + credit 
card + CGI script on the service provider's web site -> delegated domain 
name + SIG(0) signed delegated domain name query on the HNA for the 
initial query to the DM). The DM only needs to know the current valid 
public keys used for the SIG(0), and the private key and credit card 
details can be held elsewhere and regularly rotated.

3) Trust based on the TLS + certificate chain, rather than anything at 
the DNS application level. Currently very much hand waving on my part up 
until now. I've seen DANE being able to validate TLS connections based 
on a certificate chain (e.g. RFC 6698 DANE-TA(2) Trust anchor assertion, 
with a common trust anchor like let's encrypt X3 root) and was thinking 
we could leverage that somehow for mutual authentication, along with 
perhaps DNS over HTTPS (RFC8484). On the DM end that could use standard 
TLSA records published in the parent zone to validate the DM to the HNA. 
In the other direction we'd have to somehow to process a certificate 
from the HNA to identify the manufacturer or end user to the DM. But 
that's a well-known problem in web server land.

Thoughts?

-- 
regards,
RayH
<https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campaign=reach>

v2.23.0 | Report a Bug | By Email