Re: [homenet] securing zone transfer
"Ray Hunter (v6ops)" <v6ops@globis.net> Sat, 08 June 2019 11:17 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DDDE120094 for <homenet@ietfa.amsl.com>; Sat, 8 Jun 2019 04:17:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.026
X-Spam-Level:
X-Spam-Status: No, score=-1.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sso95S9ocGj6 for <homenet@ietfa.amsl.com>; Sat, 8 Jun 2019 04:17:25 -0700 (PDT)
Received: from globis01.globis.net (unknown [IPv6:2001:470:1f15:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7BDBC120019 for <homenet@ietf.org>; Sat, 8 Jun 2019 04:17:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id C1D7B401CC; Sat, 8 Jun 2019 13:17:24 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNg-vyV1JYon; Sat, 8 Jun 2019 13:17:21 +0200 (CEST)
Received: from MacBook-Pro-3.local (h9041.upc-h.chello.nl [62.194.9.41]) (Authenticated sender: v6ops@globis.net) by globis01.globis.net (Postfix) with ESMTPA id AE13A401BA; Sat, 8 Jun 2019 13:17:21 +0200 (CEST)
To: Ted Lemon <mellon@fugue.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, homenet@ietf.org, Ray Bellis <ray@bellis.me.uk>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <73d98e8d-4496-98dd-350f-28b93692b1bc@bellis.me.uk> <3195.1559964971@localhost> <C0205C3D-6FA4-4B39-9602-5AF4EC4D3BF5@fugue.com>
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
Message-ID: <ac7b6d43-32e8-6995-35aa-108d630648a9@globis.net>
Date: Sat, 08 Jun 2019 13:17:20 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.18
MIME-Version: 1.0
In-Reply-To: <C0205C3D-6FA4-4B39-9602-5AF4EC4D3BF5@fugue.com>
Content-Type: multipart/alternative; boundary="------------FA1AA97A1E9CDBCDE36A73F6"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/SeV-CwQ6xPn-PQsq6uCw_70whgI>
Subject: Re: [homenet] securing zone transfer
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jun 2019 11:17:27 -0000
Ted Lemon wrote on 08/06/2019 05:50: > On Jun 7, 2019, at 11:36 PM, Michael Richardson <mcr+ietf@sandelman.ca > <mailto:mcr+ietf@sandelman.ca>> wrote: >> Can we use TLS for authorization, assuming that we have trusted >> certificates >> at both ends? Perhaps this is more of a: did anyone implement this? > > How is trust established? Sure, doing TSIG over TLS is no problem. Bootstrapping trust is always going to be an issue no matter what we do. There can be multiple ways to bootstrap this, and multiple possible providers pre-configured in the GUI. Possible alternatives for further investigation: 1) something burned in at manufacturing time + trust between the manufacturer and the DNS Outsourcing Infra provider. An initial query from the HNA to the infra could include a proposed domain name e.g. an AXFR or SOA query for <hn-ULA>.example.com sent to the DM together with SIG(0) signing of this name. The signing could be done by a private key held at the manufacturer. SIG(0) doesn't protect the wrapper, only the query data, so the query can be signed in advance off-line before anything like the homenet IP address is known. The DNS outsourcing infra can check this signature either using an associated public key that is hosted on the manufacturer's DNS in a pre-agreed location. e.g. homenet-keys.manufacturer.com. Or the manufacturer could pre-share this public key with the DNS outsourcing provider out of band. 2) Out of band sign up using a public/private key held at the DNS outsourcing service provider at service sign up time (https + credit card + CGI script on the service provider's web site -> delegated domain name + SIG(0) signed delegated domain name query on the HNA for the initial query to the DM). The DM only needs to know the current valid public keys used for the SIG(0), and the private key and credit card details can be held elsewhere and regularly rotated. 3) Trust based on the TLS + certificate chain, rather than anything at the DNS application level. Currently very much hand waving on my part up until now. I've seen DANE being able to validate TLS connections based on a certificate chain (e.g. RFC 6698 DANE-TA(2) Trust anchor assertion, with a common trust anchor like let's encrypt X3 root) and was thinking we could leverage that somehow for mutual authentication, along with perhaps DNS over HTTPS (RFC8484). On the DM end that could use standard TLSA records published in the parent zone to validate the DM to the HNA. In the other direction we'd have to somehow to process a certificate from the HNA to identify the manufacturer or end user to the DM. But that's a well-known problem in web server land. Thoughts? -- regards, RayH <https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campaign=reach>
- [homenet] securing zone transfer Daniel Migault
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Ray Bellis
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Ted Lemon
- Re: [homenet] securing zone transfer Ray Hunter (v6ops)
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Ted Lemon
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Mark Andrews
- Re: [homenet] securing zone transfer Juliusz Chroboczek
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] [EXT] securing zone transfer Jacques Latour
- Re: [homenet] [EXT] securing zone transfer Ted Lemon
- Re: [homenet] [EXT] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Juliusz Chroboczek
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] [EXT] securing zone transfer Ted Lemon
- Re: [homenet] securing zone transfer Juliusz Chroboczek
- Re: [homenet] [EXT] securing zone transfer Daniel Migault
- Re: [homenet] number of devices in homenet Daniel Migault
- Re: [homenet] [EXT] securing zone transfer Ray Hunter (v6ops)
- Re: [homenet] securing zone transfer Ray Hunter (v6ops)
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Ted Lemon
- Re: [homenet] webauthn for routers (was: securing… MIchael Thomas
- Re: [homenet] webauthn for routers (was: securing… Michael Richardson
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Michael Richardson
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] securing zone transfer Juliusz Chroboczek
- Re: [homenet] securing zone transfer Juliusz Chroboczek
- Re: [homenet] securing zone transfer Michael Richardson
- Re: [homenet] securing zone transfer Ray Hunter (v6ops)
- Re: [homenet] webauthn for routers Michael Richardson
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] securing zone transfer Juliusz Chroboczek
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] webauthn for routers Ted Lemon
- Re: [homenet] webauthn for routers Michael Thomas
- Re: [homenet] [EXT] securing zone transfer Ray Hunter (v6ops)