Re: [homenet] HNCP security?
Tero Kivinen <kivinen@iki.fi> Thu, 25 September 2014 11:19 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13BCB1A02EA for <homenet@ietfa.amsl.com>; Thu, 25 Sep 2014 04:19:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXZI_8jN5emh for <homenet@ietfa.amsl.com>; Thu, 25 Sep 2014 04:19:29 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A412E1A6F51 for <homenet@ietf.org>; Thu, 25 Sep 2014 04:19:28 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s8PBJBdh020041 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 25 Sep 2014 14:19:11 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s8PBJB39017774; Thu, 25 Sep 2014 14:19:11 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <21539.64046.841341.958470@fireball.kivinen.iki.fi>
Date: Thu, 25 Sep 2014 14:19:10 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <ED05BC4A-E416-4370-AA5D-FCFE3AF1B24C@iki.fi>
References: <7BDD2D54-1058-4196-9BAD-770544096C93@iki.fi> <830.1410875532@sandelman.ca> <47647B8C-E3E6-4291-9F31-FBEE5FF53BFC@ecs.soton.ac.uk> <EMEW3|ba68076a23b44efccb32951649dba30aq8FLVJ03tjc|ecs.soton.ac.uk|47647B8C-E3E6-4291-9F31-FBEE5FF53BFC@ecs.soton.ac.uk> <alpine.DEB.2.02.1409170820460.14735@uplift.swm.pp.se> <5419A19F.1030808@mtcc.com> <alpine.DEB.2.02.1409180643250.14735@uplift.swm.pp.se> <541A7C1E.6090005@openwrt.org> <2D09D61DDFA73D4C884805CC7865E61130E839B6@GAALPA1MSGUSRBF.ITServices.sbc.com> <FD0A639D-2B33-473C-9F91-5AD39B30BBF8@fugue.com> <0F4C6033-0D1F-4B5E-B47E-72F87F888C50@townsley.net> <alpine.DEB.2.02.1409240738210.14735@uplift.swm.pp.se> <DE4A46AF-34F8-4B01-9AA8-538711162914@iki.fi> <alpine.DEB.2.02.1409241053580.14735@uplift.swm.pp.se> <ED05BC4A-E416-4370-AA5D-FCFE3AF1B24C@iki.fi>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 12 min
X-Total-Time: 28 min
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/Ts_jimHDcUtWe7LSyIyUB7GC8fE
Cc: "Paulina Tran (ptran)" <ptran@cisco.com>, "homenet@ietf.org" <homenet@ietf.org>, "Brian Weis (bew)" <bew@cisco.com>, Mark Townsley <mark@townsley.net>, Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: [homenet] HNCP security?
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Sep 2014 11:19:31 -0000
Markus Stenberg writes: > > Is there something else that’ll work as transport layer security > > for multicast, or should we send a request for the IETF leadership > > to investigate if this is something that needs to be developed? > > There is not that I know of. > > I believe msec work is somewhat outdated (based on IKEv1, and not > widely deployed), but security isn’t popular, and multicast isn’t > popular, so combining them is not usually win in IETF. (And > especially in seeing them implemented - still not sure how many msec > implementations there has been.) There is also ikev2 version of group key management (draft-yeung-g-ikev2), but the draft seems to have expired some time ago. I still think it was supposed to be published. If homenet needs multicast support then it might be good idea to push that document forward. > > I just can't help seeing this problem popping up all over the > > place and everybody solving it by writing their own code and doing > > their own implementation. IPSEC isn't widely used because it > > doesn't have ports so it can't be NATed (so its now run over UDP > > to workaround that problem) and also because key management is > > hard because keys are managed by the operating system and not by > > the application? NATs should not be problem here in the homenet, I would assume all this runs inside the home, and the boxes in homenet are not going to do nat for ipv6 addresses... > > So, do we need a mix between IPSEC and TLS that can be done on a > > per-application level, but it’s still a generic framework so that > > someone can develop generic code that projects like HNCP can use, > > for instance by linking to libraries? I do not think replacing the IKEv2 with TLS would help at all. If you go for application level protection then using DTLS or similar is better than getting ESP involved at all. > TLS + (pure) multicast is more or less impossible. You could > probably define pure-multicast key negotiation scheme too using > multi-party D-H (for example), but I am not sure if there is any > standard protocols for that. Still, it would not look like TLS so > calling it e.g. MTLS would be somewhat misleading. You could use > some packet encoding features, but that would be that. If secure multicast is needed, I think going for the g-ikev2 and ESP would most likely be best way. The g-ikev2 specification is as far as I can see ready, so it should be something that can be published quite soon. It will run over separate port from normal IKEv2, so it can be deployed quite easily (meaning it does not mess up existing IPsec in the box), and as msec was not really very widely deployed the changes that the box already has exsiting msec implementation running on that port, is small. > I guess you could do some sort of msec GDOI-like solution for it too > - perform unicast exchanges using something like DTLS encoding of > TLS handshakes to agree on multicast encryption key to be used on > DTLS-ish ESP-ish UDP multicast traffic with per-source replay > windows. If I remember right g-ikev2 supports multiple group key management protocols and allows download keys from the group controller / key server (GCKS) using IKEv2 to the devices. -- kivinen@iki.fi
- [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Acee Lindem (acee)
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Curtis Villamizar
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Pierre Pfister
- Re: [homenet] Quality time with Mike Markus Stenberg
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Tim Chown
- Re: [homenet] HNCP security? Mark Baugher (mbaugher)
- Re: [homenet] HNCP security? Mikael Abrahamsson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Acee Lindem (acee)
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Mikael Abrahamsson
- Re: [homenet] HNCP security? Steven Barth
- Re: [homenet] HNCP security? STARK, BARBARA H
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? STARK, BARBARA H
- Re: [homenet] HNCP security? Michael Sweet
- Re: [homenet] HNCP security? Rene Struik
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Steven Barth
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Rene Struik
- Re: [homenet] HNCP security? David R Oran
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? STARK, BARBARA H
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Randy Turner
- Re: [homenet] HNCP security? STARK, BARBARA H
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Randy Turner
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Randy Turner
- Re: [homenet] HNCP security? Mark Townsley
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Steven Barth
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Steven Barth
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Douglas Otis
- Re: [homenet] HNCP security? Randy Turner
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Brian E Carpenter
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Tim Chown
- Re: [homenet] HNCP security? Steven Barth
- Re: [homenet] HNCP security? Mark Baugher
- Re: [homenet] HNCP security? Acee Lindem (acee)
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? STARK, BARBARA H
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Douglas Otis
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Mikael Abrahamsson
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Mikael Abrahamsson
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Mark Townsley
- Re: [homenet] HNCP security? Mark Townsley
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Steven Barth
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Tero Kivinen
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Stephen Farrell
- Re: [homenet] HNCP security? Tero Kivinen
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Stephen Farrell
- Re: [homenet] HNCP security? Ted Lemon
- Re: [homenet] HNCP security? Michael Thomas
- Re: [homenet] HNCP security? Michael Richardson
- Re: [homenet] HNCP security? Markus Stenberg
- Re: [homenet] HNCP security? Tero Kivinen