Re: [homenet] homenet: what now? ... next?

Juliusz Chroboczek <jch@irif.fr> Fri, 08 March 2019 12:49 UTC

Return-Path: <jch@irif.fr>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086BD1279A9 for <homenet@ietfa.amsl.com>; Fri, 8 Mar 2019 04:49:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2RGzD5_gTOM for <homenet@ietfa.amsl.com>; Fri, 8 Mar 2019 04:49:02 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EDA51279A1 for <homenet@ietf.org>; Fri, 8 Mar 2019 04:49:01 -0800 (PST)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id x28Cmp81031905; Fri, 8 Mar 2019 13:48:51 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id C83373EF1C; Fri, 8 Mar 2019 13:49:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id w-ojLnsHIf21; Fri, 8 Mar 2019 13:48:58 +0100 (CET)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 121C23EF17; Fri, 8 Mar 2019 13:48:55 +0100 (CET)
Date: Fri, 08 Mar 2019 13:48:50 +0100
Message-ID: <871s3hlefh.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "homenet@ietf.org" <homenet@ietf.org>
In-Reply-To: <894b4181-c4ca-5cf1-adba-1c5fcab0d355@cs.tcd.ie>
References: <894b4181-c4ca-5cf1-adba-1c5fcab0d355@cs.tcd.ie>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Fri, 08 Mar 2019 13:48:51 +0100 (CET)
X-Miltered: at korolev with ID 5C8264B3.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5C8264B3.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5C8264B3.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/XjeI3sMMIRors_nftrJjTZP9rQ0>
Subject: Re: [homenet] homenet: what now? ... next?
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 12:49:05 -0000

Hi Stephen,

Sorry if I'm repeating myself -- I've already expressed the opinions
below, both at the mike and on the list.

> (a) work on simple naming

I think that this work should be stalled until we have an implementation
to play with and make some in vivo experiments.  (Experience shows that
the best way to break a protocol is to give an implementation to Dave.)

> (b) the drafts on handling names with help from your ISP.

I fear that these drafts are a bad case of complexity for the sake of
complexity (or perhaps a case of involving the ISP for the sake of
involving the ISP).  I still haven't seen a compelling argument that they
do solve a problem that a trivial end-to-end protocol wouldn't solve.
Back in July 2018, I wrote the following:

    This is a question that I've been asking since July 2014, and I still
    haven't received an answer I could understand.

Please see the thread starting on 18 July 2018:

    https://www.mail-archive.com/homenet@ietf.org/msg07012.html

> (We also have a chartered work item [4] on security that has seen no
> progress but you can comment on that as item (c) if you like;-)

Some pointers for the rare people who don't spend most of their leisure
time reading Internet-Drafts:

  - HNCP is based on DNCP, which includes a security mechanism designed to
    provide authenticity, integrity and confidentiality of the HNCP data:

        RFC 7525 Section 8

    I believe that this is implemented in hnetd.  (Yeah, Markus and
    Stephen did some remarkable work.)

  - Babel has two security mechanisms:

        https://tools.ietf.org/html/draft-ietf-babel-hmac
        https://tools.ietf.org/html/draft-ietf-babel-dtls

    There appear to be no standards-track key distribution and rotation
    protocols for either of OSPF, IS-IS, BGP or BFD (static keying seems
    to be the norm), so a natural question is whether HNCP could serve
    this purpose, or whether it would be better to use a dedicated key
    distribution and rotation mechanism.

  - RFC 3971 Section 6 says the following:

       To protect Router Discovery, SEND requires that routers be
       authorized to act as routers.  This authorization is provisioned in
       both routers and hosts.

    Since hosts don't participate in HNCP, it is not clear if HNCP can be
    used as a SEND trust anchor.  I believe there's the same issue with
    securing access the DNS stub resolver (DNSCrypt, DNS over TLS, etc.).

-- Juliusz