Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS)

Kathleen Moriarty <> Wed, 18 November 2015 18:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DFF781A6EF4; Wed, 18 Nov 2015 10:40:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qpqw9S2FNaQV; Wed, 18 Nov 2015 10:39:56 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 95B341A6EED; Wed, 18 Nov 2015 10:39:56 -0800 (PST)
Received: by vkbs1 with SMTP id s1so1074463vkb.0; Wed, 18 Nov 2015 10:39:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=PJ5b6sxkYFpR1Zav0LdYD4UNxIFmmp/w6cJbWuvDCh8=; b=tkTVtdeQEuqw8fQagADMelQ5YTVzhXC3Vq6TCM/UJZ5Jku2McUiWHP/iEOL6RnWtqk LhGjbxSQ1x+tc5DZLjuVUjDVLVioF20/LttyedHBueb+SGlORPpy5c7201DWRo4dhr8S n7BqkEjaP7ypvY7aD30SS+wVKM98v7RJaoFqGRbZuqP4C/c/I/txQEwuhIhB8AuouP7q CjBFRjmh/oipvyD40gsrekvpI2m+t8F1QsVKV39YUPMxXIL9yzwhzbazE1lcD2Sy7QT4 U/izkY4LVIUdYA/QSDV7aqa3vp1UdrDya1AHKYSRDkKTuSr/Np60eS9oRhscPBGN4JUS b3Pg==
X-Received: by with SMTP id m82mr234936vke.158.1447871995720; Wed, 18 Nov 2015 10:39:55 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id j26sm185790vki.0.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 18 Nov 2015 10:39:55 -0800 (PST)
From: Kathleen Moriarty <>
X-Google-Original-From: Kathleen Moriarty <>
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (12H143)
In-Reply-To: <>
Date: Wed, 18 Nov 2015 13:39:53 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Steven Barth <>
Archived-At: <>
Cc: "" <>, "" <>, "" <>, The IESG <>, "" <>
Subject: Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Homenet WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 18 Nov 2015 18:40:01 -0000

Hi Steven,

Thanks for your response and text suggestions.  Inline.

Sent from my iPhone

> On Nov 18, 2015, at 9:20 AM, Steven Barth <> wrote:
> Hello Kathleen,
> thanks for the review.
>> 1. I'm not clear on one of the bullets in section 3, 
>>  o  HNCP nodes MUST use the leading 64 bits of MD5 [RFC1321] as DNCP
>>      non-cryptographic hash function H(x).
>> Is this meant to use a message digest (RFC1321) or a cryptographic hash
>> for authentication (RFC2104)?  If it's the former, can you make this more
>> clear in the bullet?  If it's the latter, can you update the reference
>> and the number of bits to use for truncation is 80 for the minimum.  You
>> do explicitly mention HMACs later on for PSKs using SHA256, so maybe the
>> reference is correct and the wording should just be a bit more clear?
> I have staged this text now:
>  HNCP nodes MUST use the leading 64 bits of the <xref
>  target="RFC1321">MD5 message digest</xref> as the DNCP hash function
>  H(x) used in building the DNCP hash tree.
> I hope that makes it more clear, that the hash is only used for
> comparison and to detect changes, not as a form of signature or
> authentication.

This does help, thank you!
>> 2. Can you explain why DTLS is a SHOULD and not a MUST?  The bullet in
>> section 3 reads as if this is for use, not implementation.  Is there a
>> MUST for implementation (I didn't see one, but maybe I missed that)?
> The basic idea behind the SHOULD is that there may be cases where either
> physical security of links (e.g. cables) can be ensured or link-layer
> security such as WPA for WiFi is present. In these cases (e.g. some sort
> homenet wifi repeater) the DTLS would be redundant.
> In the Security Considerations sections we currently have a requirement:
>  On links where this is not practical and lower layers do not provide
>  adequate protection from attackers, DNCP secure mode MUST be used to
>  secure traffic.

This may be okay.  I will have to look at the draft again to see the references for DNCP security and will get back yo you as soon as I can do that.  I've had some day job responsibilities this morning.
> which should ensure that devices MUST use HNCP security over both
> physically and link-layer-wise unsecured links. I guess this could be
> reflected in the DNCP profile section as well if that makes it more clear.
> Would that work better or do you have something different in mind?

More later.  Thanks again!
>> Could you add a reference to RFC7525 to help with configuration and
>> cipher suite recommendations?  This could be in section 12, security
>> considerations.
> Staged for next revision.
> Cheers,
> Steven