Re: [homenet] HNCP security?

Markus Stenberg <markus.stenberg@iki.fi> Mon, 29 September 2014 07:39 UTC

On 25.9.2014, at 14.19, Tero Kivinen <kivinen@iki.fi> wrote:
> Markus Stenberg writes:
>>> Is there something else that’ll work as transport layer security
>>> for multicast, or should we send a request for the IETF leadership
>>> to investigate if this is something that needs to be developed? 
>> 
>> There is not that I know of. 
>> 
>> I believe msec work is somewhat outdated (based on IKEv1, and not
>> widely deployed), but security isn’t popular, and multicast isn’t
>> popular, so combining them is not usually a win in the IETF. (And
>> especially in seeing them implemented - still not sure how many msec
>> implementations there have been.)
> 
> There is also an IKEv2 version of group key management
> (draft-yeung-g-ikev2), but the draft seems to have expired some time
> ago. I still think it was supposed to be published.

Ah, interesting, did not know about that. Thanks ;)

> If homenet needs multicast support then it might be a good idea to push
> that document forward.

How does this solution work with e.g. link-local-only littleconf-TOFU setup?

To be more precise, I am not sure which node would be the GCKS, and how other nodes would find that node. Based on a cursory read of the draft, it seems to assume that non-GCKS nodes know the GCKS address in advance.

> I do not think replacing the IKEv2 with TLS would help at all. If you
> go for application level protection then using DTLS or similar is
> better than getting ESP involved at all. 

DTLS has a rather sad multicast story too (=manually keyed IPsec without IPsec, and draft-only at the moment). Of course, whether or not we really have to secure multicast at all in the case of HNCP is debatable. However, as a general solution, it is somewhat lacking, as leveraging the same thing for e.g. slightly more multicast-heavy routing protocols would not work in the case of DTLS (then again, I am not sure if GDOI / G-IKEv2 are much better, due to them being mostly draft-only vaporware at this point).

Cheers,

-Markus