Re: [homenet] standard way of configuring homenets

Ted Lemon <mellon@fugue.com> Wed, 25 July 2018 18:05 UTC

In-Reply-To: <2D09D61DDFA73D4C884805CC7865E6114DE529E5@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <27765.1532468911@localhost> <CAPt1N1mO8KFH+M-bq7LKqQcjtyigUPwdchMA11U_vPXYTzcNSw@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114DE51281@GAALPA1MSGUSRBF.ITServices.sbc.com> <d7e85f2a-b613-7e8a-a18a-c6ae79bd8d79@gmail.com> <2D09D61DDFA73D4C884805CC7865E6114DE526ED@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPt1N1kFFFA344FGWD4S66sFmwM4OdaqN2m0-nTOVMsbXALNcw@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114DE529E5@GAALPA1MSGUSRBF.ITServices.sbc.com>
From: Ted Lemon <mellon@fugue.com>
Date: Wed, 25 Jul 2018 14:04:59 -0400
Message-ID: <CAPt1N1msxtWT-ip8TgqQCpv-eyO8ACDYm7E9+yeBC00DVrRR3Q@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, homenet <homenet@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/pPc4qLSa0fbg3MMrjoumwq7IxI0>
Subject: Re: [homenet] standard way of configuring homenets
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>

On Wed, Jul 25, 2018 at 1:47 PM, STARK, BARBARA H <bs7652@att.com> wrote:

> > From: Ted Lemon
> > Hm, possibly there's been some miscommunication here: we aren't talking
> > about using tools developed for managed networks for amateurishly-managed
> > networks.   We are talking about the problem of making it possible to do
> > some degree of management of homenets.   I don't think anybody is assuming
> > that we will just forklift in SNMP or Netconf/Yang; indeed, at least one
> > suggestion was to just use HNCP.   HNCP actually possesses exactly the
> > attack surface you are talking about if we don't have some kind of
> > enrollment protocol.
>
> I don't see HNCP as being usable in DDoS attacks or as being useful in
> compromising a device. It can give a device bad config info, which could
> prevent the home network from working as desired. But it can't be used for
> a Mirai-like DDoS attack. And it doesn't have the ability (yet) to
> configure login credentials for more in-depth device management. It doesn't
> supply a management interface so much as send around best effort config
> info.
>

In principle it _is_ the management interface; it's just that it's
automatic.   You can't get login credentials because there are no login
credentials.   I would expect that if we come up with a way for, say, an
app on your phone to manage the homenet, then that app would have to go
through the same sort of enrollment process that any other homenet device
would have to use (of course, the first such app might be required to
*bootstrap* the enrollment process).   The current model of having a web UI
with a default configuration password is precisely what I'd like to make
unnecessary by specifying something better.   It is this sort of UI that
has allowed things like the Mirai worm to proliferate.


> I agree with the need for some kind of enrollment to protect components of
> the homenet solution. I'd rather not rely on this enrollment to guarantee
> that components of the homenet solution cannot be used for DDoS attacks. I
> would prefer for homenet solutions to be natively incapable of being used
> in DDoS attacks.
>

That would certainly be nice.