Re: [homenet] securing zone transfer

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 07 June 2019 20:35 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: homenet <homenet@ietf.org>
In-Reply-To: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com>
Date: Fri, 07 Jun 2019 16:35:04 -0400
Message-ID: <17047.1559939704@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/s_INiKiwfhfipf52d3M8-dkjyso>
Subject: Re: [homenet] securing zone transfer

Daniel Migault <daniel.migault@ericsson.com> wrote:
    > Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not
    > provide confidentiality, and we would rather go for user space security.
    > Are there any recommendations for using TLS or DTLS in that case?

And TSIG requires the Distribution Master to have a database of private
(symmetric) keys, which if disclosed causes havoc.  (yes, DNSSEC can
partially save your bacon as we propose signatures be done on the homenet routers)

Can we use RFC7858 to authorize and provide privacy for AXFR?   We don't know
yet!  I believe that SIG(0) can be used for authorization, but I've never
configured that myself, or seen it in production.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
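As an added example, not part of this thread, the Python below builds a minimal AXFR request and signs and verifies it with an RFC 8945 TSIG (HMAC-SHA256) using only the standard library; the key name, secret and timestamps are constructed. It makes the two points above concrete: the request body stays plaintext on the wire, and the MAC is only as strong as the shared symmetric secret, so verification fails for a wrong key, a tampered question, or a timestamp outside the fudge window.

```python
import hashlib
import hmac
import struct

TSIG_TYPE, ANY_CLASS, AXFR_TYPE, IN_CLASS = 250, 255, 252, 1
ALG = "hmac-sha256."  # algorithm name carried in the TSIG RR

def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased as RFC 8945 requires for the digest."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def skip_name(buf: bytes, off: int) -> int:
    """Offset just past the uncompressed name that starts at off."""
    while buf[off]:
        off += 1 + buf[off]
    return off + 1

def axfr_query(msg_id: int, zone: str) -> bytes:
    """Unsigned AXFR request: 12-byte header with QDCOUNT=1 plus one question (zone AXFR IN)."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", AXFR_TYPE, IN_CLASS)

def tsig_mac(unsigned: bytes, keyname_wire: bytes, key: bytes, time_signed: int, fudge: int) -> bytes:
    """HMAC over the request digest components: the unsigned message, then the TSIG variables
    (key name, class ANY, TTL 0, algorithm, time signed, fudge, error 0, other-len 0)."""
    variables = (keyname_wire + struct.pack("!HI", ANY_CLASS, 0) + wire_name(ALG)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))
    return hmac.new(key, unsigned + variables, hashlib.sha256).digest()

def tsig_sign(unsigned: bytes, keyname: str, key: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR to the additional section and bump ARCOUNT; nothing is encrypted."""
    mac = tsig_mac(unsigned, wire_name(keyname), key, time_signed, fudge)
    msg_id, arcount = struct.unpack("!H", unsigned[:2])[0], struct.unpack("!H", unsigned[10:12])[0]
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))  # original ID, error 0, other-len 0
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, ANY_CLASS, 0, len(rdata)) + rdata
    return unsigned[:10] + struct.pack("!H", arcount + 1) + unsigned[12:] + rr

def tsig_verify(signed: bytes, key: bytes, now: int) -> bool:
    """Verify a signed request whose only records are questions plus the trailing TSIG RR."""
    qdcount, arcount = struct.unpack("!H", signed[4:6])[0], struct.unpack("!H", signed[10:12])[0]
    off = 12
    for _ in range(qdcount):
        off = skip_name(signed, off) + 4           # question = name + QTYPE + QCLASS
    rr_start, keyname_end = off, skip_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[keyname_end:keyname_end + 10])
    rd = keyname_end + 10
    alg_end = skip_name(signed, rd)
    if rtype != TSIG_TYPE or rclass != ANY_CLASS or signed[rd:alg_end] != wire_name(ALG):
        return False
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    if abs(now - time_signed) > fudge:            # outside the replay window: BADTIME
        return False
    unsigned = signed[:10] + struct.pack("!H", arcount - 1) + signed[12:rr_start]
    expected = tsig_mac(unsigned, signed[rr_start:keyname_end], key, time_signed, fudge)
    return hmac.compare_digest(mac, expected)
```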