Re: [homenet] webauthn for routers

Michael Thomas <mike@fresheez.com> Thu, 13 June 2019 18:33 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 281F4120170 for <homenet@ietfa.amsl.com>; Thu, 13 Jun 2019 11:33:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fresheez.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvQZYIYiKCdS for <homenet@ietfa.amsl.com>; Thu, 13 Jun 2019 11:33:50 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 988EE12002E for <homenet@ietf.org>; Thu, 13 Jun 2019 11:33:50 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id f25so11433112pgv.10 for <homenet@ietf.org>; Thu, 13 Jun 2019 11:33:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fresheez.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=ywvPgyZ+I11Oji1cSxtJVF3rHKHRYsRbuInfua2LlDE=; b=k2nfsW2xUAWqxAbWMqWhoMEXC7oyKppO+vYyIVTeqsbAdNLiwqDTMB8fCLIiMsmFko stDFXQl0yhF2r5i01zzRynA+5uv6Ahw7PVVP2/o4TDDcfxC1SUPk8JnY2ZdthLlOxZvD RDnz+32K+aTjj6poXPGip9KO0iPWO9RvwKxkE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ywvPgyZ+I11Oji1cSxtJVF3rHKHRYsRbuInfua2LlDE=; b=N35TxtEJ5dBEGhfxjcDtmmrSvD8b+0CCsoN4hjbfqFEHL1tSAt1EW9YxbL4UWr7Zrc sHRSl2XSSu1iyRZaKWE9DpNUBFPwwVEam/HMDUsr4lsyG9gxqgzFHVOKGIOx7dKu1/oM cJajNB8Qpp1ATDdOXOZVVamDIfgJRNqSPPhfASN2pmeXsH+WhSCxXq0Kz8YykvHezOur LOC5KbM+zu+fDEgaH2DE7oZrZzJXExqe8/RMhRz6/50iwTR1BZuF2jfjxBfjGw+lOCO/ 1p1YCFWwQP9iemPHMVasZ7NMuRPg7odHYnmIAtppZPLNbq970luT9Zeg1QI5s7GSsFMu C3iA==
X-Gm-Message-State: APjAAAVo/ktX6g+2oJ85pm2SCbHwh2TSsmeNNyje5qUH51PCYF4yA8zG CffUYIl9I0uUTT7Ei/34sGXN6xU2OT8=
X-Google-Smtp-Source: APXvYqwZry1qrSb17SGL/Pbs/Rgs/herBgd7/WYm3Uu1ypHr/v0jHSp5qMKp1Hu6ghpnQNsmmDa4fw==
X-Received: by 2002:a17:90a:258b:: with SMTP id k11mr6664543pje.110.1560450829756; Thu, 13 Jun 2019 11:33:49 -0700 (PDT)
Received: from Michaels-MacBook.local (107-182-42-248.volcanocom.com. [107.182.42.248]) by smtp.gmail.com with ESMTPSA id s24sm381839pfh.133.2019.06.13.11.33.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Jun 2019 11:33:48 -0700 (PDT)
To: Ted Lemon <mellon@fugue.com>
Cc: Michael Richardson <mcr@sandelman.ca>, homenet@ietf.org
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr> <2348.1560261275@localhost> <87ftofwqut.wl-jch@irif.fr> <27503.1560302791@localhost> <87ef3zwoew.wl-jch@irif.fr> <4109.1560349340@localhost> <EC7FDA4F-1859-4B35-A8AC-D33E1A96F979@fugue.com> <ff7f2700-3862-59bd-abfb-22589562bddb@mtcc.com> <20218.1560366783@localhost> <288a310b-3b99-748d-74ce-a878ff43ee77@fresheez.com> <6179.1560377924@localhost> <604b4062-f2c5-30af-73ff-2e97b7541a9b@fresheez.com> <30470.1560435490@localhost> <cde3329b-cc06-b4eb-5d87-cf74f21368ea@fresheez.com> <496DBED4-24E6-49FE-B9D3-C2BFC7ACEE98@fugue.com>
From: Michael Thomas <mike@fresheez.com>
Message-ID: <20d72a3f-0b8f-c958-2482-25358854a96e@fresheez.com>
Date: Thu, 13 Jun 2019 11:33:46 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <496DBED4-24E6-49FE-B9D3-C2BFC7ACEE98@fugue.com>
Content-Type: multipart/alternative; boundary="------------4E8034EA50A3A157ABA369CC"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/vR42D7ldC-2WZs2XPIQdIf6H4hU>
Subject: Re: [homenet] webauthn for routers
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 18:33:52 -0000

On 6/13/19 8:47 AM, Ted Lemon wrote:
> On Jun 13, 2019, at 11:15 AM, Michael Thomas <mike@fresheez.com 
> <mailto:mike@fresheez.com>> wrote:
>> All of which require authentication of some form, for which the router 
>> itself doesn't have the credentials. But home routers do have a few 
>> different characteristics: proximity and local addressing. Maybe the 
>> work you pointed out might be applicable?
>
> “how you are connected” plus “no conflict” is a fairly effective ad-hoc 
> method for establishing trust.
>
> E.g., for a very long time, ISPs have used the fact that you are 
> connected to their network as a basis for authorizing your DHCP 
> transaction.   If the ISP is doing the front-end naming, then that 
> mechanism could work here as well. If someone else is doing front-end 
> naming, then you probably have to have put a credit card in somewhere…
>

Yeah, the router clearly knows whether something is on the local net, 
but it doesn't know if it's a visitor. Requiring that you put the 
visitors on a guest net is not exactly ideal either.

I'm thinking that a lot of my hand-wringing here is only for adding 
more devices to the router's list of devices that can log in. I'd assume 
that the router would be in "peer mode" by default when it doesn't have 
any enrolled devices. Worst case, you can always log into the router 
with the primary device and press a button to permit other devices. 
Which is to say, I may be overthinking this :)

Mike
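The enrollment policy Mike sketches above (local addressing as a precondition, "peer mode" while no device is enrolled, and a button press by an already-enrolled device to admit further ones) can be written down as a small state machine. The code below is an added illustration by the editor, not code from the thread or from any homenet implementation. It assumes a router keeps a set of enrolled credential IDs, that an approval opened by an enrolled device admits exactly one new device within a fixed window, and that "local" means an RFC 1918 / link-local / ULA source address; the device IDs and addresses in the scenario are constructed sample values. As the thread notes, the router cannot tell a visitor from a household device by address alone, so the policy deliberately relies on the approval step rather than on the address once the first device is enrolled.

```python
"""Enrollment policy sketch for a home router's admin login (added example).

Assumptions (not from the thread): the router keeps a set of enrolled
credential IDs; it is in "peer mode" while that set is empty; afterwards a
new device needs an approval window opened by an enrolled device (the
"press a button" step); and every enrollment request must come from a
local-net address. IDs and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import ipaddress

# Address ranges treated as "on the local net" (assumption: RFC 1918,
# IPv6 link-local and ULA). A visitor on the main LAN still matches these,
# which is exactly why address alone is not enough once a device is enrolled.
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fd00::/8"),
]


def is_local(addr: str) -> bool:
    """True when the source address falls inside one of LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


@dataclass
class EnrollmentPolicy:
    approval_window_s: float = 120.0          # how long a button press stays valid
    enrolled: Set[str] = field(default_factory=set)
    _approval_opened_at: Optional[float] = None

    def mode(self) -> str:
        """'peer' until the first device enrolls, 'locked' afterwards."""
        return "peer" if not self.enrolled else "locked"

    def open_approval(self, approver_id: str, now: float) -> bool:
        """The 'press a button' step: only an enrolled device may open a window."""
        if approver_id not in self.enrolled:
            return False
        self._approval_opened_at = now
        return True

    def can_enroll(self, source_addr: str, now: float) -> Tuple[bool, str]:
        """Decide whether a request from source_addr may enroll right now."""
        if not is_local(source_addr):
            return False, "not on the local net"
        if not self.enrolled:
            return True, "peer mode: no devices enrolled yet"
        if (self._approval_opened_at is not None
                and now - self._approval_opened_at <= self.approval_window_s):
            return True, "approved by an enrolled device"
        return False, "locked: an enrolled device must approve"

    def enroll(self, device_id: str, source_addr: str, now: float) -> Tuple[bool, str]:
        """Apply the decision; a successful enrollment consumes the approval."""
        ok, why = self.can_enroll(source_addr, now)
        if ok:
            self.enrolled.add(device_id)
            self._approval_opened_at = None   # one button press admits one device
        return ok, why


def run_scenario() -> List[Tuple[str, bool]]:
    """Walk a constructed sequence of requests and return (device, admitted)."""
    policy = EnrollmentPolicy()
    results = []
    results.append(("A", policy.enroll("A", "192.168.1.10", 0.0)[0]))    # peer mode
    results.append(("B", policy.enroll("B", "192.168.1.11", 1.0)[0]))    # locked
    results.append(("B-wan", policy.enroll("B", "203.0.113.5", 2.0)[0])) # not local
    policy.open_approval("A", 3.0)                                        # button press
    results.append(("B", policy.enroll("B", "192.168.1.11", 4.0)[0]))    # approved
    results.append(("C", policy.enroll("C", "192.168.1.12", 5.0)[0]))    # approval used
    policy.open_approval("B", 6.0)
    results.append(("C-late", policy.enroll("C", "192.168.1.12", 200.0)[0]))  # expired
    return results


if __name__ == "__main__":
    for device, admitted in run_scenario():
        print(f"{device:7s} admitted={admitted}")
```

The window is single-use and time-bounded on purpose: an approval that stayed open indefinitely would quietly turn "locked" mode back into "peer" mode for anyone on the LAN, visitors included.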