Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS)

Ted Lemon <> Fri, 20 November 2015 18:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BD5A51B3C27; Fri, 20 Nov 2015 10:22:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.487
X-Spam-Status: No, score=-2.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.585, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3fmc-CLzRShF; Fri, 20 Nov 2015 10:22:48 -0800 (PST)
Received: from ( [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by (Postfix) with ESMTP id 41BBC1B3C25; Fri, 20 Nov 2015 10:22:47 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14480437639730.01551808463409543"
From: Ted Lemon <>
In-Reply-To: <>
References: <> <> <> <>
Date: Fri, 20 Nov 2015 18:22:43 +0000
Message-Id: <>
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Homenet WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Nov 2015 18:22:49 -0000

Wednesday, Nov 18, 2015 11:04 AM Henning Rogge wrote:
> On Wed, Nov 18, 2015 at 4:46 PM, Ted Lemon <> wrote:
>> WPA2, at least in PSK mode, does not provide confidentiality from attackers who have the PSK.   WPA isn't even as good as WPA2.   I think relying on this level of security makes sense if we have no alternative, but in no other case.
> I don't think DTLS with PSK is much better than WPA2 with PSK...

I bought this argument when I first saw it, but when reading Stephen's comment just now (arguing that PSK should be MTI) I realized that I was wrong.  The PSK in the case of HNCP is being shared amongst infrastructure devices, _not_ amongst end users, unlike the WPA2 PSK, which everybody using the network must know.

So while it is certainly _possible_ for the PSK to be vulnerable in the way you describe, it is not _necessary_ for it to be vulnerable in that way, and therefore even the DTLS/PSK mode of secure HNCP is preferable to no security at all.

Sent from Whiteout Mail -

My PGP key: