Re: [homenet] security work items - what do we want to do?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 24 January 2018 15:03 UTC

To: Ted Lemon <mellon@fugue.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "homenet@ietf.org" <homenet@ietf.org>
References: <cd3042c4-e213-feb2-47ea-00f5fb6ab3ab@cs.tcd.ie> <3348.1516762103@obiwan.sandelman.ca> <00a33dc6-ad12-3a9b-cdab-086268a45882@cs.tcd.ie> <10646.1516800778@dooku.sandelman.ca> <f2102db2-87b5-eae8-b2c0-aa13ba6fc6c1@cs.tcd.ie> <9F46C0C4-8092-4504-913E-8AA8666E7D65@fugue.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <530976ef-479d-2a1a-1cc3-64a1ca2c143e@cs.tcd.ie>
Date: Wed, 24 Jan 2018 15:03:27 +0000
In-Reply-To: <9F46C0C4-8092-4504-913E-8AA8666E7D65@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/zEYbbaDE6uyMGxQ4qnJQWqOf_Is>
Subject: Re: [homenet] security work items - what do we want to do?

Hiya,

On 24/01/18 14:55, Ted Lemon wrote:
> I don't know what unmanaged enrollment really looks like, but sure.
> We've mostly been talking about models for managed enrollment, and
> that seems to be the way the market has been going (with remarkable
> suck-itude, if the Google Home enrollment process is typical). 

A question for ya: I'm not sure if by "enrollment" you
include such things as two routers deciding to agree
that some key material is sufficient for subsequently
protecting hncp or babel packets between themselves?
(I don't want to get into discussion now as to how
either might happen, I just wonder if we'd be better
off using different terms for these problems.)

> I think it might be worth having someone give a presentation on the
> anima enrollment model, if someone is willing to do that.

Sure. If someone wants to volunteer to do that, just
ping Barbara and me and we can throw that into the pile for
agenda construction.

Cheers,
S.


> 
>> On Jan 24, 2018, at 8:51 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>> 
>> 
>> Hiya,
>> 
>> On 24/01/18 13:32, Michael Richardson wrote:
>>> 
>>> Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>>> On 24/01/18 02:48, Michael Richardson wrote:
>>>>> 
>>>>> Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>>>>> - Does this sound roughly right or off the wall?
>>>>> 
>>>>> It sounds right.  I think that bootstrap of security should
>>>>> become a recharter item in the future.  Some kind of BCP on
>>>>> interactions with MUD, SUIT, etc. IN THE FUTURE. NOT NOW.
>>> 
>>>> Can you say more? Eg. what would be needed before you think
>>>> it'd be sensible for homenet to start work in this space?
>>> 
>>> a) finish (really finish) Babel work, that might mean interacting
>>> with BABEL WG
>>> 
>>> b) DNS naming and delegation in Last Call.
>>> 
>>> c) ANIMA and related groups publish *managed* enrollment, so that
>>> HOMENET can consider how *unmanaged* enrollment might work.
>> 
>> Reasonable points. Do others (dis)agree?
>> 
>> Without a chair hat on, I'm not sure that some of those other bits
>> of work need to be fully finished - if we know what kind of keying
>> that'll be used in the final results, we could make some progress,
>> but I do agree we'd need to know e.g. whether Babel implementations
>> would plan to support what flavours of DTLS (e.g. pre-shared keys
>> vs. bare public keys vs. certs if they do plan to use DTLS), and
>> other similar things, so I tend to agree those bits of work would
>> need to be at least nearly-done.
>> 
>>> 
>>>>>> 2. We have this milestone in our charter:
>>>>>>
>>>>>> "Nov 2018 - Submission of the perimeter security draft
>>>>>> to the IESG as Informational RFC"
>>>>> 
>>>>> Yes.  Are the authors still engaged?
>>> 
>>>> I'm not aware that we have authors;-( I guess someone could
>>>> have volunteered in the past before I was helping out as chair
>>>> (if so, please do let us know).
>>> 
>>> Ah, so it was Erik and some other people.  I see that the draft
>>> has even expired.  I'm thinking about:
>>> https://datatracker.ietf.org/doc/draft-kline-homenet-default-perimeter/
>>>
>>> Maybe you are thinking about something else?
>> 
>> Nope, I'd not seen that draft before.
>> 
>> Do others still consider we should work on this topic? (based on
>> that draft or not) and we'd still like to know who's willing to do
>> stuff, if so.
>> 
>> Cheers, S.
>> 
>>> 
>>> --
>>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>>> ]   Michael Richardson, Sandelman Software Works        | network architect  [
>>> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>>>
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>  -= IPv6 IoT consulting =-
>>> 
>>> 
>>> 
>> 
>> --
>> PGP key change time for me.
>> New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
>> NewWithOld sigs in keyservers.
>> Sorry if that mucks something up;-)

-- 
PGP key change time for me.
New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
NewWithOld sigs in keyservers.
Sorry if that mucks something up;-)