Re: [saag] Fw:Fw:New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt

Nico Williams <nico@cryptonector.com> Mon, 03 August 2015 16:17 UTC

Date: Mon, 03 Aug 2015 11:17:50 -0500
From: Nico Williams <nico@cryptonector.com>
To: Randy Bush <randy@psg.com>
Message-ID: <20150803161750.GN2957@localhost>
References: <313da830.6be8.14ed8564467.Coremail.lilishan48@126.com> <m2mvyfh1re.wl%randy@psg.com> <55B8A692.8080409@cs.tcd.ie> <m2a8ufgpjn.wl%randy@psg.com> <55B8D49A.1010402@cs.tcd.ie> <m2y4hyg2za.wl%randy@psg.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/rrlkwMcbHMTGNtwuq1bfU7oVHOk>
Cc: Security Area Advisory Group <saag@ietf.org>

On Thu, Jul 30, 2015 at 04:47:53AM +0900, Randy Bush wrote:
> within an enterprise, one is tempted to suggest enterprise-controlled
> credential distribution; i get a cert (or whatever) oob to let my laptop
> authenticate the dhcp service and vice versa.  but enterprises are
> seeing a lot of byod, and i am not sure how they are dealing with that.
> do they really want to authenticate all mobiles?

Authenticating the enterprise and DHCP servers to the mobiles is one
thing.  Authenticating the latter to the former is another.  I've no
idea if enterprises want to do this, but my experience is that many
enterprises that offer wifi want to force users to then VPN and/or else
to accept MITM trust anchors ("you want to use our network, you pay a
privacy price" is de rigueur).

> in the coffee shop, one would like the mobile device to be given the
> dhcp server's credentials out of band; i suggested a QR code on the wall
> as one (i.e. there could be others) example.  and, unlike the
> enterprise, i think the mobile device should reveal as little as
> possible about itself.

The QR code thing works for enterprises that allow BYOD.

There's also "install this app from the store using 3G/4G then you can
get on our wifi".  There are plenty of options; none perfect.

> bottom line: i do not think there are easy solutions in the introduction
> space.  but it is our responsibility.  and i am trying to think about
> it and others should too.

Yes.

> [0] - i am reminded of the plethora of documents with insecure
>       transports where the sec cons says "use ipsec" with no hint about
>       keying, how the upper layer can even tell if ipsec is being used,
>       ...

Yes, that approach is a disaster [because of a lack of standard, useful
set of IPsec APIs].  But I'm like a broken record as to this.