Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 1:16 PM, Ted Lemon wrote: On Jun 13, 2019, at 4:08 PM, Michael Thomas wrote: It would be good to do this on openwrt, that's for sure. I've never tried to hack on it, but it can't be too horrible. It’s dead easy if you have a Linux VM. Just build a

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 4:08 PM, Michael Thomas wrote: > It would be good to do this on openwrt, that's for sure. I've never tried to > hack on it, but it can't be too horrible. > > It’s dead easy if you have a Linux VM. Just build a package, and have a place it can be downloaded from. When

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:51 PM, Ted Lemon wrote: On Jun 13, 2019, at 3:46 PM, Michael Thomas wrote: Possibly, but I think there are hardware based solutions (eg "press to pair") and pure software based ones. The main point is to have something to point vendors at. They are

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 3:46 PM, Michael Thomas wrote: > Possibly, but I think there are hardware based solutions (eg "press to pair") > and pure software based ones. The main point is to have something to point > vendors at. They are probably clueless that this is a possibility now. > > Ah. I

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:43 PM, Ted Lemon wrote: On Jun 13, 2019, at 3:40 PM, Michael Thomas wrote: I don't think this needs to be very involved. I would think that a short bcp which lays out why webauthn is a huge advance, and a set of different enrollment mechanisms that

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 3:40 PM, Michael Thomas wrote: > I don't think this needs to be very involved. I would think that a short bcp > which lays out why webauthn is a huge advance, and a set of different > enrollment mechanisms that have some vetting would probably be enough. You mean so that we

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:18 PM, Ted Lemon wrote: TBH I don’t know anything about OBA other than that I heard it discussed. If you want to write up a draft, that can’t hurt. I’m not promising to support it—it depends on what you come up with. But it’s always good to have a place to start, and

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
TBH I don’t know anything about OBA other than that I heard it discussed. If you want to write up a draft, that can’t hurt. I’m not promising to support it—it depends on what you come up with. But it’s always good to have a place to start, and something to pick apart and fix up. So by

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:02 PM, Ted Lemon wrote: On Jun 13, 2019, at 2:57 PM, Michael Thomas wrote: The meta-question is whether there is something to be done here, and if this wg is the right place to do it. I know there was a security part of the charter... it sure would

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 2:57 PM, Michael Thomas wrote: > The meta-question is whether there is something to be done here, and if this > wg is the right place to do it. I know there was a security part of the > charter... it sure would be nice to set an example for all of this IoT > mischief on how

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 11:46 AM, Ted Lemon wrote: On Jun 13, 2019, at 2:40 PM, Michael Thomas wrote: Are we talking about the same thing? I'm not sure what naming has to do with dealing with crappy/default passwords on router web interfaces? If your router has a name, it can

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 2:40 PM, Michael Thomas wrote: > Are we talking about the same thing? I'm not sure what naming has to do with > dealing with crappy/default passwords on router web interfaces? > If your router has a name, it can get a cert. If it doesn’t have a name, it can’t. That cert

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 11:37 AM, Ted Lemon wrote: On Jun 13, 2019, at 2:33 PM, Michael Thomas wrote: Yeah, the router clearly knows whether something is on the local net, but it doesn't know if it's a visitor. Requiring that you put the visitors on a guest net is not exactly

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 2:33 PM, Michael Thomas wrote: > Yeah, the router clearly knows whether something is on the local net, but it > doesn't know if it's a visitor. Requiring that you put the visitors on a > guest net is not exactly ideal either. > > That’s not relevant for front-end naming.

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 8:47 AM, Ted Lemon wrote: On Jun 13, 2019, at 11:15 AM, Michael Thomas wrote: All of which require authentication of some form, which the router itself doesn't have the credentials. But home routers do have a few different characteristics: proximity and

Re: [homenet] securing zone transfer

2019-06-13 Thread Juliusz Chroboczek
> No, we are assuming that there are one or more homenet routers that either > come with a delegated domain from the manufacturer (probably a very ugly > one), or which that CPE's ISP will delegate via DHCPv6. (or both) I see. (I still disagree with the technical choices, especially that of

Re: [homenet] webauthn for routers

2019-06-13 Thread Ted Lemon
On Jun 13, 2019, at 11:15 AM, Michael Thomas wrote: > All of which require authentication of some form, which the router itself > doesn't have the credentials. But home routers do have a few different > characteristics: proximity and local addressing. Maybe your work you pointed > out might be

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 7:18 AM, Michael Richardson wrote: Michael Thomas wrote: > Thanks, it's probably pretty dated by now, especially all of the crypto > hackery :). The thing that I'm not sure about is whether the out-of-band > method for adding clients would work in a home router

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Richardson
Michael Thomas wrote: > Thanks, it's probably pretty dated by now, especially all of the crypto > hackery :). The thing that I'm not sure about is whether the out-of-band > method for adding clients would work in a home router situation. My solution > required the server (ie, the

Re: [homenet] securing zone transfer

2019-06-13 Thread Ray Hunter (v6ops)
Michael Richardson wrote on 13/06/2019 03:25: Juliusz Chroboczek wrote: > Are you assuming here there's a central Homenet controller that presents > a web interface where the "house owner" can choose which names get > published? No, we are assuming that there are one or more