Hi Stephen, Sorry if I'm repeating myself -- I've already expressed the opinions below, both at the mike and on the list.
> (a) work on simple naming I think that this work should be stalled until we have an implementation to play with and make some in vivo experiments. (Experience shows that the best way to break a protocol is to give an implementation to Dave.) > (b) the drafts on handling names with help from your ISP. I fear that these drafts are a bad case of complexity for the sake of complexity (or perhaps a case of involving the ISP for the sake of involving the ISP). I still haven't seen a compelling argument that they do solve a problem that a trivial end-to-end protocol wouldn't solve. Back in July 2018, I wrote the following: This is a question that I've been asking since July 2014, and I still haven't received an answer I could understand. Please see the thread starting on 18 July 2018: https://www.mail-archive.com/homenet@ietf.org/msg07012.html > (We also have a chartered work item [4] on security that has seen no > progress but you can comment on that as item (c) if you like;-) Some pointers for the rare people who don't spend most of their leisure time reading Internet-Drafts: - HNCP is based on DNCP, which includes a security mechanism designed to provide authenticity, integrity and confidentiality of the HNCP data: RFC 7525 Section 8 I believe that this is implemented in hnetd. (Yeah, Markus and Stephen did some remarkable work.) - Babel has two security mechanisms: https://tools.ietf.org/html/draft-ietf-babel-hmac https://tools.ietf.org/html/draft-ietf-babel-dtls There appear to be no standards-track key distribution and rotation protocols for either of OSPF, IS-IS, BGP or BFD (static keying seems to be the norm), so a natural question is whether HNCP could serve this purpose, or whether it would be better to use a dedicated key distribution and rotation mechanism. - RFC 3971 Section 6 says the following: To protect Router Discovery, SEND requires that routers be authorized to act as routers. This authorization is provisioned in both routers and hosts. Since hosts don't participate in HNCP, it is not clear if HNCP can be used as a SEND trust anchor. I believe there's the same issue with securing access the DNS stub resolver (DNSCrypt, DNS over TLS, etc.). -- Juliusz _______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet