Re: [homenet] Creating a security association via physical link + button
I've been following this thread with interest. Some points (from someone who has a particular 802.15.4-based mesh networking viewpoint): * There probably isn't any need to specify cryptographic security for an IGP on the basis that the packets are link-local and can therefore be protected at L2. * Network access control can set up secure channels to deliver keying information. Therefore in theory this can be used to deliver keying information for any protocols, although in practice it is often just L2 keying information. The focus then turns to which credentials are used for network access control. Whilst I support the use of public key crypto., it is not essential for homenet and there are solutions (not perfect, IMHO, but adequate) which exist now for easy joining (e.g. WPS) based on a pre-shared key/passphrase. Having said that, the burden and complexity of using public key crypto. for network access and mutual authentication is perhaps not as great as one may think. * The original question was about merging networks in the home. Again, I don't think it is that complex if dealt with from a network access point of view. Whether one becomes secondary and assumes the keying information from the primary network (probably preferable if the topology is a mesh) or the two simply join at a common router and retain their own keying information, either is possible and not difficult. Robert On 26/11/2011 6:18 AM, Randy Turner wrote: You maybe right about the equivalent key-management scope, however, I believe any work in the key distribution area applied to the integrity of routing updates would pay off more than expending this effort on the confidentiality of routing update problem. One of the devices we are considering as a router in the Homenet is a Windows machine where the end user has simply turned on internet connection sharing (ICS). Assuming this machine is their home PC, we're talking about the target of practically every attack profile on the internet, so I think it's worth the effort to establish a trust model. Even an android-based phone could inject false (untrusted) routes into the Homenet, but then again I'm getting ahead of myself in pre-supposing attack vectors on the Homenet. I'm keeping an open mind on all of this until we have a document or other work that performs the due diligence on threats to the Homenet. Randy On Nov 25, 2011, at 5:17 PM, Mark Townsley wrote: On Nov 25, 2011, at 6:28 PM, Ted Lemon wrote: On Nov 25, 2011, at 7:30 AM, Randy Turner wrote: I think I agree that confidentiality of routing traffic is probably not an issue for Homenet - however, I do think we should consider integrity of routing traffic - ie, router A should trust that route updates from router B are correct. Exactly. I see no difference really between the difficulty between an integrity-only solution and a confidentiality solution. Both require keys. It's the keys that are the real problem, not the work done on the packets. And, yes, key exchange being hard is based on a certain amount of intuition for my part as well. - Mark That being said, this is just an intuitive feeling regarding security - maybe we need someone to work on a threat analysis and what the implications could be to the types of applications we anticipate Yes, I think this would be worthwhile. I'm certainly arguing based on intuition at the moment. ___ homenet mailing list homenet@ietf.org mailto:homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet smime.p7s Description: S/MIME Cryptographic Signature ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] other routing options
Op 26 nov. 2011, om 03:17 heeft Russ White het volgende geschreven: TRILL is not an IP routing protocol. It's a layer 2 bridging protocol more complicated than the spanning tree, and seems completely unnecessary for the small size of bridged networks to be expected in homenets. What might actually be ideal is something that can route both at layer 2 and at layer 3 --I.e., that can treat layer 2 and layer 3 within the home identically... Yes, route VLANs. It makes sense to bind equivalent L2 links to a single L3 link. Dummies are faced the fact that broadcasts on home link and guest link simply works. No need for new protocols, L3 multicast and app upgrades. As long as dual stack is in use, dummies don't understand different topologies for the stacks. They should not be aware of dual stack in the first place. Teco :-) Russ ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Creating a security association via physical link + button
I agree - once we have a threat document, this should one of the security models on which we map the threats. Thanks, Acee On Nov 26, 2011, at 4:52 AM, Robert Cragie wrote: I've been following this thread with interest. Some points (from someone who has a particular 802.15.4-based mesh networking viewpoint): There probably isn't any need to specify cryptographic security for an IGP on the basis that the packets are link-local and can therefore be protected at L2. Network access control can set up secure channels to deliver keying information. Therefore in theory this can be used to deliver keying information for any protocols, although in practice it is often just L2 keying information. The focus then turns to which credentials are used for network access control. Whilst I support the use of public key crypto., it is not essential for homenet and there are solutions (not perfect, IMHO, but adequate) which exist now for easy joining (e.g. WPS) based on a pre-shared key/passphrase. Having said that, the burden and complexity of using public key crypto. for network access and mutual authentication is perhaps not as great as one may think. The original question was about merging networks in the home. Again, I don't think it is that complex if dealt with from a network access point of view. Whether one becomes secondary and assumes the keying information from the primary network (probably preferable if the topology is a mesh) or the two simply join at a common router and retain their own keying information, either is possible and not difficult. Robert On 26/11/2011 6:18 AM, Randy Turner wrote: You maybe right about the equivalent key-management scope, however, I believe any work in the key distribution area applied to the integrity of routing updates would pay off more than expending this effort on the confidentiality of routing update problem. One of the devices we are considering as a router in the Homenet is a Windows machine where the end user has simply turned on internet connection sharing (ICS). Assuming this machine is their home PC, we're talking about the target of practically every attack profile on the internet, so I think it's worth the effort to establish a trust model. Even an android-based phone could inject false (untrusted) routes into the Homenet, but then again I'm getting ahead of myself in pre-supposing attack vectors on the Homenet. I'm keeping an open mind on all of this until we have a document or other work that performs the due diligence on threats to the Homenet. Randy On Nov 25, 2011, at 5:17 PM, Mark Townsley wrote: On Nov 25, 2011, at 6:28 PM, Ted Lemon wrote: On Nov 25, 2011, at 7:30 AM, Randy Turner wrote: I think I agree that confidentiality of routing traffic is probably not an issue for Homenet - however, I do think we should consider integrity of routing traffic - ie, router A should trust that route updates from router B are correct. Exactly. I see no difference really between the difficulty between an integrity-only solution and a confidentiality solution. Both require keys. It's the keys that are the real problem, not the work done on the packets. And, yes, key exchange being hard is based on a certain amount of intuition for my part as well. - Mark That being said, this is just an intuitive feeling regarding security - maybe we need someone to work on a threat analysis and what the implications could be to the types of applications we anticipate Yes, I think this would be worthwhile. I'm certainly arguing based on intuition at the moment. ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet smime.p7s Description: S/MIME cryptographic signature ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Creating a security association via physical link + button
On Nov 26, 2011, at 4:52 AM, Robert Cragie wrote: Network access control can set up secure channels to deliver keying information. It sounds like you're talking about some kind of central management software/protocol here. ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet