Re: [homenet] [Anima] Ted Lemon's Block on charter-ietf-anima-00-09: (with BLOCK)

2014-10-03 Thread Michael Behringer (mbehring)
> -Original Message-
> From: homenet [mailto:homenet-boun...@ietf.org] On Behalf Of Stephen
> Farrell
> Sent: 02 October 2014 15:15
> To: Michael Behringer (mbehring); Ted Lemon; The IESG
> Cc: homenet@ietf.org; an...@ietf.org
> Subject: Re: [homenet] [Anima] Ted Lemon's Block on charter-ietf-anima-
> 00-09: (with BLOCK)
> 
> 
> 
> On 02/10/14 13:49, Michael Behringer (mbehring) wrote:
> > My personal goal is that what we do in ANIMA is fully compatible with
> > and ideally used in homenet. It would feel wrong to me to have an
> > infrastructure that doesn't work in a homenet.
> >
> > The security bootstrap is a good example of what we can achieve, with
> > reasonable effort.
> 
> FWIW, it is not clear to me that the reasonable requirements for
> provisioning device security information (or bootstrapping if we wanted to
> call it that) are the same.
> 
> In enterprise environments we see fewer larger vendors of devices.
> In the home where we additionally have a large range of vendors many of
> whom are tiny and leverage a lot of OSS and who could perhaps not take
> part in the kind of provisioning infrastructure that is quite reasonable for
> enterprises and their vendors.
> 
> I do think both want to end up in the same state, where devices are
> authorised for connection to the network and where there is some keying
> material usable for security, but I'd be surprised if one approach to getting
> there worked the same way for both homes and enterprises.

Good points, thanks Stephen. I don't think we have clear answers at this point, 
but this is the job of the ANIMA group (together with the groups that were 
mentioned) to figure out whether there should be a single approach, and if so, 
what it should be. 
 
Personally my starting point is "let's try whether a joint approach works", but 
clearly there is no guarantee. 

Michael

> S.
> 

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet


Re: [homenet] [Anima] Ted Lemon's Block on charter-ietf-anima-00-09: (with BLOCK)

2014-10-03 Thread Kathleen Moriarty
On Thu, Oct 2, 2014 at 9:15 AM, Stephen Farrell 
wrote:

>
>
> On 02/10/14 13:49, Michael Behringer (mbehring) wrote:
> > My personal goal is that what we do in ANIMA is fully compatible with
> > and ideally used in homenet. It would feel wrong to me to have an
> > infrastructure that doesn't work in a homenet.
> >
> > The security bootstrap is a good example of what we can achieve, with
> > reasonable effort.
>
> FWIW, it is not clear to me that the reasonable requirements
> for provisioning device security information (or bootstrapping
> if we wanted to call it that) are the same.
>

This is where we would have overlap with SACM and I2NSF.  I've spoken in
Ops and Dan R has helped to try to recruit some folks to help in SACM.  It
would be good to not solve this in multiple places.  SACM and I2NSF are
de-conflicting what they cover.  Provisioning and assessing security
information is part of those efforts already, hence my questions on the
charter as well.

>
> In enterprise environments we see fewer larger vendors of devices.
> In the home where we additionally have a large range of vendors
> many of whom are tiny and leverage a lot of OSS and who could
> perhaps not take part in the kind of provisioning infrastructure
> that is quite reasonable for enterprises and their vendors.
>

There is a push in the vendor space for this type of automation and I'm all
for it, let's just coordinate on it so we don't wind up with too many ways
to do it.


>
> I do think both want to end up in the same state, where devices
> are authorised for connection to the network and where there is
> some keying material usable for security, but I'd be surprised
> if one approach to getting there worked the same way for both
> homes and enterprises.
>

I'd like to see this discussed more, but maybe it's not in this group?

Thanks,
Kathleen

>
> S.
>
>


-- 

Best regards,
Kathleen


Re: [homenet] [Anima] Ted Lemon's Block on charter-ietf-anima-00-09: (with BLOCK)

2014-10-03 Thread Acee Lindem (acee)
One thing we need to do in homenet is agree on the network administration
model. I believe many of us started with the assumption of plug and play
but are now accepting the fact that minimal configuration will be required
to vet devices on the homenet. If we can agree on similar network admin
models and, as Ted pointed out, requirements on connecting devices, then
we may be able to use similar solutions.

Acee 

On 10/2/14, 9:33 PM, "Sheng Jiang"  wrote:

>I also think ISP networks and enterprise networks are different from home
>networks. Although many requirements may look similar, particularly
>considering the auto operation target, many preconditions are
>different. It could result in different solutions, though some components
>may be reusable among these networks.
>
>For ANIMA, we should surely study what homenet is working on and identify
>the differentia. Only then can we produce the necessary solution without
>confusing the world.
>
>Best regards,
>
>Sheng
>
>From: homenet [homenet-boun...@ietf.org] on behalf of Toerless Eckert
>[eck...@cisco.com]
>Sent: 02 October 2014 22:41
>To: Leddy, John
>Cc: Michael Behringer (mbehring); The IESG; homenet@ietf.org; Stephen
>Farrell; an...@ietf.org; Ted Lemon
>Subject: Re: [homenet] [Anima] Ted Lemon's Block on
>charter-ietf-anima-00-09: (with BLOCK)
>
>Fully agreed. But does this imply that we will make most progress by
>blocking out a working group that is actively chartered to look at
>the problems in the market segments Homenet is not addressing ?
>
>If the BLOCK is meant to suggest charter improvements for anima to
>better define our mutual desire to share whatever is applicable and
>not reinvent unnecessarily, then where is the proposed charter text
>change ?
>
>Cheers
>Toerless
>
>P.S.: Also, if I may throw in some random tidbit of technology thoughts:
>
>I love home networks (and the WG for it), because it is the best place
>for IPv6 to eliminate IPv4 and start creating a fresh, better IP
>network. I have a lot of doubt that we are anywhere close to going that
>route especially in larger enterprises, so the address management for
>IPv4 in those networks is going to be a crucial requirement where I don't
>think homenet could (or should) be any big help. And I am not sure if I
>would want to hold my breath for a lot of IPv4 address complexity reduction in
>IoT either. But certainly autonomic processes could rather help than hurt
>in that matter.
>
>
>On Thu, Oct 02, 2014 at 01:50:13PM +, Leddy, John wrote:
>> My worry on this topic is that we are referring to "the Home" and "the
>> Enterprise".
>> It isn't that clear of a distinction.  This isn't just a simple L2 flat
>> home vs. a Fortune 1000 enterprise.
>>
>> The home is getting more complex and includes work from home; IOT, home
>> security, hot spots, cloud services, policies, discovery etc.
>> Large numbers of SMBs look like more high end residential than they do
>> large enterprises.
>>
>> It would be ideal to have a solution that spans the range of size and
>> complexity for both residential and enterprise.
>> Perhaps enabling features/capabilities where required.
>>
>> Also, as far as IPV6 connectivity residential is probably ahead of
>> enterprises in adopting V6 centric architectures and services.
>> Residential doesn't have much of a choice, it just happens.
>>
>> 2cents, John
>>
>> On 10/2/14, 9:15 AM, "Stephen Farrell" 
>>wrote:
>>
>> >
>> >
>> >On 02/10/14 13:49, Michael Behringer (mbehring) wrote:
>> >> My personal goal is that what we do in ANIMA is fully compatible with
>> >> and ideally used in homenet. It would feel wrong to me to have an
>> >> infrastructure that doesn't work in a homenet.
>> >>
>> >> The security bootstrap is a good example of what we can achieve, with
>> >> reasonable effort.
>> >
>> >FWIW, it is not clear to me that the reasonable requirements
>> >for provisioning device security information (or bootstrapping
>> >if we wanted to call it that) are the same.
>> >
>> >In enterprise environments we see fewer larger vendors of devices.
>> >In the home where we additionally have a large range of vendors
>> >many of whom are tiny and leverage a lot of OSS and who could
>> >perhaps not take part in the kind of provisioning infrastructure
>> >that is quite reasonable for enterprises and their vendors.
>> >
>> >I do think both want to end up in the same state, where devices
>> >are authorised for connection to the network and where there is
>> >some keying material usable for security, but I'd be surprised
>> >if one approach to getting there worked the same way for both
>> >homes and enterprises.
>> >
>> >S.
>> >
>


[homenet] HNCP Security & Trust Draft

2014-10-03 Thread Steven Barth

Hi everyone,

I took the last few days to gather some thoughts about threats, security
and trust management in the context of HNCP and wrote it up under
http://tools.ietf.org/html/draft-barth-homenet-hncp-security-trust-00

Quick overview of the topics:
* Homenet Border
* HNCP Payload Security
* Trust Management
* IGP-Considerations

Please note that this draft is in a very early stage, so please help to
make additions, provide feedback and point out mistakes.


Regards,

Steven




Re: [homenet] [Anima] Ted Lemon's Block on charter-ietf-anima-00-09: (with BLOCK)

2014-10-03 Thread Mark Baugher (mbaugher)
I voiced the opinion that someone has to own the homenet, as distinct
from who might own the CPEs and routers on the homenet.  In the same
way that some ISP CPEs let the user set the Wi-Fi password, the user or
an agent for the user needs to take homenet ownership (or in the case of
autonomic devices, transfer ownership).  This cannot be done plug
and play; there needs to be some ceremony.  It's encouraging that
the vast majority of users in homes, small offices and small businesses
manage to configure their Wi-Fi Protected Access.  Some ceremonies
work to improve privacy and security.

The home network needs to be owned by the home user(s) or agent (could 
be the ISP or some over-the-top retail solution, etc.).

Mark

On Oct 3, 2014, at 6:39 AM, Acee Lindem (acee)  wrote:

> One thing we need to do in homenet is agree on the network administration
> model. I believe many of us started with the assumption of plug and play
> but are now accepting the fact that minimal configuration will be required
> to vet devices on the homenet. If we can agree on similar network admin
> models and, as Ted pointed out, requirements on connecting devices, then
> we may be able to use similar solutions.
> 
> Acee 
> 
> On 10/2/14, 9:33 PM, "Sheng Jiang"  wrote:
> 
>> I also think ISP networks and enterprise networks are different from home
>> networks. Although many requirements may look similar, particularly
>> considering the auto operation target, many preconditions are
>> different. It could result in different solutions, though some components
>> may be reusable among these networks.
>> 
>> For ANIMA, we should surely study what homenet is working on and identify
>> the differentia. Only then can we produce the necessary solution without
>> confusing the world.
>> 
>> Best regards,
>> 
>> Sheng
>> 
>> From: homenet [homenet-boun...@ietf.org] on behalf of Toerless Eckert
>> [eck...@cisco.com]
>> Sent: 02 October 2014 22:41
>> To: Leddy, John
>> Cc: Michael Behringer (mbehring); The IESG; homenet@ietf.org; Stephen
>> Farrell; an...@ietf.org; Ted Lemon
>> Subject: Re: [homenet] [Anima] Ted Lemon's Block on
>> charter-ietf-anima-00-09: (with BLOCK)
>> 
>> Fully agreed. But does this imply that we will make most progress by
>> blocking out a working group that is actively chartered to look at
>> the problems in the market segments Homenet is not addressing ?
>> 
>> If the BLOCK is meant to suggest charter improvements for anima to
>> better define our mutual desire to share whatever is applicable and
>> not reinvent unnecessarily, then where is the proposed charter text
>> change ?
>> 
>> Cheers
>>   Toerless
>> 
>> P.S.: Also, if I may throw in some random tidbit of technology thoughts:
>> 
>> I love home networks (and the WG for it), because it is the best place
>> for IPv6 to eliminate IPv4 and start creating a fresh, better IP
>> network. I have a lot of doubt that we are anywhere close to going that
>> route especially in larger enterprises, so the address management for
>> IPv4 in those networks is going to be a crucial requirement where I don't
>> think homenet could (or should) be any big help. And I am not sure if I
>> would want to hold my breath for a lot of IPv4 address complexity reduction in
>> IoT either. But certainly autonomic processes could rather help than hurt
>> in that matter.
>> 
>> 
>> On Thu, Oct 02, 2014 at 01:50:13PM +, Leddy, John wrote:
>>> My worry on this topic is that we are referring to "the Home" and "the
>>> Enterprise".
>>> It isn't that clear of a distinction.  This isn't just a simple L2 flat
>>> home vs. a Fortune 1000 enterprise.
>>> 
>>> The home is getting more complex and includes work from home; IOT, home
>>> security, hot spots, cloud services, policies, discovery etc.
>>> Large numbers of SMBs look like more high end residential than they do
>>> large enterprises.
>>> 
>>> It would be ideal to have a solution that spans the range of size and
>>> complexity for both residential and enterprise.
>>> Perhaps enabling features/capabilities where required.
>>> 
>>> Also, as far as IPV6 connectivity residential is probably ahead of
>>> enterprises in adopting V6 centric architectures and services.
>>> Residential doesn't have much of a choice, it just happens.
>>> 
>>> 2cents, John
>>> 
>>> On 10/2/14, 9:15 AM, "Stephen Farrell" 
>>> wrote:
>>> 
>>>> 
>>>> 
>>>> On 02/10/14 13:49, Michael Behringer (mbehring) wrote:
>>>> > My personal goal is that what we do in ANIMA is fully compatible with
>>>> > and ideally used in homenet. It would feel wrong to me to have an
>>>> > infrastructure that doesn't work in a homenet.
>>>> > 
>>>> > The security bootstrap is a good example of what we can achieve, with
>>>> > reasonable effort.
>>>> 
>>>> FWIW, it is not clear to me that the reasonable requirements
>>>> for provisioning device security information (or bootstrapping
>>>> if we wanted to call it that) are the same.
>>>> 
>>>> In enterprise e