Re: [homenet] version of -13 of draft-ietf-homenet-front-end-naming-delegation posted

2021-03-26 Thread Michael Thomas
On 3/26/21 12:47 PM, Michael Richardson wrote: Hi, I completed the CDDL description for section 14. We hummed and hawed about YANG vs CDDL for describing this non-normative bit of JSON, and settled on CDDL. I think that I need to revise Appendix B to be sure it matches. We have posted -13

Re: [homenet] Support for RFC 7084 on shipping devices...

2019-10-06 Thread Michael Thomas
On 10/6/19 2:41 PM, Ted Lemon wrote: On Oct 6, 2019, at 10:58 AM, Ole Troan wrote: Are you saying there might be gaps in HNCP? Or things we could do to make it more deployable? If it's just a matter of running code missing, I'm not sure defining anything else new

Re: [homenet] DoH??

2019-09-18 Thread Michael Thomas
On 9/18/19 3:12 PM, Ted Lemon wrote: On Sep 18, 2019, at 6:07 PM, Michael Thomas <m...@mtcc.com> wrote: So I'm a little unclear about the specifics of Firefox using DNS over HTTP, but wouldn't this affect homenet naming, or any split horizon kind of naming? In orde

[homenet] DoH??

2019-09-18 Thread Michael Thomas
So I'm a little unclear about the specifics of Firefox using DNS over HTTP, but wouldn't this affect homenet naming, or any split horizon kind of naming? Mike

Re: [homenet] [babel] Éric Vyncke's Discuss on draft-ietf-babel-applicability-07: (with DISCUSS and COMMENT)

2019-08-08 Thread Michael Thomas
On 8/6/19 11:13 AM, STARK, BARBARA H wrote: Removing unnecessary participants from the discussion (I don't think its relevant to the IESG review of babel-applicability?), and adding homenet... How does the HOMENET usage of babel fit into this? I would be surprised if they were expecting

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 1:16 PM, Ted Lemon wrote: On Jun 13, 2019, at 4:08 PM, Michael Thomas <m...@fresheez.com> wrote: It would be good to do this on openwrt, that's for sure. I've never tried to hack on it, but it can't be too horrible. It’s dead easy if you have a Linux VM. J

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:51 PM, Ted Lemon wrote: On Jun 13, 2019, at 3:46 PM, Michael Thomas <m...@fresheez.com> wrote: Possibly, but I think there are hardware based solutions (eg "press to pair") and pure software based ones. The main point is to have somethi

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:43 PM, Ted Lemon wrote: On Jun 13, 2019, at 3:40 PM, Michael Thomas <m...@fresheez.com> wrote: I don't think this needs to be very involved. I would think that a short bcp which lays out why webauthn is a huge advance, and a set of different enrollment m

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:18 PM, Ted Lemon wrote: TBH I don’t know anything about OBA other than that I heard it discussed.  If you want to write up a draft, that can’t hurt. I’m not promising to support it—it depends on what you come up with.   But it’s always good to have a place to start, and

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 12:02 PM, Ted Lemon wrote: On Jun 13, 2019, at 2:57 PM, Michael Thomas <m...@fresheez.com> wrote: The meta-question is whether there is something to be done here, and if this wg is the right place to do it. I know there was a security part of the charter... it s

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 11:46 AM, Ted Lemon wrote: On Jun 13, 2019, at 2:40 PM, Michael Thomas <m...@fresheez.com> wrote: Are we talking about the same thing? I'm not sure what naming has to do with dealing with crappy/default passwords on router web interfaces? If your router has a nam

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 11:37 AM, Ted Lemon wrote: On Jun 13, 2019, at 2:33 PM, Michael Thomas <m...@fresheez.com> wrote: Yeah, the router clearly knows whether something is on the local net, but it doesn't know if it's a visitor. Requiring that you put the visitors on a guest net is no

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 8:47 AM, Ted Lemon wrote: On Jun 13, 2019, at 11:15 AM, Michael Thomas <m...@fresheez.com> wrote: All of which require authentication of some form, which the router itself doesn't have the credentials. But home routers do have a few different characteristics:

Re: [homenet] webauthn for routers

2019-06-13 Thread Michael Thomas
On 6/13/19 7:18 AM, Michael Richardson wrote: Michael Thomas wrote: > Thanks, it's probably pretty dated by now, especially all of the crypto > hackery :). The thing that I'm not sure about is whether the out-of-band > method for adding clients would work in a ho

Re: [homenet] webauthn for routers

2019-06-12 Thread Michael Thomas
On 6/12/19 3:18 PM, Michael Richardson wrote: Michael Thomas wrote: >> Secondary admins are encouraged to guard against loss/destruction of mobile >> phone, and it is also possible to enroll a second time, provided the >> manufacturer agrees (this is both a

Re: [homenet] webauthn for routers

2019-06-12 Thread Michael Thomas
On 6/12/19 12:13 PM, Michael Richardson wrote: Michael Thomas wrote: >>> There are no passwords. >> Yes please. > Speaking of which, should we be encouraging router vendors to implement > webauthn? Considering that probably half of home rou

Re: [homenet] webauthn for routers (was: securing zone transfer)

2019-06-12 Thread Michael Thomas
On 6/12/19 7:42 AM, Ted Lemon wrote: On Jun 12, 2019, at 10:22 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote: There are no passwords. Yes please. Speaking of which, should we be encouraging router vendors to implement webauthn? Considering that probably half of home routers

Re: [homenet] Homenet market gap analysis...

2019-03-13 Thread Michael Thomas
On 3/13/19 11:35 AM, Ted Lemon wrote: In Bangkok I gave a talk about what Homenet gets right, what new solutions have emerged in the market since homenet started, and what is better about those solutions, as well as what homenet still adds.   I’ve written up a document that discusses this in a

Re: [homenet] homenet: what now? ... next?

2019-03-02 Thread Michael Thomas
On 3/2/19 8:30 AM, Juliusz Chroboczek wrote: What I meant is that homenet router protocols are v6 only. No, they're not. Both HNCP and Babel carry their control traffic over link-local IPv6, but they support both IPv4 and IPv6 with almost equal functionality. (The only significant

Re: [homenet] homenet: what now? ... next?

2019-03-01 Thread Michael Thomas
On 3/1/19 4:14 PM, Michael Richardson wrote: When we started this effort we heard of real situations such as Fred's original FUN BOF slides on how dual-geek households are forced not to share printers due to corporate home firewall requirements. And that we should expect the situation to get

Re: [homenet] homenet: what now? ... next?

2019-03-01 Thread Michael Thomas
On 3/1/19 3:49 PM, STARK, BARBARA H wrote: I would guess that even after 5 years, we still don't have much v6 deployment into homes and that's a pretty big problem. That's an interesting statement to make. Do you have evidence of that? https://www.worldipv6launch.org/measurements/ shows

Re: [homenet] homenet: what now? ... next?

2019-03-01 Thread Michael Thomas
On 3/1/19 2:25 PM, Ted Lemon wrote: On Mar 1, 2019, at 4:21 PM, Stephen Farrell wrote: If one of those positions captures your opinion, feel free to respond in shorthand. Otherwise, please tell us where you think we ought be going, as a WG, with (a), (b)

Re: [homenet] writeup of my 2018 homenet experience on openwrt

2018-11-09 Thread Michael Thomas
On 11/8/18 11:52 PM, Markus Stenberg wrote: On 09.11.2018, at 9.48, Ted Lemon wrote: My edge router is an Ubuntu machine. I haven’t been able to get Marcus’ HNCP daemon to build there. It’s possible that that has changed since I last tried it, but that was what stopped me last time. It

Re: [homenet] writeup of my 2018 homenet experience on openwrt

2018-11-08 Thread Michael Thomas
On 11/8/18 4:03 PM, Ted Lemon wrote: The issue with the code (IIRC) is that it requires cmake to compile, for no obvious reason, and cmake is hard to get working, so e.g. building it on MacOS X is a major porting task.   And it depends on libraries that I don't have.   And there's no layering

Re: [homenet] (no subject)

2018-07-23 Thread Michael Thomas
On 07/23/2018 05:45 PM, STARK, BARBARA H wrote: You're concerned with the homenet losing state when the master is unplugged.   By having the master in the cloud, this problem is eliminated. I can't speak for Juliusz, but my first question was "what if i don't want it in the cloud"? For one

Re: [homenet] (no subject)

2018-07-23 Thread Michael Thomas
On 07/23/2018 03:36 PM, Ted Lemon wrote: On Jul 23, 2018, at 6:10 PM, Juliusz Chroboczek wrote: What? You're concerned with the homenet losing state when the master is unplugged. By having the master in the cloud, this problem is eliminated. I can't speak for

Re: [homenet] I-D Action: draft-ietf-homenet-simple-naming-02.txt

2018-07-03 Thread Michael Thomas
might mean i'm not alone. Like i said, i'm a fan of ascii art, and love ladder diagrams. I know they're a pain, but they're really helpful, imo. Mike On Tue, Jul 3, 2018 at 2:16 PM, Michael Thomas <m...@mtcc.com> wrote: On 07/02/2018 05:21 PM, Ted Lemon wrote:

Re: [homenet] one other security related thing

2018-07-03 Thread Michael Thomas
On 07/02/2018 05:19 PM, Ted Lemon wrote: Hm, I think that’s mentioned explicitly in the document I agree that that’s a possible solution. Let me know if you want to work on a draft. Can you tell me where? I'm not seeing it? Mike On Mon, Jul 2, 2018 at 8:10 PM Michael Thomas <mailt

Re: [homenet] I-D Action: draft-ietf-homenet-simple-naming-02.txt

2018-07-03 Thread Michael Thomas
On 07/02/2018 05:21 PM, Ted Lemon wrote: I didn’t get all the updates I wanted to into this version. A lot of the issues you mention here were discussed in my presentation in London. Will you be in Montreal? No. Mike On Mon, Jul 2, 2018 at 7:43 PM Michael Thomas <mailto:m...@mtcc.

[homenet] one other security related thing

2018-07-02 Thread Michael Thomas
If every homenet has a local.arpa, then with mobility (eg, my phone) will possibly get confused by the currently attached homenet's naming, and my "home" homenet's naming. Say, for example, i try to reference (explicitly, implicitly) printer.local.arpa and i'm at, oh say, my neighbor's house.

Re: [homenet] I-D Action: draft-ietf-homenet-simple-naming-02.txt

2018-07-02 Thread Michael Thomas
One thing that confuses me reading this is where (if any) is the "caching resolver" expected to reside. in section 2.2, last bullet it makes mention of an ISP resolver, but it's not clear whether that resolver is the same as the homenet resolver. if it's not that resolver, maybe it would be

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-31 Thread Michael Thomas
On 05/31/2018 05:39 PM, Ted Lemon wrote: On May 31, 2018, at 4:27 PM, Michael Thomas <m...@mtcc.com> wrote: With a CNAME, you wouldn't need to deprecate the other... it's just an alias that you have control of. From the UI perspective, whatever is presenting names to the user ca

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-31 Thread Michael Thomas
/2018 04:27 PM, Michael Thomas wrote: On 05/31/2018 04:00 PM, Ted Lemon wrote: That's one way of doing the renaming, sure. It's not that simple though. You'd probably have to populate both names and mark one of them as deprecated. The problem is that this creates a bit of a mess. With a CNAME, you

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-31 Thread Michael Thomas
bits around using a web browser :) Mike On Thu, May 31, 2018, 15:06 Michael Thomas <m...@mtcc.com> wrote: On 05/31/2018 02:32 PM, Ted Lemon wrote: > In practice, you just change the device's name in its web ui. Then > it's starts advertising the new name, a

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-31 Thread Michael Thomas
On 05/31/2018 02:32 PM, Ted Lemon wrote: In practice, you just change the device's name in its web ui. Then it's starts advertising the new name, and the old name stops working. If you have enough of a model of this to change the name, you also know enough to select the printer under it's new

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-31 Thread Michael Thomas
and cons up a web page on its very own and give me a nice shiny "homenet" button. Mike On Thu, May 31, 2018, 14:41 Michael Thomas <m...@mtcc.com> wrote: On 05/31/2018 02:32 PM, Ted Lemon wrote: > In practice, you just change the device's name in its web ui.

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-31 Thread Michael Thomas
On 05/31/2018 02:32 PM, Ted Lemon wrote: In practice, you just change the device's name in its web ui. Then it's starts advertising the new name, and the old name stops working. If you have enough of a model of this to change the name, you also know enough to select the printer under it's new

Re: [homenet] Introduction to draft-ietf-homenet-simple-naming

2018-05-25 Thread Michael Thomas
On 5/25/18 10:34 AM, Ted Lemon wrote: the ability to publish services on the Internet" seems like a reasonable first attempt at specifying that, but I agree that it's insufficient.   Do you have a theory to offer?   What I think I meant by this was: - Has a globally-scoped delegation for

Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

2016-11-23 Thread Michael Thomas
On 11/22/2016 06:54 PM, Lorenzo Colitti wrote: On Tue, Nov 22, 2016 at 5:34 PM, james woodyatt wrote: The recent IoT DDoS publicity is a good example; the devices that are the Mirai botnet are devices that had/have open ports facing the

Re: [homenet] About Ted's naming architecture presentation and document

2016-11-22 Thread Michael Thomas
On 11/22/2016 01:12 AM, Tim Chown wrote: On 21 Nov 2016, at 19:34, james woodyatt wrote: On Nov 16, 2016, at 17:31, Michael Richardson wrote: But, do you agree that publishing your home

Re: [homenet] About Ted's naming architecture presentation and document

2016-11-21 Thread Michael Thomas
You mean i have to dogleg through a provider who i don't trust? For whom I'm the product? yuck. Mike On 11/21/2016 11:34 AM, james woodyatt wrote: On Nov 16, 2016, at 17:31, Michael Richardson wrote: But, do you agree that publishing

Re: [homenet] New Version Notification for draft-barth-homenet-wifi-roaming-00.txt

2015-11-26 Thread Michael Thomas
On 11/26/2015 07:15 AM, Mikael Abrahamsson wrote: On Thu, 26 Nov 2015, Ray Hunter (v6ops) wrote: I have read this draft and find it interesting. The use of host routes would seem appealing to avoid 1) any need for stateful "home agent" and multiple forwarding 2) renumbering of the end nodes

Re: [homenet] Stephen Farrell's Discuss on draft-ietf-homenet-hncp-09: (with DISCUSS and COMMENT)

2015-11-26 Thread Michael Thomas
On 11/26/2015 08:49 AM, Juliusz Chroboczek wrote: Hmm. I've also setup many small PKIs and don't agree. I do think someone could easily make all that quite usable within the home. Have you ever walked a non-specialist through the process? I'm not Stephen, and I don't play Stephen on teevee,

Re: [homenet] Host naming in Homenet

2015-08-28 Thread Michael Thomas
On 08/27/2015 11:46 PM, Markus Stenberg wrote: You still have just said existing solutions suck. Still no new solution. Waiting with bated breath for the ‘homenet’ solution, -Markus And still Marcus cannot separate out this from anything except about me. The classic -- and unprofessional --

Re: [homenet] Host naming in Homenet

2015-08-28 Thread Michael Thomas
On 08/28/2015 04:42 AM, Steven Barth wrote: Furthermore, as Markus noted, the IETF has MDNS and stateful DHCPv6 (or rather RFC 4704) in standards track and these protocols are widely supported by all kinds of clients already. So is plain old DNS. That doesn't mean that the effects on host

Re: [homenet] Host naming in Homenet

2015-08-28 Thread Michael Thomas
On 08/28/2015 08:56 AM, Steven Barth wrote: On 08/28/2015 04:42 AM, Steven Barth wrote: Furthermore, as Markus noted, the IETF has MDNS and stateful DHCPv6 (or rather RFC 4704) in standards track and these protocols are widely supported by all kinds of clients already. So is plain old DNS.

Re: [homenet] Host naming in Homenet

2015-08-27 Thread Michael Thomas
On 08/27/2015 09:18 AM, Markus Stenberg wrote: Well, feel free to come up with your magic pixie dust solution, as you seem to keen to pipe up every time on the topic, I have been waiting for it years (literally). This has nothing to do with me, your ongoing ad hominems aside. *None* of

Re: [homenet] Host naming in Homenet

2015-08-27 Thread Michael Thomas
On 08/27/2015 08:33 AM, Markus Stenberg wrote: Requires host changes. Out of scope. This is *complete* bs. *None* of this -- MDNS included -- is well supported (please spare me the bleating about Apple, blah blah blah, it sucks too). Any real solution will require host changes. Period.

Re: [homenet] Host naming in Homenet

2015-08-27 Thread Michael Thomas
On 08/27/2015 06:13 AM, Juliusz Chroboczek wrote: how DNS can be bootstrapped and parent domains delegated to a Homenet Border Router. I think we're speaking about different things. You're speaking about exporting the naming of the Homenet into the ISP (the single ISP, sigh) and from there

Re: [homenet] Selecting a routing protocol for HOMENET

2015-03-31 Thread Michael Thomas
On 3/31/15 2:44 PM, Margaret Wasserman wrote: On a more general matter, IIRC both our candidates (and I think most IETF routing protocols) have equally non-existent asymmetric authentication and that is not even talking about encryption. If you want to have encrypted routing protocol

Re: [homenet] Quality of vendor implementations [was: T.M.S. proudly presents]

2015-03-27 Thread Michael Thomas
On 03/27/2015 04:31 AM, Juliusz Chroboczek wrote: More precisely, here's the approach I've taken in RFC 6126 (credit to Joel Halpern for helping me with that): * if something is required to ensure the integrity of the network, it's a MUST. In particular, bidirectional reachability

Re: [homenet] T.M.S. proudly presents - Babel: the 2nd implementation

2015-03-26 Thread Michael Thomas
On 03/26/2015 11:19 AM, Ted Lemon wrote: On Mar 26, 2015, at 10:07 AM, Michael Thomas m...@mtcc.com wrote: At the very least, I think it's totally fair to subject it to any torture tests you have :) I would suggest that you do interop tests, rather than trying to give him hints. Just

Re: [homenet] T.M.S. proudly presents - Babel: the 2nd implementation

2015-03-26 Thread Michael Thomas
On 03/26/2015 04:45 PM, Juliusz Chroboczek wrote: Is this mentioned in the spec? :) When a Babel router arbitrarily drops a packet for a destination to which it advertises a route with finite metric, it MUST send a short series of pulses of 220V AC current over all active

Re: [homenet] T.M.S. proudly presents - Babel: the 2nd implementation

2015-03-26 Thread Michael Thomas
On 03/26/2015 08:00 AM, Juliusz Chroboczek wrote: On Tuesday, there was much whining about single Babel implementation. Luckily T.M.S.[1] to the rescue - ~15 hours after start, routes synchronized unidirectionally, and after fixing bug or two this morning they go both ways, loop-free, etc. So I

Re: [homenet] routing protocol comparison document and hncp

2015-03-03 Thread Michael Thomas
On 03/03/2015 05:55 AM, David Oran wrote: On Mar 2, 2015, at 9:05 PM, Michael Thomas m...@mtcc.com wrote: On 03/02/2015 01:21 PM, Brian E Carpenter wrote: On 03/03/2015 09:12, Michael Thomas wrote: I'm doubtful that routing protocols need PSK's. They almost certainly would like to share

Re: [homenet] routing protocol comparison document and hncp

2015-03-02 Thread Michael Thomas
On 03/02/2015 01:21 PM, Brian E Carpenter wrote: On 03/03/2015 09:12, Michael Thomas wrote: I'm doubtful that routing protocols need PSK's. They almost certainly would like to share a symmetric key(s) but is not the same thing. But they need to agree on the shared key(s) securely

Re: [homenet] routing protocol comparison document and hncp

2015-03-02 Thread Michael Thomas
On 03/02/2015 06:50 PM, Brian E Carpenter wrote: so you're mollified if somebody's cert says hi i'm 1232345245213452345...@lkajsdlfjasdfds.clasjdflakjsdfk.ladsjflakjsfdls.xxx instead? the possession of a cert does nothing in and of itself to make an enrollment decision. No, of course not. That

Re: [homenet] routing protocol comparison document and hncp

2015-03-02 Thread Michael Thomas
On 03/02/2015 11:34 AM, Michael Behringer (mbehring) wrote: -Original Message- From: homenet [mailto:homenet-boun...@ietf.org] On Behalf Of Markus Stenberg Sent: 02 March 2015 15:11 To: Mikael Abrahamsson Cc: homenet@ietf.org; Markus Stenberg; Margaret Wasserman; Christian Hopps Subject:

Re: [homenet] routing protocol comparison document and hncp

2015-03-02 Thread Michael Thomas
On 03/02/2015 11:54 AM, Brian E Carpenter wrote: On 03/03/2015 08:38, Michael Thomas wrote: Well, draft-pritikin-anima-bootstrapping-keyinfra-01 describes a way to bootstrap a certificate infrastructure, zero touch. Once every device in a domain has a domain certificate, two devices can

Re: [homenet] Routing protocol comparison document

2015-02-20 Thread Michael Thomas
On 02/18/2015 11:54 PM, Mikael Abrahamsson wrote: On Wed, 18 Feb 2015, Michael Thomas wrote: But we're not talking about an interpreted language in the forwarding plane, right? Is the load from routing protocols we're talking about likely to have any noticeable effect on the the forwarding

Re: [homenet] A poll

2015-02-20 Thread Michael Thomas
On 02/20/2015 08:50 AM, Dave Taht wrote: The homenet working group has been laboring for several years now to find ways to make ipv6 more deployable to home (and presumably small business) users. In addition to multiple specification documents some code has been produced to try and make things

Re: [homenet] Routing protocol comparison document

2015-02-18 Thread Michael Thomas
On 02/18/2015 03:22 PM, Dave Taht wrote: I wanted to note that I embrace and endorse Juliusz's and Markus's comments on this thread, and most of the rest of the discussion seems pretty sensible. Some random comments: * I miss the days when rip was ubiquitous. When you needed a routing

Re: [homenet] draft-cheshire-homenet-dot-home-01

2014-11-13 Thread Michael Thomas
On 11/13/2014 08:08 AM, Dave Taht wrote: At least on the now 7 year old cpe gear I work on, it proved utterly feasible to run an outward facing bind dns server, something like 3 years back. As continuing proof of concept lab.bufferbloat.net http://lab.bufferbloat.net still runs bind with

Re: [homenet] draft-cheshire-homenet-dot-home-01

2014-11-13 Thread Michael Thomas
On 11/13/14, 12:09 PM, Michael Richardson wrote: Ted Lemon mel...@fugue.com wrote: 4) you can't just fill the zone with all the names -- it won't be secure. (4A - things that don't want global reachability, perhaps, shouldn't have globally reachable addresses) There is

Re: [homenet] draft-cheshire-homenet-dot-home-01

2014-11-13 Thread Michael Thomas
On 11/13/14, 12:36 PM, Ted Lemon wrote: On Nov 13, 2014, at 10:23 AM, Michael Thomas m...@mtcc.com wrote: Nor do I think that the obscurity of not having a DNS name provides much in the way of privacy. There's way too much that can go wrong to count on either of these properties. Not having

Re: [homenet] draft-cheshire-homenet-dot-home-01

2014-11-13 Thread Michael Thomas
On 11/13/14, 3:15 PM, Ted Lemon wrote: On Nov 13, 2014, at 12:12 PM, Michael Thomas m...@mtcc.com wrote: That said, I really do wonder -- given how trivial it is with v6 to get a GUA, -- how easy it is to keep things within, say, the home that we don't want to accidentally leaking out onto

Re: [homenet] draft-cheshire-homenet-dot-home-01

2014-11-12 Thread Michael Thomas
On 11/12/14, 3:03 PM, Andrew Sullivan wrote: [] So I have a high level question: the routing area of this working group is predicated on the ability for a homenet to get a prefix delegated to them from its upstream provider(s). Why can't we make a similar assumption that a homenet can get a

Re: [homenet] draft-cheshire-homenet-dot-home-01

2014-11-12 Thread Michael Thomas
On 11/12/14, 3:30 PM, Andrew Sullivan wrote: On Wed, Nov 12, 2014 at 03:23:27PM -0800, Michael Thomas wrote: Why can't we make a similar assumption that a homenet can get a dns delegation from some upstream provider as well, be it an ISP, or some other DNS serving entity? I think you can make

Re: [homenet] I-D Action: draft-barth-homenet-hncp-security-trust-01.txt

2014-10-22 Thread Michael Thomas
On 10/22/14, 12:46 PM, Brian E Carpenter wrote: On 22/10/2014 23:54, Ray Bellis wrote: On 22 Oct 2014, at 02:02, Brian E Carpenter brian.e.carpen...@gmail.com wrote: Up one more level: the charter looks pretty out of date in general. Hi Brian, The charter itself still reflects our primary

Re: [homenet] Let's make in-home ULA presence a MUST !?

2014-10-15 Thread Michael Thomas
On 10/15/2014 09:28 AM, Ted Lemon wrote: On Oct 15, 2014, at 10:48 AM, Gert Doering g...@space.net wrote: Could you remind me what your point was? My point was that homenets should have ULAs, and should not use GUAs for local communication, because GUAs can be flash renumbered, and the use of

Re: [homenet] Let's make in-home ULA presence a MUST !?

2014-10-15 Thread Michael Thomas
On 10/15/2014 10:50 AM, Ted Lemon wrote: On Oct 15, 2014, at 11:35 AM, Michael Thomas m...@mtcc.com wrote: What about when my device is wandering back and forth between my ap and my neighbor's? I don't think that's a problem that we're scoped to solve, unless your and your neighbors

Re: [homenet] Let's make in-home ULA presence a MUST !?

2014-10-15 Thread Michael Thomas
On 10/15/14, 11:57 AM, Ted Lemon wrote: Ideally your device should not be hopping back and forth between networks. If it does, there is no work for homenet to do to address the problems that arise. See, I don't find that ideal at all. If I'm swinging around on my backyard trapeze

Re: [homenet] Let's make in-home ULA presence a MUST !?

2014-10-15 Thread Michael Thomas
On 10/15/14, 1:28 PM, James Woodyatt wrote: On Wed, Oct 15, 2014 at 1:01 PM, Michael Thomas m...@mtcc.com wrote: [...] I really don't want to have my network break connectivity because I happened to switch to my neighbor's wifi and I was using a ULA when I

Re: [homenet] Let's make in-home ULA presence a MUST !?

2014-10-15 Thread Michael Thomas
On 10/15/14, 3:49 PM, Ted Lemon wrote: On Oct 15, 2014, at 3:01 PM, Michael Thomas m...@mtcc.com wrote: See, I don't find that ideal at all. If I'm swinging around on my backyard trapeze watching the flying wallendas instructional video from my home jukebox, I really don't want to have my

Re: [homenet] Let's make in-home ULA presence a MUST !?

2014-10-15 Thread Michael Thomas
On 10/15/14, 4:06 PM, Ted Lemon wrote: On Oct 15, 2014, at 5:57 PM, Michael Thomas m...@mtcc.com wrote: If I use a GUA to my jukebox, the routing will just work regardless of which AP I'm currently connected to. With ULA's, not so much. That's hardly a non-sequitur. You appear to have some

Re: [homenet] HNCP Security Trust Draft

2014-10-14 Thread Michael Thomas
1) i was hopeful that this might be a threats kind of draft which is sorely needed. i was disappointed. 2) there is a huge set of possibilities in between PSK and PKI in section 6.1 and 6.2. see #1. Mike On 10/14/2014 12:37 AM, Steven Barth wrote: I just pushed a new revision of the draft.

Re: [homenet] [Anima] Ted Lemon's Block on charter-ietf-anima-00-09: (with BLOCK)

2014-10-05 Thread Michael Thomas
On 10/05/2014 05:09 PM, Stephen Farrell wrote: Hiya, On 05/10/14 22:55, Brian E Carpenter wrote: So, in my opinion, model #1 (a shared secret known to every device) is pretty weak. It might be acceptable for a small home network with a very careful human owner, but not beyond that limit. This

Re: [homenet] HNCP security?

2014-09-29 Thread Michael Thomas
On 09/29/2014 06:24 AM, Ted Lemon wrote: On Sep 29, 2014, at 9:16 AM, Stephen Farrell stephen.farr...@cs.tcd.ie wrote: If, OTOH, you can say that you would in fact also require origin authentication, then that is also of interest. (It'd mean that your use case could not be met by the initially

Re: [homenet] HNCP security?

2014-09-23 Thread Michael Thomas
On 9/23/14, 10:59 AM, Michael Richardson wrote: 2) ISP-provided router has to be willing to trust retail purchased router, or nothing works. So what about the other way around? To what degrees should my homenet trust ISP-maintained CPE? Or more succinctly, what are the things the ISP

Re: [homenet] HNCP security?

2014-09-19 Thread Michael Thomas
On 09/19/2014 01:18 AM, Mark Townsley wrote: Another lesson learned was exposing two passwords to the user vs. one. In a retail/wholesale LAC/LNS deployment model, it made perfect sense for the L2TP tunnel to have a password separate from the PPP user password (and L2TP fully supplanted L2F

Re: [homenet] HNCP security?

2014-09-19 Thread Michael Thomas
On 09/19/2014 07:52 AM, Steven Barth wrote: Am 19.09.2014 um 16:29 schrieb Michael Thomas: Punting on one of the hardest problems would be a travesty. There are plenty of people in IETF that are plenty smart about this subject; we will never get an opportunity to do the right thing again if we

Re: [homenet] HNCP security?

2014-09-19 Thread Michael Thomas
On 9/19/14, 12:38 PM, Ted Lemon wrote: On Sep 19, 2014, at 1:22 PM, Mark Baugher m...@mbaugher.com wrote: AFAICT, we've been discussing key format or DLTS vs IPsec. That discussion presumes that you have some way for a CPE from ISP-a to securely accept HNCP from ISP-b, or the user's new

Re: [homenet] HNCP security?

2014-09-18 Thread Michael Thomas
On 09/18/2014 08:31 AM, Markus Stenberg wrote: whether your authorization policy is leap of faithy, or strict ’these are the authorized CAs/individual certs’, there is no way to express same things with raw public keys (or you wind up with new X509, which is in nobody’s best interest).

Re: [homenet] HNCP security?

2014-09-18 Thread Michael Thomas
On 9/18/14, 8:57 AM, David R Oran wrote: On Sep 18, 2014, at 11:46 AM, Rene Struik rstruik@gmail.com wrote: It seems that the cryptographic literature needs to be rewritten now ... == Anything you can do with a cert, you can do with raw public keys, and you don't need CA's. See RFC4871

Re: [homenet] HNCP security?

2014-09-18 Thread Michael Thomas
On 9/18/14, 2:10 PM, STARK, BARBARA H wrote: Self-signed certs bring only confusion, IMO: they are nothing more than a raw key with an unsubstantiated claim to another name, along with a whole lot more ASN.1 baggage beyond what is needed to parse the modulo and exponent. And you don't get

Re: [homenet] HNCP security?

2014-09-18 Thread Michael Thomas
On 9/18/14, 3:39 PM, Brian E Carpenter wrote: Yes, I agree and that's why self-signed and/or manufacturer certs are of no help. Surely they are of help for secure *identification* of devices? No more so than the naked public key. Authorisation is a separate step. Yes. There is no

Re: [homenet] HNCP security?

2014-09-18 Thread Michael Thomas
On 9/18/14, 3:43 PM, Randy Turner wrote: Are we assuming that the home router is purchased retail, and not fulfilled or provided by an ISP? The method to establish trust relationships would hinge on the answer I should be able prepurpose an old PC with linux running homenet software. We

Re: [homenet] HNCP security?

2014-09-17 Thread Michael Thomas
On 09/17/2014 06:37 AM, Michael Richardson wrote: Michael Thomas m...@mtcc.com wrote: I further suggest that if two routers have wireless that they might well have a WPA2/PSK available to them, and that they can and SHOULD use something derived from that key to authenticate

Re: [homenet] HNCP security?

2014-09-17 Thread Michael Thomas
On 09/16/2014 11:31 PM, Mikael Abrahamsson wrote: As was presented in.. err, London?, shared secrets are bad. To really do this properly, we need device specific keys and some kind of list of devices that are allowed to connect, perhaps by having their public keys in HNCP. I don't know. I am

Re: [homenet] HNCP security?

2014-09-17 Thread Michael Thomas
On 9/17/14, 10:24 AM, Michael Richardson wrote: Michael Thomas m...@mtcc.com wrote: If I have more than one SSID, which PSK should the router use? Whichever ones authenticates the message. The PSK is not transmitted. I'm about to send a routing update, or whatever

Re: [homenet] HNCP security?

2014-09-14 Thread Michael Thomas
On 09/14/2014 09:38 AM, Markus Stenberg wrote: Like I stated earlier in my email, if you do not assume secure L2, just securing router-to-router traffic does little to protect the homenet. The subject line says HNCP security, so I naively thought that's what this was about. So the real

Re: [homenet] HNCP security?

2014-09-13 Thread Michael Thomas
On 09/13/2014 10:16 AM, Acee Lindem (acee) wrote: I agree with Markus. The conflicting goals of self-configuration and security seem to be a recurring theme in homenet. I reread the security section in the "Homenet Architecture" and it mainly covers with security at the edges (which presumes

Re: [homenet] Clarification on Routing Thoughts

2014-07-26 Thread Michael Thomas
On 07/26/2014 04:42 PM, Juliusz Chroboczek wrote: Tossacoin, i.e. random routing, is of course a valid routing algorithm in itself. Isn't that the original reason why we had a TTL/hop count? It would probably work quite well in a small homenet. I call it hot potato routing, and I define it as

Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

2014-07-15 Thread Michael Thomas
On 07/14/2014 11:47 PM, Markus Stenberg wrote: On 9.7.2014, at 18.01, Juliusz Chroboczek j...@pps.univ-paris-diderot.fr wrote: There's still something I don't understand. If I'm understanding Steve's and Markus' work correctly, HNCP performs prefix delegation to internal routers over HNCP,

Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

2014-07-15 Thread Michael Thomas
On 7/15/14, 12:00 PM, Ted Lemon wrote: On Jul 15, 2014, at 2:45 PM, Markus Stenberg markus.stenb...@iki.fi wrote: The mechanism should not be tied to the particular ISPs either, except perhaps optionally. I think the motivation with Daniel's draft was to provide support for the optional case

Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

2014-07-15 Thread Michael Thomas
On 7/15/14, 12:43 PM, Ted Lemon wrote: On Jul 15, 2014, at 3:38 PM, Michael Thomas m...@mtcc.com wrote: That pretty much means that you need a solution that isn't bolted to DHCP, right? Or at least, that DHCP is only providing a default discovery mechanism which my CPE is completely free

Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

2014-07-15 Thread Michael Thomas
On 7/15/14, 1:09 PM, Ted Lemon wrote: On Jul 15, 2014, at 3:55 PM, Michael Thomas m...@mtcc.com wrote: What I'm trying to say is that DHCP as a way of advertising a service that will host my zone, or in some way make my homenet names globally available is OK, but it should just be about

Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

2014-07-15 Thread Michael Thomas
On 7/15/14, 1:53 PM, Ted Lemon wrote: We can safely assume that any device that is monetized through the cloud will do everything in its power to prevent us from accessing it, so that's really not the interesting test case. The interesting test case is whether a Nest-like device that isn't

Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

2014-07-15 Thread Michael Thomas
On 07/15/2014 04:42 PM, Ted Lemon wrote: On Jul 15, 2014, at 5:12 PM, Michael Thomas m...@mtcc.com wrote: I believe we are at least in the fortunate situation that nobody's tried hard to do a naming provider land grab yet, so there may yet be time to do the right thing. That's not the point

Re: [homenet] Updates to Homenet Architecture Principles doc

2014-06-12 Thread Michael Thomas
On 06/12/2014 07:54 AM, Townsley.net wrote: I think for an arch document, we should talk generally about how a routing protocol could plug into the rest of the system, but stop short of details within the routing protocol itself. If routing experts are concerned the working group is going to
