Provisioning Initial Device Identifiers into Home Routers
draft-richardson-homerouter-provisioning-00

Document Type Active Internet-Draft (individual)
Author Michael Richardson 
Last updated 2020-11-01
Stream (None)
Intended RFC status (None)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
acme? Working Group                                        M. Richardson
Internet-Draft                                  Sandelman Software Works
Intended status: Best Current Practice                   1 November 2020
Expires: 5 May 2021

       Provisioning Initial Device Identifiers into Home Routers
              draft-richardson-homerouter-provisioning-00

Abstract

   This document describes a method to provisioning an 802.1AR-style
   certificate into a router intended for use in the home.

   The proceedure results in a certificate which can be validated with a
   public trust anchor ("WebPKI"), using a name rather than an IP
   address.  This method is focused on home routers, but can in some
   cases be used by other classes of IoT devices.

   (RFCEDITOR please remove: this document can be found at
   https://github.com/mcr/homerouter-provisioning)

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 May 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

Richardson                 Expires 5 May 2021                   [Page 1]
Internet-Draft              homertr-provision              November 2020

   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Primarily Home Routers  . . . . . . . . . . . . . . . . .   3
     1.2.  Provisioning of certificates with public trust anchors  .   4
     1.3.  Manufacturers or ISPs do provisioning . . . . . . . . . .   4
     1.4.  Users who use web browsers  . . . . . . . . . . . . . . .   5
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Protocol Details  . . . . . . . . . . . . . . . . . . . . . .   7
   5.  Certificate Expiry/Renewal Protocol . . . . . . . . . . . . .   7
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     11.2.  Informative References . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   The increasing push to move all web interactions to HTTPS is a good
   thing.  [RFC6797] section 2.3.1 explains some of the attacks that
   this defeats.

   Residential use devices, particularly home routers, have some very
   unfortunate challenges.  The router provides access control for the
   entire home network: controlling access to the router is critical.
   Malware has so far, been content to attack the outside of home
   routers, exploiting poor authorization controls, and the fact that so
   few devices have their password changes (see [sixtypercent]).

   Malware continues to arrive by email and by trojan download, and one
   must assume that at least some devices within the home may be
   infected.  An obvious next step for malware is to attack home routers
   and IoT devices from within the home.  An unencrypted administrative
   interface to these devices presents two problems:

Richardson                 Expires 5 May 2021                   [Page 2]
Internet-Draft              homertr-provision              November 2020

   1.  for devices that continue to use passwords as authorization, the
       passwords can easily be seen by active eavesdropping of the
       network, including use of IP address spoofing attacks.  In
Show full document text