Telechat Review of draft-ietf-homenet-hncp-09
review-ietf-homenet-hncp-09-secdir-telechat-nir-2015-10-15-00

Hi

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

Summary: This document is ready

The document is a profile of the DNCP document that is being progressed at the
same time. Together they form an implementable protocol. The protocol runs
among internal routers within a home network. The document requires such
routers not to forward HNCP messages to leaves, guests, or to external
interfaces.

The Security Considerations section addresses the major threat of
mis-classification of interfaces. If an external interface is classified as
internal, hosts outside the home (or at least the home network) would be able
to reconfigure the home network by sending HNCP messages. One way to mitigate
this is by static configuration or the external interface(s) as well as guest
and leaf interfaces. Another is to use the secure mode on DNCP. The section
describes those options adequately. For some reason the wording suggests that
both of these options are exceptions to the rule: we’d like as little
configuration requirements as possible, and on the other hand the secure mode
of DNCP requires X.509 certificates. I guess in the normal case, such as a
special connection for the external interface on the CPE (say, coaxial cable or
fiber vs Ethernet) it’s easy for the CPE to identify the external interface,
and no further configuration *by the user* is needed.

One threat that is not addressed in the draft is the possibility of a rogue
router within the network (maybe it’s compromised by malware). It’s fine not to
have a mitigation for this, but I think it should be called out.

Yoav