[Tfug] Static/Dynamic (IP,name) bindings enupu1er

Bexley Hall bexley401 at yahoo.com
Fri Sep 14 00:41:51 MST 2012 

Hi Nathan,

--- On Thu, 9/13/12, Nathan Hruby <nhruby at gmail.com> wrote:

> That sounds really complicated.

Why?  It's just adding a digest to each transaction (hashed with a
private key) to vouch for the content of that transaction.
 
> Why not just make the DHCP server
> update DNS vis DDNS using a preshared key?  Examples:
> - http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/
> - http://hackerific.net/2007/12/24/dynamic-dns-with-dhcp-and-bind-9/
> 
> Yes, a rouge DHCP server could still poison your clients and do bad
> things.  If you believe that's an attack vector that you're at risk
> for, using WPA-enterprise on private WIFi, captive portals + traffic
> limiting on public networks, port-based security / mac filtering,
> 802.11x, and good old good physical security are good things to do to
> limit your risks.  Most of these features are available on
> out-of-the-box consumer grade network hardware and only require a
> minimal amount of setup (some features assume you have things like
> ldap or radius available and may not be immediately useful).
 
A lot of dependencies whereas the *one* feature addresses all of
these concerns.  I.e., "sign" each transaction -- including the
normal run-time traffic that the device would encounter!
(i.e., the authentication also protects "commands" issued to
the device *after* it has booted)

The scheme I've come up with so far:
- devices are manufactured as "identical units" (perhaps with
  unique MAC's -- though not required)
- device is "introduced" to the HA system via a secure communication
  mechanism (i.e., a crossover cable connecting it's NIC to that
  of the HA system WITH NO POSSIBILITY OF EAVESDROPPING).
- device and HA system negotiate private keys and unique identifiers
  (HA system can just keep incrementing a wide counter each time it
  encounters a device.  You don't care if the identifier is globally
  unique as long as it never conflicts with another ID that you
  have issued locally!)
- device stores its ID and key in nonvolatile memory; HA similarly
  records the key associated with that ID (disk, etc.)
- HA system expects all incoming requests with that ID to be signed
  based on this pair of keys and generates its replies similarly.
- device knows reply originates from HA system (no forgeries) based
  on these keys as well

Now, a DHCP request is nothing more than any *other* transaction
between the device and the HA system.  A binary executable
downloaded to the device isn't acted upon (i.e., loaded and
executed) unless it similarly passes its authentication.

Similarly, a command to "change temperature setpoint to XXX" is
ignored[1] if it fails this authentication.

I.e., there is nothing "special" about a DHCP request.  Or a
change setpoint command.  Or...

And, there is no added requirement imposed on the devices that
make up the network infrastructure!  E.g., you can replace a wired
network with an ad-hoc *wireless* network without having to change
any of the software in the device or HA system!

Finally, its simple for the user: "register" the device with the
HA system, then deploy it.  Just like "registering" a cordless
phone with its base before use!  I can't think of anything
more straightforward (especially one that allows identical devices
to be mass-produced!)

----------

[1] The command is not acted upon but it is not "ignored".  You
track the frequency of these authentication failures and use
that knowledge to determine if you have a communications problem,
software bug *or* a potential attack underway.

More information about the tfug mailing list