Provisioning Initial Device Identifiers into Home Routers
draft-richardson-homerouter-provisioning-00
acme? Working Group M. Richardson
Internet-Draft Sandelman Software Works
Intended status: Best Current Practice 1 November 2020
Expires: 5 May 2021
Provisioning Initial Device Identifiers into Home Routers
draft-richardson-homerouter-provisioning-00
Abstract
This document describes a method to provisioning an 802.1AR-style
certificate into a router intended for use in the home.
The proceedure results in a certificate which can be validated with a
public trust anchor ("WebPKI"), using a name rather than an IP
address. This method is focused on home routers, but can in some
cases be used by other classes of IoT devices.
(RFCEDITOR please remove: this document can be found at
https://github.com/mcr/homerouter-provisioning)
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 May 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
Richardson Expires 5 May 2021 [Page 1]
Internet-Draft homertr-provision November 2020
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Primarily Home Routers . . . . . . . . . . . . . . . . . 3
1.2. Provisioning of certificates with public trust anchors . 4
1.3. Manufacturers or ISPs do provisioning . . . . . . . . . . 4
1.4. Users who use web browsers . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 5
4. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 7
5. Certificate Expiry/Renewal Protocol . . . . . . . . . . . . . 7
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 7
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
11.1. Normative References . . . . . . . . . . . . . . . . . . 7
11.2. Informative References . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
The increasing push to move all web interactions to HTTPS is a good
thing. [RFC6797] section 2.3.1 explains some of the attacks that
this defeats.
Residential use devices, particularly home routers, have some very
unfortunate challenges. The router provides access control for the
entire home network: controlling access to the router is critical.
Malware has so far, been content to attack the outside of home
routers, exploiting poor authorization controls, and the fact that so
few devices have their password changes (see [sixtypercent]).
Malware continues to arrive by email and by trojan download, and one
must assume that at least some devices within the home may be
infected. An obvious next step for malware is to attack home routers
and IoT devices from within the home. An unencrypted administrative
interface to these devices presents two problems:
Richardson Expires 5 May 2021 [Page 2]
Internet-Draft homertr-provision November 2020
1. for devices that continue to use passwords as authorization, the
passwords can easily be seen by active eavesdropping of the
network, including use of IP address spoofing attacks. In
Show full document text