Re: [Cerowrt-devel] odhcp6c went crazy flooding Comcast with DHCPv6 SOLICITs

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

From: "Török Edwin" <edwin+ml-cerowrt@etorok.net>
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] odhcp6c went crazy flooding Comcast with DHCPv6 SOLICITs
Date: Wed, 26 Mar 2014 14:20:08 +0200	[thread overview]
Message-ID: <5332C5F8.9050806@etorok.net> (raw)
In-Reply-To: <CALQXh-PPrt5oFqGnK5feRhqaa_mNxS5hGM_AvavsEOz_NF__DA@mail.gmail.com>

On 03/26/2014 12:36 PM, Aaron Wood wrote:
> I also don't consider the ntp/dnssec issue a blocker, not at the moment.  It's a larger problem to solve, and one that needs solving in a wider context than just CeroWRT, and so we should keep working on a solution, but not make it a "release blocking" issue.  It's a known issue, a known bit of research to continue chiseling away it, but not a major blocker.
> 
> Especially since we can always switch to raw-ip addresses for the ntp servers, as a workaround.
> 
> But I like some of the workarounds suggested such as starting secure, and then slowly ratching down the security as things fail.  So long as we don't expose a way to cripple the unit, or otherwise coerce it into misbehavior, I think we'll find a solution along those routes.

This suggests using 'tlsdate', or the dhcp time option (if provided by another DHCP server):
http://tools.ietf.org/id/draft-mglt-homenet-dnssec-validator-dhc-options-01.txt

tlsdate looks interesting, as you'd still have *some* protection from the TLS certificate check,
even if you patch it to fallback to an insecure DNS lookup.

Best regards,
--Edwin

     prev parent reply	other threads:[~2014-03-26 12:20 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-01 13:29 Chuck Anderson
2014-02-01 16:43 ` Dave Taht
2014-02-01 16:54   ` Dave Taht
2014-02-01 19:33   ` Jim Gettys
2014-03-26  2:40 ` Chuck Anderson
2014-03-26  3:19   ` Dave Taht
2014-03-26  3:41     ` Dave Taht
2014-03-26  4:42       ` Valdis.Kletnieks
2014-03-26  6:38         ` Dave Taht
2014-03-26 10:36         ` Aaron Wood
2014-03-26 12:20           ` Török Edwin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5332C5F8.9050806@etorok.net \
    --to=edwin+ml-cerowrt@etorok.net \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox