From: Aaron Wood
To: Valdis Kletnieks
Cc: Hauke Mehrtens, "Steven B.", "cerowrt-devel@lists.bufferbloat.net"
Date: Wed, 26 Mar 2014 11:36:25 +0100
Subject: Re: [Cerowrt-devel] odhcp6c went crazy flooding Comcast with DHCPv6 SOLICITs

I also don't consider the ntp/dnssec issue a blocker, not at the moment. It's a larger problem to solve, and one that needs solving in a wider context than just CeroWRT, and so we should keep working on a solution, but not make it a "release blocking" issue. It's a known issue, a known bit of research to continue chiseling away at, but not a major blocker.

Especially since we can always switch to raw-ip addresses for the ntp servers, as a workaround.

But I like some of the workarounds suggested such as starting secure, and then slowly ratcheting down the security as things fail. So long as we don't expose a way to cripple the unit, or otherwise coerce it into misbehavior, I think we'll find a solution along those routes.

-Aaron

On Wed, Mar 26, 2014 at 5:42 AM, <Valdis.Kletnieks@vt.edu> wrote:

> On Tue, 25 Mar 2014 20:41:53 -0700, Dave Taht said:
>
> > I'm still at a loss as to the most correct way to bring up dnssec.
>
> Don't sweat it too much - nobody else in the security business knows
> how to do it either. :) DNSSEC has even less uptake than IPv6....