...
The primary security implication is that a device would be able to be remotely directed to a different controller. As a device trusts its controller completely, this can be an avenue of attack. However, this should be a minor one. It is easier to hijack a DNS record or BGP announcement to get an address than steal a TLS private key. At heart, an EVE device trusts a controller not because of a specific hostname or FQDN, but rather because the TLS channel is validated via the certificate already loaded on the device.
Once a device trusts a controller because it has a valid certificate, it trusts it entirely, including telling it to go trust a different controller.
Nonetheless, we need to recognize that some implementors may want to make the name immutable. Thus, we should support a config that makes a device ignore redirection. This should be configurable in two places:
- a `/config` flag, in which the filesystem indicates, "this device may not change controllers"
- a config option, i.e. lock down device to controller, which adds that flag
Design Proposal
Since the communication between device and controller is over http/s, and http already has both permanent and temporary redirect codes, `301` and `302` respectively, we propose to use those codes to indicate a redirect from controller to device.
...