Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with DISCUSS and COMMENT)
Kim Kinnear <kkinnear@cisco.com> Wed, 30 September 2015 19:33 UTC
Return-Path: <kkinnear@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BCFA1A89A6; Wed, 30 Sep 2015 12:33:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3SKJIxDK-Ff; Wed, 30 Sep 2015 12:33:57 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1D771A89A5; Wed, 30 Sep 2015 12:33:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3657; q=dns/txt; s=iport; t=1443641635; x=1444851235; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=lQiZ3Y9hjOX8HS3EMBMx8cYIH5q0s3gqhGibshav8WY=; b=JAsojYEvyHUOa39yuGSPUoGVVICUNsuoJ5xD/uq6714IzzvtqdpYaxwP XPnbKmMhoxjvv3hB4S6hslh1YRtDmgYzq/1IZ0Lym2DX0CPicHSszj0gw wbe7twfgUxYbwj9YF5zWkmUnnqUXELG27wz53B8WkeT/Z4JNpCu+j9IA4 c=;
X-IronPort-AV: E=Sophos;i="5.17,613,1437436800"; d="scan'208";a="605459105"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Sep 2015 19:33:53 +0000
Received: from dhcp-10-131-65-126.cisco.com (dhcp-10-131-65-126.cisco.com [10.131.65.126]) (authenticated bits=0) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t8UJXomv026440 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 30 Sep 2015 19:33:51 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Kim Kinnear <kkinnear@cisco.com>
In-Reply-To: <20150929224619.31476.89163.idtracker@ietfa.amsl.com>
Date: Wed, 30 Sep 2015 15:33:51 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <939EE2DF-1E5F-4C9F-8F4A-3809369D92A7@cisco.com>
References: <20150929224619.31476.89163.idtracker@ietfa.amsl.com>
To: Alissa Cooper <alissa@cooperw.in>
X-Mailer: Apple Mail (2.1878.6)
X-Authenticated-User: kkinnear
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/-FjW5Gs1TTKRaOmKfJ_7IbWYf1I>
Cc: dhcwg@ietf.org, The IESG <iesg@ietf.org>, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 19:33:59 -0000
Alissa, Thank you for reviewing our draft. I have responded to your discuss and comment below. On Sep 29, 2015, at 6:46 PM, Alissa Cooper <alissa@cooperw.in> wrote: > Alissa Cooper has entered the following ballot position for > draft-ietf-dhc-dhcpv4-active-leasequery-06: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv4-active-leasequery/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > What is the rationale for allowing the use of this protocol in insecure > mode? I realize this is usually for backwards compatibility, but it seems > like both clients and servers would need to be updated in order to > implement this spec anyway. The basic reason for two modes of operation (insecure and secure mode) is because there are essentially two models of use for this protocol. In one model, the requestor of an active leasequery is connected to the internet in an arbitrary location, and the information transmitted needs to be protected during transmission. In addition, the identity of both requestor and server need to be verified. For this model of use, the secure mode is appropriate. The other model of use is where the requestor of the active leasequery resides in a network element that is essentially "next to" the element containing the DHCP server, and both of these elements are inside a protected environment. In this case, the insecure mode is sufficient since there are other, more global, protections in place to protect this information. Note that in discussions of the DHCPv6 Active Leasequery draft with Stephen Farrell, we have changed both this draft and the DHCPv6 version to require *two* explicit choices in configuration to use the insecure mode. So nobody should be able to deploy a DHCP server and through ignorance or inattention allow someone to perform an insecure active leasequery. Kathleen Moriarty attached a comment to her ballot explaining why she didn't have an issue with this, and I agree wholeheartedly with her analysis! > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > In sections 7.2, 8.1, and 9, this is a bit of a strange layering of > normative requirements: > > The recommendations in [RFC7525] SHOULD be followed when negotiating > this connection. > > If you were going to use normative language here I think this would more > appropriately be a MUST, but I would actually recommend something along > the lines of "The recommendations in [RFC7525] apply" since the > recommendations contained therein vary in their normative strength. > Perhaps the security ADs have a preferred formulation, I'm not sure. I will change the sentence you noted to be "The recommendations in [RFC7525] apply." in the next update of the draft. Thanks again for your review. Kim > > > _______________________________________________ > dhcwg mailing list > dhcwg@ietf.org > https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Alissa Cooper's Discuss on draft-ietf-dhc… Alissa Cooper
- Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf… Kim Kinnear
- Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf… Alissa Cooper