Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Francis Dupont <Francis.Dupont@fdupont.fr> Wed, 07 June 2017 19:23 UTC

Message-Id: <201706071908.v57J8lqg062133@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
cc: dhcwg@ietf.org
In-reply-to: Your message of Wed, 07 Jun 2017 20:43:05 +0200. <779d39d0-eab7-f4c0-e6a0-322f75edb2d5@gmail.com>
Date: Wed, 07 Jun 2017 21:08:47 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/0Imk17NWa0F4M49-r2VUWRY1Q4E>
Subject: Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

In your previous mail you wrote:

>  This work has been in development for almost a decade. This particular
>  approach started in 2013. Let's not restart the work until we exhaust
>  all other possible alternatives.

=> I know it was pretty old (I was its gen-art reviewer and did this
review on 20130220 according to my message to gen-art...).
At that time it was not ready ("Summary: Not Ready", cut & pasted
from that message), but putting in some ideas from SEND, which solved
a similar problem with the same hard constraints, made it something
reasonable.

IMHO the real issue comes from the switch from an authentication
mechanism to unauthenticated encryption. So even if the name is the same,
in fact it is a very different protocol, and of course twisting it
to fulfill a different goal did not work well...

>  How about the proposal Bernie made here?
>  https://mailarchive.ietf.org/arch/msg/dhcwg/c2bB8KdbGgsZShHtnyUgKwELa-w

=> IMHO anything using RSA encryption is dead.

>  Another possible approach to the problem mentioned in off-line
>  discussion was DTLS 1.2 (RFC6347), but Francis pointed out that it's
>  quite exchange heavy, compared to DHCP, which takes 1 or 2 exchanges.
>  Going to 3 or perhaps 4 exchanges is ok in my opinion, but if the
>  proposal requires more than that, we would see a lot of raised eyebrows.

=> Without RSA encryption, only solutions using state and multiple
exchanges are available, so instead of transforming DHCP into something
different I suggest doing the opposite: start from a security protocol
and add some DHCP features to it. In the case of opportunistic
IPsec/IKE it could be more DHCP features or, if we are lucky, some
profiles...

Regards

Francis.Dupont@fdupont.fr

PS: References are:
 RFC 4322 "Opportunistic Encryption using the Internet Key Exchange (IKE)"
 RFC 5996 "Internet Key Exchange Protocol Version 2 (IKEv2)"
 RFC 5739 "IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)"