Re: [dhcwg] WGLC on draft-ietf-dhc-relay-server-security-01 - respond by Nov 9

"Bernie Volz (volz)" <volz@cisco.com> Fri, 28 October 2016 21:57 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: WGLC on draft-ietf-dhc-relay-server-security-01 - respond by Nov 9
Date: Fri, 28 Oct 2016 21:57:40 +0000
Message-ID: <ccd1836d6f514855a37ef40a7f36c31e@XCH-ALN-003.cisco.com>
References: <147671242179.4527.12337010225582460227.idtracker@ietfa.amsl.com> <7e03afc26a08461e8308d5bdf985bed9@XCH-ALN-003.cisco.com> <ccbfe561da43469e8f894e2235c4b429@XCH15-06-08.nw.nos.boeing.com> <6a8f5646aedb44b5af85d7a45039eb02@XCH-ALN-003.cisco.com> <ed09c191c9a24989b38ec3db233e04d1@XCH15-06-08.nw.nos.boeing.com> <CA+dB4X4edhyJa+FR8phiJvQqi1wPU+eqsZ4=b4WHL7mFj-Dkgw@mail.gmail.com> <6c57d13d-7f48-67b5-fdad-4f230f46553f@gmail.com>
In-Reply-To: <6c57d13d-7f48-67b5-fdad-4f230f46553f@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/15QO4e8Z-kOL_MG7xKGVubJi7Rk>
Subject: Re: [dhcwg] WGLC on draft-ietf-dhc-relay-server-security-01 - respond by Nov 9

Hi:

As a co-author, I support this moving forward.

During the WGLC of draft-ietf-dhc-rfc3315bis-05, Jinmei raised a comment regarding Key Management in section 19.1 of that bis document (see https://www.ietf.org/mail-archive/web/dhcwg/current/msg17577.html) that also impacts the text in this new draft.

After some offline exchanges, I propose we change the text for Key Management in section 3 of this document (and similarly in the bis document) to:

   Key management          Because both relay agents and servers tend to
                           be managed by a single organizational entity,
                           public key schemes may be optional.  Manually
                           configured key management may suffice, but
                           does not provide defense against replayed
                           messages.  Accordingly, IKE [RFC2409] / IKEv2
                           [RFC7296] with preshared secrets SHOULD be
                           supported.  IKE/IKEv2 with public keys MAY be
                           supported.  Additional information on manual
                           vs automated key management and when one
                           should be used over the other can be found in
                           [RFC4107].

- Bernie
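As an added illustration (not part of Bernie's message or of the draft), the "IKEv2 with preshared secrets" option from the proposed text, written as a strongSwan swanctl.conf fragment on the relay-agent side. The addresses, identities and the secret are made-up placeholders; the server would carry the mirror-image configuration.

```conf
# Added example: strongSwan swanctl.conf on a DHCPv6 relay agent, protecting
# relay<->server traffic with ESP in transport mode, keyed by IKEv2 with a
# preshared secret (the SHOULD option in the proposed Key Management text).
# Addresses, identities and the secret are made-up placeholders.
connections {
    dhcpv6-relay-to-server {
        version = 2                    # IKEv2 only
        local_addrs  = 2001:db8:1::2   # this relay agent (placeholder)
        remote_addrs = 2001:db8:2::1   # DHCPv6 server (placeholder)
        proposals = aes128gcm16-prfsha256-x25519
        rekey_time = 4h                # IKE SA is re-keyed automatically
        local {
            auth = psk
            id = relay1.example.net
        }
        remote {
            auth = psk
            id = dhcp1.example.net
        }
        children {
            dhcpv6 {
                mode = transport
                # Relay -> server messages go to UDP/547 on the server; the
                # relay's own source port is left unpinned so replies to the
                # relay (server:547 -> relay:547) are covered too.
                local_ts  = 2001:db8:1::2/128[udp]
                remote_ts = 2001:db8:2::1/128[udp/547]
                esp_proposals = aes128gcm16-x25519
                rekey_time = 1h        # fresh ESP keys; manually configured keys never rotate
                start_action = trap    # install the policy now, negotiate on first packet
            }
        }
    }
}

secrets {
    # Secret shared only by this relay/server pair; keep the file root-readable.
    ike-dhcp {
        id-relay  = relay1.example.net
        id-server = dhcp1.example.net
        secret = "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    }
}
```

Because the SAs are negotiated and re-keyed by IKEv2, ESP sequence numbers and the anti-replay window are usable, which is the replay defense the proposed text notes is missing with purely manual keying.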

-----Original Message-----
From: Tomek Mrugalski [mailto:tomasz.mrugalski@gmail.com]
Sent: Wednesday, October 26, 2016 3:19 PM
To: dhcwg@ietf.org
Cc: Yogendra Pal <jntupal@gmail.com>; Bernie Volz (volz) <volz@cisco.com>
Subject: WGLC on draft-ietf-dhc-relay-server-security-01 - respond by Nov 9

Hi,
Authors believe this draft to be ready for working group last call.
Please send your substantial comments to the mailing list and express your opinion whether this draft is ready for publication. Feel free to send nitpicks and minor corrections to the authors directly.

This draft has been adopted relatively recently. It's a very short draft (a bit over 3 pages of the actual text) that explains how communication between relays and servers could be secured using IPSec.
The issue it tries to address was raised during IESG discussions a couple of months ago when processing one of the earlier DHC drafts.

Please post your comments by Nov. 9th. Since Bernie is a co-author, I will determine the consensus.

Title: Security of Messages Exchanged Between Servers and Relay Agents
Authors: Bernie Volz, Yogendra Pal
Filename: draft-ietf-dhc-relay-server-security-01
Pages: 8
Date: 2016-10-17

https://tools.ietf.org/html/draft-ietf-dhc-relay-server-security-01

Thanks,
Tomek