Re: [dhcwg] draft-bi-dhc-sec-option

Cui Yang <cuiyang@huawei.com> Wed, 28 March 2012 15:48 UTC

From: Cui Yang <cuiyang@huawei.com>
To: Ted Lemon <Ted.Lemon@nominum.com>, Alper Yegin <alper.yegin@yegin.org>, dhc WG <dhcwg@ietf.org>
Date: Wed, 28 Mar 2012 15:47:05 +0000
Message-ID: <8CC0CB0BCAE52F46882E17828A9AE2161F479B8F@SZXEML508-MBS.china.huawei.com>
References: <CAC16W0DXs4q5ApuiyN4pVJVuXQQunAFMGnu5JjJvszcWjnncJA@mail.gmail.com>, <2F208A97-BFF3-4820-BA98-3E47AC41D992@yegin.org>, <8D23D4052ABE7A4490E77B1A012B6307472C3E6F@mbx-02.win.nominum.com>
In-Reply-To: <8D23D4052ABE7A4490E77B1A012B6307472C3E6F@mbx-02.win.nominum.com>
Subject: Re: [dhcwg] draft-bi-dhc-sec-option

Hi, Ted and Alper,

Thanks for your reviews and comments.

The proposed DHCP option is aimed at helping to set up the security mechanism, i.e., carrying the IP addresses of the PKI server, etc.
But the option itself does not need to be protected; in other words, the security does not necessarily rely on the DHCP option.

The current usage of the vendor-specific solution (option 43) for this problem is quite restricted, because of the usual limitation of requiring the client and server to understand these vendor-specific extensions. It is desirable that security configuration have a new standardized option, since most parameters are common across most clients and servers.

Thanks,
Yang
________________________________________
From: Ted Lemon [Ted.Lemon@nominum.com]
Sent: 27 March 2012 23:19
To: Alper Yegin; dhc WG
Subject: Re: [dhcwg] draft-bi-dhc-sec-option

> RFC 3118 is not used. Sending security parameters over DHCP needs consideration.

Yes, we have pretty much given up on providing information like this in DHCP. It doesn't make any sense to do so, because DHCP does not operate in controlled administrative domains. Even if you authenticate the DHCP server, you still can't trust it to tell you what PKI server to talk to.
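The two mechanisms named in this thread, option 43 (vendor-specific information, RFC 2132) and the RFC 3118 authentication option (option 90), can be made concrete with a small decoder. The following is an added example and not code from the draft, from Huawei, or from any DHCP implementation; the vendor class string "ACME-SEC", the sub-option layout in VENDOR_LAYOUTS and the 192.0.2.x addresses are constructed for illustration. It shows the interoperability problem Cui Yang describes (a client that does not know the vendor's table cannot interpret option 43 at all) and, beside it, a check for option 90 that only tells you the message was keyed to the DHCP server, not that the server is a trustworthy source for a PKI endpoint.

```python
"""Decode the vendor-specific path (option 43) a DHCP client takes today to
learn a "PKI server" address, and report whether RFC 3118 authentication
(option 90) was present. Added example; the vendor class string and the
sub-option layout below are hypothetical, not from any draft or vendor."""
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_VENDOR_SPECIFIC = 43     # RFC 2132 s8.4: encapsulated TLV sub-options
OPT_VENDOR_CLASS = 60
OPT_AUTHENTICATION = 90      # RFC 3118

# Hypothetical vendor layout: sub-option 1 carries one or more IPv4 addresses
# of the PKI server. A client that lacks this table for the server's vendor
# class sees option 43 only as opaque bytes.
VENDOR_LAYOUTS = {b"ACME-SEC": {"pki_server_subopt": 1}}


def parse_tlv(buf):
    """Parse a DHCPv4 TLV option list (the same format is used inside option 43)."""
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts.append((code, bytes(value)))
        i += 2 + length
    return opts


def parse_options_field(field):
    """Parse the 'options' field of a DHCPv4 message, cookie included."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    return parse_tlv(field[len(MAGIC_COOKIE):])


def first(opts, code):
    return next((v for c, v in opts if c == code), None)


def extract_pki_servers(opts, layouts=VENDOR_LAYOUTS):
    """Return PKI server addresses from option 43, or None when the vendor
    class is unknown and option 43 therefore cannot be interpreted."""
    layout = layouts.get(first(opts, OPT_VENDOR_CLASS))
    if layout is None:
        return None
    raw = first(opts, OPT_VENDOR_SPECIFIC)
    if raw is None:
        return []
    servers = []
    for code, value in parse_tlv(raw):
        if code == layout["pki_server_subopt"]:
            if len(value) % 4 != 0:
                raise ValueError("PKI server sub-option length is not a multiple of 4")
            servers += [str(IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]
    return servers


def has_rfc3118_auth(opts):
    """True if an RFC 3118 authentication option is present. Even then the
    message is only bound to a key shared with the DHCP server; that does not
    make the server an authority on which PKI the client should trust."""
    return first(opts, OPT_AUTHENTICATION) is not None


def build_offer_options(vendor_class, pki_servers, layout_subopt=1):
    """Constructed sample: the options field of a DHCPOFFER carrying option 43."""
    addrs = b"".join(IPv4Address(a).packed for a in pki_servers)
    sub = bytes([layout_subopt, len(addrs)]) + addrs + bytes([OPT_END])
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, 2])                      # DHCPOFFER
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
            + bytes([OPT_VENDOR_SPECIFIC, len(sub)]) + sub
            + bytes([OPT_END]))


# Constructed sample input (TEST-NET-1 addresses), not captured traffic.
SAMPLE_OFFER = build_offer_options(b"ACME-SEC", ["192.0.2.10", "192.0.2.11"])

if __name__ == "__main__":
    opts = parse_options_field(SAMPLE_OFFER)
    print("PKI servers:", extract_pki_servers(opts))
    print("RFC 3118 authentication present:", has_rfc3118_auth(opts))
    other = parse_options_field(build_offer_options(b"OTHER-VENDOR", ["192.0.2.10"]))
    print("unknown vendor class ->", extract_pki_servers(other))
```

With the known vendor class the decoder yields both addresses; swap in any other vendor class and the same option 43 bytes become undecodable, which is the restriction a standardized option would remove. Note that has_rfc3118_auth returning True would not change the trust question raised in the quoted reply: the client still has no basis for accepting the DHCP server's choice of PKI server beyond its choice of DHCP server.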