Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Ted Lemon <> Wed, 07 June 2017 19:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B6737129AD2 for <>; Wed, 7 Jun 2017 12:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IUnlRQJR9xvI for <>; Wed, 7 Jun 2017 12:34:15 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 23799129461 for <>; Wed, 7 Jun 2017 12:34:15 -0700 (PDT)
Received: by with SMTP id u19so18127794qta.3 for <>; Wed, 07 Jun 2017 12:34:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=UGTmJvBhRNXWbdQHpYBpBhP337VZMR3PUeQM5tjRMs8=; b=hWH1h2h5lZYsvcgR7+/fnnjtMcXUGFHR3Symz66YoiMUzJ1ukQTbG51mb4rIad46vh h5r/H+jhI+cYU6qEu2xUHEikFojAAePAQwpB1AfAkn8nkLuQc8QfMMlDr/w/GLWwp0+l p7Qqs6XfxCqDJYDtJDsSvubh7ddcaVf4Wkf6n/ReVr/aCKdvUuounTqXUX5hWrkOpaB5 6jaAp/0m5V/NlGjP/6OUGAIZrqryAu40giytgbnl9XZoEvB1Lnl/XP6evDhhRqhcEJOU 8/7nx3qaC5LniXidtkEV5TmR4KARWQbYgyfhXylEEhS/5cjQiKtXNvJEBpp48Wq0HAmV QMGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=UGTmJvBhRNXWbdQHpYBpBhP337VZMR3PUeQM5tjRMs8=; b=Qq60ImSFtCvflJGrNiVOT3gymPRz2f5bter/po1wUQft370Mfywegb/ZQWLq9+1mTi lfmY37wMo/VhrmO7asTE3gjUMPBvppyUsgBAOEDgNpl6mpHVQTnAemENUgJw3PK7chTh jHNS+lCfkcDbPeZSTvyvWUs7l+sUUuva4XP4XlFcjkIMXa5c4dl7WhzZhw7tkB1DtGQx 4vlyzfQr6ucYxg44zgijM0kY4u41sW8BVEWcSiBV57apSSt71cBYgw7eWIHxmEc30hB3 Monq9BuWWQTRk4Sr+seJYYHZQeFHET3hMJTGR2u0qA3xh0VQaBHIL9jGXCEHDSR0QtMw PrRA==
X-Gm-Message-State: AKS2vOzDHpkG2rmoWf87TN6KiEj7rQ5HBMsbtTFZyy/ZT3JpYl7J8sxv GnDp0mJkEkxbxqzB
X-Received: by with SMTP id e127mr39718646qkc.19.1496864054339; Wed, 07 Jun 2017 12:34:14 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id k6sm1695509qtk.10.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Jun 2017 12:34:13 -0700 (PDT)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6EF6EE6B-5154-4595-B856-04882AF31A85"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 7 Jun 2017 15:34:12 -0400
In-Reply-To: <>
Cc: Tomek Mrugalski <>,
To: Francis Dupont <>
References: <> <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Jun 2017 19:34:17 -0000

On Jun 7, 2017, at 3:26 PM, Ted Lemon <> wrote:
> Suppose I want to code up a DHCP client that uses IPsec on the Mac.   What API do I use?   Since encryption is now being done in the network stack, I don't have the option of not using an API.   AFAIK, no such API exists.   I'm choosing the Mac specifically because I haven't been able to find documentation for one there—I know I can do it on Linux.

Nevermind, I think I found it.

In order for this to work, I think the initial DHCPINFORM would need to include a public key, and the response would include a generated shared secret signed in the server's private key and encrypted using the client's public key.   It would also include the server's public key.   This would allow us to establish keying for the IPsec encryption.

However, I don't think this would actually work, because now we have an encrypted blob for the relay agent.   What does it do with it?

Once we have established a shared private key, I think that we would want to just use Bernie's model. Either that, or we use DTLS and wrap it in the same sort of message exchange, and the encrypted blobs are shipped around in DHCP messages pretty much the same way that we're doing in the current protocol.

But I don't have time to think about this right now... :)