Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

Simon Hobson <dhcp1@thehobsons.co.uk> Tue, 10 January 2017 08:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/30MrjBb9ornqJqb84XLISA58VZs>

Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com> wrote:

> If I understand correctly, you are asking how the certificate supplied through the DHCP option is validated.
>  
> The certificate supplied through the DHCP option is not validated, but it can be used to validate the certificate offered by the LWM2M server during the LWM2M bootstrapping phase.
>  
> Instead of the manufacturer hardcoding the root certificate in the device, we are proposing to obtain the same through a DHCP option.

I can see the use case, but now you are validating the information being provided ... using a certificate provided by an untrusted source.
Thus, if someone has enough access to redirect your devices to use their server, they probably have enough access to provide the fake certificate to make their server trusted. I'm assuming this is what Ted was alluding to.
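
The objection above, modelled as an added example that is not part of the original message or of the proposed draft: a device that takes its trust anchor from the same DHCP reply that names the server accepts whatever that reply describes, while a device with a provisioned anchor does not. The reply fields, host names and the textbook-RSA "certificates" built from small known primes are constructed assumptions for illustration only.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys

def make_ca(p, q):
    """Textbook RSA key from two known primes (constructed, demo-only, not secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(subject, n):
    return int.from_bytes(hashlib.sha256(subject.encode()).digest(), "big") % n

def issue(ca, subject):
    """CA signs a server identity; returns a minimal stand-in for a certificate."""
    return {"subject": subject, "sig": pow(digest(subject, ca["n"]), ca["d"], ca["n"])}

def verify(cert, anchor_n):
    """Check the certificate signature against a trust anchor (public modulus)."""
    return pow(cert["sig"], E, anchor_n) == digest(cert["subject"], anchor_n)

OPERATOR_CA = make_ca(2**61 - 1, 2**89 - 1)    # the operator's real root
ROGUE_CA = make_ca(2**107 - 1, 2**127 - 1)     # root generated by whoever runs the rogue server

# Constructed DHCP replies: each names a server and carries a root (hypothetical fields).
GENUINE_REPLY = {"server": "lwm2m.operator.example", "root_n": OPERATOR_CA["n"]}
ROGUE_REPLY = {"server": "lwm2m.rogue.example", "root_n": ROGUE_CA["n"]}

# What each server presents during bootstrapping.
SERVER_CERTS = {
    "lwm2m.operator.example": issue(OPERATOR_CA, "lwm2m.operator.example"),
    "lwm2m.rogue.example": issue(ROGUE_CA, "lwm2m.rogue.example"),
}

def bootstrap(reply, provisioned_anchor=None):
    """Return True if the device accepts the server named in the DHCP reply.

    With no provisioned anchor, the device trusts the root carried in the reply itself.
    """
    anchor = provisioned_anchor if provisioned_anchor is not None else reply["root_n"]
    cert = SERVER_CERTS[reply["server"]]
    return cert["subject"] == reply["server"] and verify(cert, anchor)

if __name__ == "__main__":
    print("anchor from DHCP, genuine reply:", bootstrap(GENUINE_REPLY))
    print("anchor from DHCP, rogue reply:  ", bootstrap(ROGUE_REPLY))
    print("provisioned anchor, rogue reply:", bootstrap(ROGUE_REPLY, OPERATOR_CA["n"]))
```

The signature check itself is sound in all three runs; the only thing that differs is where the anchor came from.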