IETF Logo Mail Archive

Re: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt

Sten Carlsen <stenc@s-carlsen.dk> Wed, 25 June 2014 12:50 UTC

Return-Path: <stenc@s-carlsen.dk>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBF541B2C07 for <dhcwg@ietfa.amsl.com>; Wed, 25 Jun 2014 05:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.892
X-Spam-Level:
X-Spam-Status: No, score=-0.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 51yqNI-1STjh for <dhcwg@ietfa.amsl.com>; Wed, 25 Jun 2014 05:50:33 -0700 (PDT)
Received: from mail2.s-carlsen.dk (0134100024.0.fullrate.dk [90.185.128.210]) by ietfa.amsl.com (Postfix) with ESMTP id 688DD1B2C05 for <dhcwg@ietf.org>; Wed, 25 Jun 2014 05:50:33 -0700 (PDT)
Received: from silver4-wire.s-carlsen.dk (unknown [IPv6:2001:16d8:dd00:81ac:cabc:c8ff:fe91:1152]) by mail2.s-carlsen.dk (Postfix) with ESMTPA id D0FD919356; Wed, 25 Jun 2014 14:49:58 +0200 (CEST)
Message-ID: <53AAC576.7070609@s-carlsen.dk>
Date: Wed, 25 Jun 2014 14:49:58 +0200
From: Sten Carlsen <stenc@s-carlsen.dk>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Francis Dupont <Francis.Dupont@fdupont.fr>, Sheng Jiang <jiangsheng@huawei.com>
References: <201406251150.s5PBoAh6083205@givry.fdupont.fr>
In-Reply-To: <201406251150.s5PBoAh6083205@givry.fdupont.fr>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/5RkTG-Vj9DYuBpVEGxL-34RRh-Q
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 12:50:35 -0000


On 25/06/14 13:50, Francis Dupont wrote:
>  In your previous mail you wrote:
> 
>>  > - to document a way for an unsynchronized node to get a good time value,
>>  >  for instance sending an Information-Request or a Solicit without
>>  >  rapid-commit asking for a timestamp option in the ORO
>>  
>>  This has to be a separated document. It remains out of scope for this docume
>>  nt. In most of cases, it is ok to assume a node have a time which has less 5
>>  -min time drift. A brand new node without any knowledge of time is an edge c
>>  ase.
> 
> => to make timestamps more efficient for security you have to allow only
> small drift, so a pre-synchronization procedure should help to solve
> the unsecure/large vs secure/hard-to-implement drift. 
To me it seems that  a pre-synchronisation procedure is a great help for
intruders?

Now you can make sure the target is in time sync with the attack just by
synchronising with it first, really opens the window for attacks.

> Note about the
> first statement I agree it is "not normative".
> 
> Regards
> 
> Francis.Dupont@fdupont.fr
> 
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
> 

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!"

v2.23.0 | Report a Bug | By Email