Re: [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt

Thomas Narten <narten@us.ibm.com> Mon, 04 November 2002 17:27 UTC

Message-Id: <200211041720.gA4HKko25690@rotala.raleigh.ibm.com>
To: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
cc: 'Ralph Droms' <rdroms@cisco.com>, dhcwg@ietf.org
Subject: Re: [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt
In-Reply-To: Message from "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se> of "Tue, 29 Oct 2002 12:33:47 CST." <A1DDC8E21094D511821C00805F6F706B0499F91F@eamrcnt715.exu.ericsson.se>
Date: Mon, 04 Nov 2002 12:20:46 -0500
From: Thomas Narten <narten@us.ibm.com>

> Yes, that was the text I was referring to. And, I think we are in
> agreement. I just feel it is better to state it the other way around
> - a relay agent SHOULD NOT relay a relayed message (giaddr field is
> non-zero) using IPsec unless the relay received that message secured
> by IPsec.

So if you have three DHC "hops" in your path, but one of them is
unprotected, it makes no sense to protect the other two? That doesn't
follow at all.

The threats one is concerned about may vary on each "hop". It may well
make sense to protect the hop(s) that traverse paths where one is
particularly worried about threats, while not being as worried about
certain other hops on the overall path.

Right?

Thomas