Re: [dhcwg] Secure DHCPv6 Deployment Consideration - proposed text
Francis Dupont <Francis.Dupont@fdupont.fr> Tue, 06 October 2015 19:47 UTC
Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 240241B3227 for <dhcwg@ietfa.amsl.com>; Tue, 6 Oct 2015 12:47:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.262
X-Spam-Level:
X-Spam-Status: No, score=-1.262 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pM2iqiaiR9hB for <dhcwg@ietfa.amsl.com>; Tue, 6 Oct 2015 12:47:54 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F1E71B3226 for <dhcwg@ietf.org>; Tue, 6 Oct 2015 12:47:53 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [IPv6:::1]) by givry.fdupont.fr (8.14.7/8.14.7) with ESMTP id t96JjG8P027871; Tue, 6 Oct 2015 21:45:17 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201510061945.t96JjG8P027871@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: 神明達哉 <jinmei@wide.ad.jp>
In-reply-to: Your message of Tue, 06 Oct 2015 10:52:18 -0700. <CAJE_bqeva4f=BKt4LZdgf6Rput38jfc3szzhHuzEEn5yERTvMA@mail.gmail.com>
Date: Tue, 06 Oct 2015 21:45:16 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/82ZGOz7DGBZf4hSvcIaTC8-iK4w>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "dhc-chairs@tools.ietf.org" <dhc-chairs@tools.ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, "draft-ietf-dhc-sedhcpv6@tools.ietf.org" <draft-ietf-dhc-sedhcpv6@tools.ietf.org>
Subject: Re: [dhcwg] Secure DHCPv6 Deployment Consideration - proposed text
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2015 19:47:55 -0000
I join Jinmei, both because I'd like to see the secure DHCPv6 document published in a reasonable (i.e, short!) delay, and because I was asked for. (so if I can help please ask!) BTW I can see 2 "sure" senarios for deployment: - secure DHCPv6 as a complement of SEND. In this case all the PKI issues are already solved at the SEND level at the protocol level (i.e., a router (e.g., the router which puts the M/O bit(s) in RAs asking for DHCPv6) already provided the certificate validation stuff (e.g., certificate chain, crls, etc)) and at the organization level (e.g., X.509 prefile). - static pre-configuration of credentials. In this case the environment is closed and everything was installed offline before secure DHCPv6 use. At the limit, it is enough to verify the "right" certificate (or raw key) is used. Using the draft terminology, clients are configured with the server certificate/key and the server has a table matching each client with the corresponding certificate/key (BTW it is a common way to perform authorization from a PKI): this is the "local trust certificate list". Regards Francis.Dupont@fdupont.fr PS: the ISC Kea experimental implementation of secure DHCPv6 can call an external library for the certificate validation. This allows any kind of trust/authorization schemes (at the server side as Kea is server only).
- [dhcwg] Secure DHCPv6 Deployment Consideration - … Sheng Jiang
- Re: [dhcwg] Secure DHCPv6 Deployment Consideratio… 神明達哉
- Re: [dhcwg] Secure DHCPv6 Deployment Consideratio… Sheng Jiang
- Re: [dhcwg] Secure DHCPv6 Deployment Consideratio… Dacheng Zhang
- Re: [dhcwg] Secure DHCPv6 Deployment Consideratio… 神明達哉
- Re: [dhcwg] Secure DHCPv6 Deployment Consideratio… 神明達哉
- Re: [dhcwg] Secure DHCPv6 Deployment Consideratio… Francis Dupont