IETF Logo Mail Archive

Re: [dhcwg] Secure DHCPv6 Deployment Consideration - proposed text

Francis Dupont <Francis.Dupont@fdupont.fr> Tue, 06 October 2015 19:47 UTC

Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 240241B3227 for <dhcwg@ietfa.amsl.com>; Tue, 6 Oct 2015 12:47:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.262
X-Spam-Level:
X-Spam-Status: No, score=-1.262 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pM2iqiaiR9hB for <dhcwg@ietfa.amsl.com>; Tue, 6 Oct 2015 12:47:54 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F1E71B3226 for <dhcwg@ietf.org>; Tue, 6 Oct 2015 12:47:53 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [IPv6:::1]) by givry.fdupont.fr (8.14.7/8.14.7) with ESMTP id t96JjG8P027871; Tue, 6 Oct 2015 21:45:17 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201510061945.t96JjG8P027871@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: 神明達哉 <jinmei@wide.ad.jp>
In-reply-to: Your message of Tue, 06 Oct 2015 10:52:18 -0700. <CAJE_bqeva4f=BKt4LZdgf6Rput38jfc3szzhHuzEEn5yERTvMA@mail.gmail.com>
Date: Tue, 06 Oct 2015 21:45:16 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/82ZGOz7DGBZf4hSvcIaTC8-iK4w>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "dhc-chairs@tools.ietf.org" <dhc-chairs@tools.ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, "draft-ietf-dhc-sedhcpv6@tools.ietf.org" <draft-ietf-dhc-sedhcpv6@tools.ietf.org>
Subject: Re: [dhcwg] Secure DHCPv6 Deployment Consideration - proposed text
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2015 19:47:55 -0000

I join Jinmei, both because I'd like to see the secure DHCPv6 document
published in a reasonable (i.e, short!) delay, and because I was asked for.
(so if I can help please ask!)

BTW I can see 2 "sure" senarios for deployment:
 - secure DHCPv6 as a complement of SEND. In this case all the PKI
  issues are already solved at the SEND level at the protocol level
  (i.e., a router (e.g., the router which puts the M/O bit(s) in RAs
  asking for DHCPv6) already provided the certificate validation stuff
  (e.g., certificate chain, crls, etc)) and at the organization level
  (e.g., X.509 prefile).

 - static pre-configuration of credentials. In this case the environment
  is closed and everything was installed offline before secure DHCPv6 use.
  At the limit, it is enough to verify the "right" certificate (or raw key)
  is used. Using the draft terminology, clients are configured with the
  server certificate/key and the server has a table matching each client
  with the corresponding certificate/key (BTW it is a common way to perform
  authorization from a PKI): this is the "local trust certificate list".

Regards

Francis.Dupont@fdupont.fr

PS: the ISC Kea experimental implementation of secure DHCPv6 can call
an external library for the certificate validation. This allows any
kind of trust/authorization schemes (at the server side as Kea is
server only).

v2.23.0 | Report a Bug | By Email