IETF Logo Mail Archive

Re: [dhcwg] Stephen Farrell's Discuss on draft-ietf-dhc-dhcpv6-active-leasequery-03: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 10 July 2015 14:54 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03DEA1B2C91; Fri, 10 Jul 2015 07:54:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExwSydS9-m_A; Fri, 10 Jul 2015 07:54:31 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CC771A9166; Fri, 10 Jul 2015 07:54:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 52E7BBE73; Fri, 10 Jul 2015 15:54:29 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c4fyEyB9tl7H; Fri, 10 Jul 2015 15:54:27 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.23.241]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A2147BE5D; Fri, 10 Jul 2015 15:54:27 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1436540067; bh=PbAaLtBdwj5R58oq2eOCxQzNqHYSfr/ZkF50ueKdlpc=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=1nQIkP+rHBOefvc3UkQ8j/A8uHnCumC0fXVJWENaP8VKrc2HlqbNPDUIuLYqDO7B6 g2sYZOZLFUX8LEHEy5dCMnFWV31cD6ZVnC33FRiOYDWMstByQpcDnY8QJiPlJF4/85 NVXaFVamYcu4RC2KNU/tIl6yEKo09rjNqdTzMhZc=
Message-ID: <559FDCA3.7020504@cs.tcd.ie>
Date: Fri, 10 Jul 2015 15:54:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Kim Kinnear <kkinnear@cisco.com>
References: <20150708114206.28697.67541.idtracker@ietfa.amsl.com> <5224B44F-7286-45CF-9509-06EDFDC2A704@cisco.com>
In-Reply-To: <5224B44F-7286-45CF-9509-06EDFDC2A704@cisco.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/95QvWDZj7M_PUvyks62vEvri5I8>
Cc: dhc-chairs@ietf.org, draft-ietf-dhc-dhcpv6-active-leasequery@ietf.org, The IESG <iesg@ietf.org>, dhcwg@ietf.org
Subject: Re: [dhcwg] Stephen Farrell's Discuss on draft-ietf-dhc-dhcpv6-active-leasequery-03: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 14:54:33 -0000

Thanks Kim,

I'm fine with that being there, but was just wondering if there
was a specific reason and didn't intend to suggest a change.

Cheers,
S.

PS: Will respond to your other mail later today

On 10/07/15 15:48, Kim Kinnear wrote:
> 
> On Jul 8, 2015, at 7:42 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>> - section 10: why is (the usually mythical:-) 3315 a MUST NOT
>> here? I don't get that. I could see it being an EDONTCAR but I
>> don't see the harm if one did go mad and try use 3315. And I
>> could maybe, possibly, with a lot of a nose-holding, see a
>> universe in which one might use TLS server auth for the DHCP
>> server and 3315 to authenticate the requestor, so it seems odd
>> to rule that out in this way.
> 
> Stephen,
> 
> This language was in the first draft submission of this protocol,
> so it wasn't something added along the way.  I would say that
> the arguments for this language are:
> 
>   1. If you want authentication, use TLS which is a documented part of
>   this protocol.
> 
>   2. The RFC 3315 authentication explicitly does not deal with data
>   security, and so again, TLS gives you that.
> 
>   3. RFC 3315 authentication has not been specified over a TCP
>   connection to the DHCP server.  Are there things you would need to
>   think about here?  I can't think of any right off, but it still
>   makes a nice argument.
> 
>   4. Why allow *two* security/authentication mechanisms for one
>   protocol.  Yes, we could imagine someone using it, but if some
>   people use it and some people use TLS, then where does that leave
>   us?  Not communicating securely, seems to me. 
> 
> Bottom line:  Just because we can imagine someone doing this doesn't
> make it a good thing to do.  So, I would say:  If you want
> authentication or security, use TLS.  If not, not.  I see zero value
> in allowing an intermediate solution which just makes the likelihood
> of actually communicating significantly less.
> 
> I think this statement -- MUST NOT use 3315 authentication -- should
> stand.
> 
> Regards -- Kim
>

v2.23.0 | Report a Bug | By Email