IETF Logo Mail Archive

Re: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 17 October 2016 20:35 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 240BE129998 for <dhcwg@ietfa.amsl.com>; Mon, 17 Oct 2016 13:35:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLYBLYXiyU7s for <dhcwg@ietfa.amsl.com>; Mon, 17 Oct 2016 13:35:17 -0700 (PDT)
Received: from phx-mbsout-01.mbs.boeing.net (phx-mbsout-01.mbs.boeing.net [130.76.184.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C3DB12998D for <dhcwg@ietf.org>; Mon, 17 Oct 2016 13:35:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id u9HKZG0P020643; Mon, 17 Oct 2016 13:35:16 -0700
Received: from XCH15-06-09.nw.nos.boeing.com (xch15-06-09.nw.nos.boeing.com [137.136.239.172]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id u9HKZ94T020561 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Mon, 17 Oct 2016 13:35:09 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-09.nw.nos.boeing.com (2002:8988:efac::8988:efac) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 17 Oct 2016 13:35:08 -0700
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1178.000; Mon, 17 Oct 2016 13:35:09 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: "Bernie Volz (volz)" <volz@cisco.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt
Thread-Index: AQHSKH3lz/OzTPzvyE2kKLhsROBcOaCtIS2A//+5WMCAAH6CgP//wbCw
Date: Mon, 17 Oct 2016 20:35:08 +0000
Message-ID: <ed09c191c9a24989b38ec3db233e04d1@XCH15-06-08.nw.nos.boeing.com>
References: <147671242179.4527.12337010225582460227.idtracker@ietfa.amsl.com> <7e03afc26a08461e8308d5bdf985bed9@XCH-ALN-003.cisco.com> <ccbfe561da43469e8f894e2235c4b429@XCH15-06-08.nw.nos.boeing.com> <6a8f5646aedb44b5af85d7a45039eb02@XCH-ALN-003.cisco.com>
In-Reply-To: <6a8f5646aedb44b5af85d7a45039eb02@XCH-ALN-003.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/9GRNP92LY2bn3enS_mdlBgIW6Lo>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 20:35:19 -0000

Hi Bernie,

> -----Original Message-----
> From: Bernie Volz (volz) [mailto:volz@cisco.com]
> Sent: Monday, October 17, 2016 10:17 AM
> To: Templin, Fred L <Fred.L.Templin@boeing.com>; dhcwg@ietf.org
> Subject: RE: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt
> 
> Hi:
> 
> As stated in Section 3:
> 
>    While IPsec is not mandated for relay to relay, relay to server, and
>    server to relay communication, it is highly recommended unless some
>    other security mechanisms are already in place (such as VPN tunnels)
>    that protect this potentially sensitive traffic from pervasive
>    monitoring and other attacks.
> 
> It doesn't mandate anything but highly recommends it. Yes, this is "weak" and really leaves it for the operator to decide what is
> necessary in their deployment. (One thought is that if someone is able to get into that part of the network, there is probably a lot
> more that they can do and monitor ... and just protecting they relay/relay/server communication is only one small piece).

That being the case, I am good with it.

Thanks - Fred
fred.l.templin@boeing.com

> - Bernie
> 
> -----Original Message-----
> From: Templin, Fred L [mailto:Fred.L.Templin@boeing.com]
> Sent: Monday, October 17, 2016 12:49 PM
> To: Bernie Volz (volz) <volz@cisco.com>; dhcwg@ietf.org
> Subject: RE: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt
> 
> Hi Bernie,
> 
> Just so I can understand the intent of this document, if the relay(s) and server already know that some form of encryption is already in
> use (e.g., if the client and server are using sedhcpv6) then it should be OK to omit encryption between the Relay and Server. Does this
> draft intend to mandate the use of encryption in all cases?
> 
> Thanks - Fred
>

v2.23.0 | Report a Bug | By Email