RE: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Ralph Droms <rdroms@cisco.com> Tue, 08 October 2002 20:05 UTC
Message-Id: <4.3.2.7.2.20021008155721.00b80818@funnel.cisco.com>
Date: Tue, 08 Oct 2002 16:00:57 -0400
To: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
From: Ralph Droms <rdroms@cisco.com>
Subject: RE: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Cc: Thomas Narten <narten@us.ibm.com>, Ted Lemon <Ted.Lemon@nominum.com>, Kim Kinnear <kkinnear@cisco.com>, dhcwg@ietf.org
In-Reply-To: <F9211EC7A7FED4119FD9005004A6C8700AAD90CB@eamrcnt723.exu.ericsson.se>
Oh, right, if I remember correctly the IPsec trust is pairwise between relay agents and then between the last relay agent and the server. Not pretty to configure - but the configuration is reasonably static.

- Ralph

At 02:45 PM 10/8/2002 -0500, Bernie Volz (EUD) wrote:
> Why is IPsec a problem if you have multiple relays? If so, we may have the
> same issue with DHCPv6?
>
> In DHCPv4, each relay generates a new message so it can be subject to IPsec.
>
> The server must assume that the relay before it (the one it received the
> packet from) has sufficiently trusted the source (such as another relay) to
> relay the packet.
>
> - Bernie
>
> -----Original Message-----
> From: Ralph Droms [mailto:rdroms@cisco.com]
> Sent: Tuesday, October 08, 2002 3:22 PM
> To: Thomas Narten
> Cc: Ted Lemon; Bernie Volz (EUD); Kim Kinnear; dhcwg@ietf.org
> Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
>
> If I squint my eyes and stand back far enough, I don't see that the DHCPv4
> case is different. While the relay agent is relaying a message on behalf
> of the client, it really is relaying that message in an independent UDP
> message, in which the source address belongs to the relay agent. I don't
> think there is any reason the relay agent and server can't employ IPsec on
> the relay agent<->server messages.
>
> Of course, IPsec may be problematic if there are multiple relay agents in
> the path - which is the problem Mark Stapp is trying to solve, right?
>
> - Ralph
>
> At 03:11 PM 10/8/2002 -0400, Thomas Narten wrote:
> > Ted Lemon <Ted.Lemon@nominum.com> writes:
> >
> > > > Perhaps I shouldn't raise this, but it seems like we should be
> > > > worrying much more about security on the first hop (client <->
> > > > server/relay) than the relay <-> server hop. The latter is much
> > > > easier to secure as IPsec, tunneling, and other fairly standard
> > > > techniques could be used.
> > > >
> > > > Also, is the DHCPv6 draft strong enough in this area to satisfy the
> > > > IESG (at least around the relay <-> server security)?
> > >
> > > Right, the relay<->server hop is regular IP, so there's no reason not
> > > to use IPsec to secure it.
> >
> > In DHCPv6, using IPsec makes sense. The relay agent is originating a
> > new message that it sends to the DHC server.
> >
> > But DHCPv4 is different, in that it relays the client packet. So IPsec
> > can't really be used there. But certainly a DHC-specific
> > authentication option could be defined for covering the relay agent
> > option and/or portions of the client request.
> >
> > Thomas
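As an added illustration of the relay chain discussed in this thread (constructed example code, not from the post, the draft, or any DHCP implementation): each DHCPv4 relay re-sends the client's packet in its own UDP datagram, so a server whose IPsec peers are configured pairwise authenticates only the last hop and takes giaddr and the earlier hops on that relay's word. The relay addresses, MAC and xid are made up; the check against a configured peer set stands in for the IPsec SA lookup.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST fixed header with hops=0 and
    giaddr=0.0.0.0, followed by a minimal option list (message type, end)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,  # op htype hlen hops xid secs flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay(packet: bytes, relay_addr: str) -> tuple:
    """One relay hop: bump hops, fill giaddr only if it is still zero, and
    forward the otherwise unchanged client packet in a fresh UDP datagram
    whose source address is the relay itself (the address IPsec would key on)."""
    hops = packet[3] + 1
    giaddr = packet[24:28]
    if giaddr == b"\0\0\0\0":
        giaddr = socket.inet_aton(relay_addr)
    relayed = packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]
    return relayed, relay_addr


def server_receive(packet: bytes, udp_src: str, ipsec_peers: set) -> dict:
    """What the server can verify: the pairwise SA covers udp_src, i.e. the
    last relay only. giaddr and hops arrive on that relay's word; the server
    has no independent proof of the earlier hops."""
    if udp_src not in ipsec_peers:
        return {"accepted": False, "reason": f"no IPsec SA with {udp_src}"}
    return {"accepted": True, "authenticated_hop": udp_src,
            "giaddr": socket.inet_ntoa(packet[24:28]), "hops": packet[3]}


def run_chain(relays: list, ipsec_peers: set) -> dict:
    """Client -> relays (in order) -> server; returns the server's verdict."""
    pkt = build_discover(0x3903F326, bytes.fromhex("001122334455"))  # constructed
    src = "0.0.0.0"  # the client has no address yet
    for addr in relays:
        pkt, src = relay(pkt, addr)
    return server_receive(pkt, src, ipsec_peers)


if __name__ == "__main__":
    # Only the last relay (10.0.2.1) holds an SA with the server; the first
    # relay (10.0.1.1) is visible to it solely through giaddr.
    print(run_chain(["10.0.1.1", "10.0.2.1"], {"10.0.2.1"}))
    print(run_chain(["10.0.1.1", "10.0.2.1"], {"10.0.1.1"}))
```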