RE: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection

Ralph Droms <rdroms@cisco.com> Tue, 08 October 2002 20:05 UTC

Message-Id: <4.3.2.7.2.20021008155721.00b80818@funnel.cisco.com>
Date: Tue, 08 Oct 2002 16:00:57 -0400
To: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
From: Ralph Droms <rdroms@cisco.com>
Subject: RE: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Cc: Thomas Narten <narten@us.ibm.com>, Ted Lemon <Ted.Lemon@nominum.com>, Kim Kinnear <kkinnear@cisco.com>, dhcwg@ietf.org
In-Reply-To: <F9211EC7A7FED4119FD9005004A6C8700AAD90CB@eamrcnt723.exu.ericsson.se>

Oh, right, if I remember correctly the IPsec trust is pairwise between 
relay agents and then between the last relay agent and the server.  Not 
pretty to configure - but the configuration is reasonably static.

- Ralph

At 02:45 PM 10/8/2002 -0500, Bernie Volz (EUD) wrote:

>Why is IPsec a problem if you have multiple relays? If so, we may have the same
>issue with DHCPv6?
>
>In DHCPv4, each relay generates a new message so it can be subject to IPsec.
>
>The server must assume that the relay before it (the one it received the packet
>from) has sufficiently trusted the source (such as another relay) to relay the
>packet.
>
>- Bernie
>
>-----Original Message-----
>From: Ralph Droms [mailto:rdroms@cisco.com]
>Sent: Tuesday, October 08, 2002 3:22 PM
>To: Thomas Narten
>Cc: Ted Lemon; Bernie Volz (EUD); Kim Kinnear; dhcwg@ietf.org
>Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
>
>If I squint my eyes and stand back far enough, I don't see that the DHCPv4
>case is different.  While the relay agent is relaying a message on behalf
>of the client, it really is relaying that message in an independent UDP
>message, in which the source address belongs to the relay agent.  I don't
>think there is any reason the relay agent and server can't employ IPsec on
>the relay agent<->server messages.
>
>Of course, IPsec may be problematic if there are multiple relay agents in
>the path - which is the problem Mark Stapp is trying to solve, right?
>
>- Ralph
>
>At 03:11 PM 10/8/2002 -0400, Thomas Narten wrote:
> >Ted Lemon <Ted.Lemon@nominum.com> writes:
> >
> > > > Perhaps I shouldn't raise this, but it seems like we should be
> > > > worrying much more about security on the first hop (client <-> server/relay)
> > > > than the relay <-> server hop. The latter is much easier to secure as IPsec,
> > > > tunneling, and other fairly standard techniques could be used.
> > > >
> > > > Also, is the DHCPv6 draft strong enough in this area to satisfy the
> > > > IESG (at least around the relay <-> server security)?
> >
> > > Right, the relay<->server hop is regular IP, so there's no reason not
> > > to use IPsec to secure it.
> >
> >In DHCPv6, using IPsec makes sense. The relay agent is originating a
> >new message that it sends to the DHC server.
> >
> >But DHCPv4 is different, in that it relays the client packet. So IPsec
> >can't really be used there. But certainly a DHC-specific
> >authentication option could be defined for covering the relay agent
> >option and/or portions of the client request.
> >
> >Thomas

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
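To make the relay-chain argument in the thread concrete, here is an added Python model. It is not part of the original messages and is not code from any DHCP implementation. It shows the two points under discussion: each DHCPv4 relay re-originates the client's message as a new UDP datagram from its own address (so IPsec can cover each hop pairwise, but the server only ever sees the last hop and must trust that hop transitively), and a DHCP-level authenticator over the relay agent data can be checked end to end regardless of how many relays sit in between. Assumptions: the addresses, circuit-id and shared key are constructed; suboption code 250 for the MAC is hypothetical (not an assigned code), and the HMAC construction is only an illustration of the "DHC-specific authentication option" idea, not RFC 3046 or any later specification. The BOOTP header layout, option 82 and the magic cookie follow RFC 2131/RFC 3046.

```python
"""Model of a DHCPv4 relay chain (constructed example, not code from any DHCP
implementation). Each relay re-originates the client's message as a new UDP
datagram sourced from the relay; a hypothetical keyed-MAC suboption inside
option 82 shows an end-to-end check the server can do independently of IPsec."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82            # Relay Agent Information option (RFC 3046)
OPT_END = 255
SUB_CIRCUIT_ID = 1              # RFC 3046 suboption
SUB_AUTH = 250                  # hypothetical MAC suboption, not an assigned code
MAGIC = bytes([99, 130, 83, 99])
GIADDR = slice(24, 28)          # giaddr offset in the fixed BOOTP header
KEY = b"relay-to-server shared key (constructed)"


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER: 236-byte BOOTP header, cookie, message type, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr, b"", b"")
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


def mac_input(giaddr: bytes, circuit_id: bytes) -> bytes:
    """Bytes covered by the hypothetical authenticator: giaddr || circuit-id TLV."""
    return giaddr + bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id


def relay(dgram: Datagram, relay_addr: str, next_hop: str,
          circuit_id: bytes, key: Optional[bytes]) -> Datagram:
    """Relay agent behaviour: bump hops; the first relay (giaddr still 0) fills
    giaddr and appends option 82. The result is a *new* datagram sourced from
    the relay, which is the property that makes per-hop IPsec workable."""
    msg = bytearray(dgram.payload)
    msg[3] += 1
    if msg[GIADDR] == b"\0" * 4:
        msg[GIADDR] = socket.inet_aton(relay_addr)
        subopts = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        if key is not None:
            tag = hmac.new(key, mac_input(bytes(msg[GIADDR]), circuit_id),
                           hashlib.sha256).digest()
            subopts += bytes([SUB_AUTH, len(tag)]) + tag
        assert msg[-1] == OPT_END
        msg = msg[:-1] + bytes([OPT_RELAY_AGENT, len(subopts)]) + subopts + bytes([OPT_END])
    return Datagram(relay_addr, next_hop, DHCP_SERVER_PORT, bytes(msg))


def parse_tlv(buf: bytes, top_level: bool = True) -> dict:
    """TLV walk; PAD (0) and END (255) are special only at the option level,
    not inside option 82 suboptions."""
    out, i = {}, 0
    while i < len(buf):
        if top_level and buf[i] == OPT_END:
            break
        if top_level and buf[i] == 0:
            i += 1
            continue
        code, ln = buf[i], buf[i + 1]
        out[code] = buf[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def server_view(dgram: Datagram, key: Optional[bytes]) -> dict:
    """What the server can verify: the last-hop source (the only party a
    relay<->server IPsec SA would vouch for), giaddr, hop count, and, if
    present, the hypothetical MAC over the relay agent data."""
    msg = dgram.payload
    assert msg[236:240] == MAGIC
    opts = parse_tlv(msg[240:])
    view = {"last_hop": dgram.src, "giaddr": socket.inet_ntoa(msg[GIADDR]),
            "hops": msg[3], "circuit_id": None, "auth": "absent"}
    ra = opts.get(OPT_RELAY_AGENT)
    if ra is not None:
        sub = parse_tlv(ra, top_level=False)
        cid = sub.get(SUB_CIRCUIT_ID, b"")
        view["circuit_id"] = cid
        if key is not None and SUB_AUTH in sub:
            expect = hmac.new(key, mac_input(msg[GIADDR], cid), hashlib.sha256).digest()
            view["auth"] = "ok" if hmac.compare_digest(expect, sub[SUB_AUTH]) else "bad"
    return view


def run_chain(key: Optional[bytes], tamper: bool = False) -> dict:
    """Client -> relay1 (10.0.1.1) -> relay2 (10.0.2.1) -> server (10.0.9.9).
    With tamper=True, relay2 rewrites the circuit-id relay1 inserted: a
    compromised intermediate relay that per-hop IPsec cannot catch."""
    client = Datagram("0.0.0.0", "255.255.255.255", DHCP_SERVER_PORT,
                      build_discover(bytes.fromhex("001122334455"), 0x1234))
    hop1 = relay(client, "10.0.1.1", "10.0.2.1", b"eth0/7", key)
    if tamper:
        hop1 = Datagram(hop1.src, hop1.dst, hop1.dport,
                        hop1.payload.replace(b"eth0/7", b"eth0/9"))
    hop2 = relay(hop1, "10.0.2.1", "10.0.9.9", b"unused", key)
    return server_view(hop2, key)


if __name__ == "__main__":
    print("no auth:        ", run_chain(None))
    print("auth:           ", run_chain(KEY))
    print("auth, tampered: ", run_chain(KEY, tamper=True))
```

In every run the server sees source 10.0.2.1 (the second relay), giaddr 10.0.1.1 (the first relay) and hops == 2: a relay<->server IPsec SA with 10.0.2.1 says nothing about what 10.0.1.1 inserted, which is the pairwise, transitive trust Ralph describes. With the key configured, the MAC verifies in the honest run and fails when the intermediate relay rewrites the circuit-id, which is the kind of end-to-end coverage of the relay agent option Thomas suggests a DHCP-specific authentication option could provide.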