Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

Christian Huitema <huitema@huitema.net> Tue, 08 December 2020 02:10 UTC

To: Ted Lemon <mellon@fugue.com>, "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
Cc: secdir@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, last-call@ietf.org, Naveen Kottapalli <naveen.sarma@gmail.com>, dhcwg@ietf.org
References: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com> <1B6C9B2E-A750-44C5-A1AC-703482FB1AF4@fugue.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <45aa2ea2-bc78-25c6-cc66-9f7b61a33a26@huitema.net>
Date: Mon, 07 Dec 2020 17:11:33 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/AfZx9rRAP_bN4b6Kv9Nj4qmTJaQ>
Subject: Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

On 12/7/2020 5:03 AM, Ted Lemon wrote:
> Also, Christian, RA guard only works in a managed environment. In an 
> unmanaged environment it will break things. It would be wise to be 
> careful about when and where you recommend it or we will wind up with 
> interoperability problems. This is probably outside of the DHC wg’s 
> bailiwick.

But I am being careful -- I am not asking for any change in the draft, 
except for a trivial nit. I am just pointing out that there are attacks 
and that the proposed solution in 8213 did not pan out. It would be nice 
if there were guidance available on how to secure DHCP clients and 
servers "in practice", especially if your attack model includes virus or 
phishing attacks overtaking an authorized client inside the perimeter.

-- Christian Huitema