Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection

Thomas Narten <narten@us.ibm.com> Tue, 08 October 2002 19:13 UTC

Message-Id: <200210081908.g98J8gq28110@rotala.raleigh.ibm.com>
To: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
cc: Kim Kinnear <kkinnear@cisco.com>, rdroms@cisco.com, dhcwg@ietf.org
Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
In-Reply-To: Message from "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se> of "Tue, 08 Oct 2002 13:16:51 CDT." <F9211EC7A7FED4119FD9005004A6C8700AAD90C4@eamrcnt723.exu.ericsson.se>
Date: Tue, 08 Oct 2002 15:08:42 -0400
From: Thomas Narten <narten@us.ibm.com>

> Perhaps I shouldn't raise this, but it seems like we should be
> worrying much more about security on the first hop (client <->
> server/relay) than the relay <-> server hop.

We should be worried about both. So, we do need to revisit the DHCP
authentication stuff to come up with something more deployable. I.e.,
wouldn't it be nice to (say) before an IETF download a certificate
that identifies the DHC servers that will be available (and trustable)
while at the IETF meetings?

> The latter is much
> easier to secure as IPsec, tunneling, and other fairly standard
> techniques could be used.

Right. So, for the case of IPv4, it would be really nice to at least
have this. Right now, we don't.

> Also, is the DHCPv6 draft strong enough in this area to satisfy the
> IESG (at least around the relay <-> server security)?

Section 21.2 in the dhcpv6 doc seems good enough. Use IPsec, with
static keys. This seems deployable/manageable, if not ideal.

Thomas
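The relay <-> server protection that the message above settles on (IPsec with static keys, as in the DHCPv6 spec's relay/server security section) would look roughly like the following on a Linux relay; this is an added example, not code from the thread or from any DHCP implementation, and the addresses, SPIs and keys are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: manual-keyed (static-key) IPsec ESP in
# transport mode protecting only the relay<->server DHCPv6 flow (UDP/547).
# Linux "ip xfrm" syntax; addresses, SPIs and keys are constructed placeholders.

RELAY="2001:db8:1::10"     # constructed relay-agent address
SERVER="2001:db8:2::20"    # constructed server address
IP="${IP:-ip}"             # set IP=echo to print the commands instead of applying them

# is_hex_key HEX NBYTES -> 0 if HEX is exactly NBYTES bytes of hex (no 0x prefix)
is_hex_key() {
  _hex="$1"; _want=$(( $2 * 2 ))
  [ "${#_hex}" -eq "$_want" ] || return 1
  case "$_hex" in *[!0-9a-fA-F]*) return 1 ;; esac
  return 0
}

# add_sa SRC DST SPI ENCKEY AUTHKEY: one-direction ESP SA, AES-128-CBC plus
# HMAC-SHA-256 with a 128-bit ICV; the selector limits it to UDP/547 traffic.
add_sa() {
  is_hex_key "$4" 16 || { echo "bad AES-128 key for SPI $3" >&2; return 1; }
  is_hex_key "$5" 32 || { echo "bad HMAC-SHA-256 key for SPI $3" >&2; return 1; }
  $IP -6 xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid 547 mode transport \
    enc 'cbc(aes)' "0x$4" auth-trunc 'hmac(sha256)' "0x$5" 128 \
    sel src "$1" dst "$2" proto udp dport 547
}

# add_policy SRC DST DIR: require ESP (reqid 547) for UDP/547 in direction DIR,
# so unprotected relay/server messages are dropped rather than accepted.
add_policy() {
  $IP -6 xfrm policy add src "$1" dst "$2" proto udp dport 547 dir "$3" \
    tmpl src "$1" dst "$2" proto esp reqid 547 mode transport
}

# dhcpv6_relay_ipsec ENC_OUT AUTH_OUT ENC_IN AUTH_IN: relay-side setup.
# The server installs the mirror image with the same SPIs and keys.
dhcpv6_relay_ipsec() {
  add_sa "$RELAY" "$SERVER" 0x1001 "$1" "$2" || return 1
  add_sa "$SERVER" "$RELAY" 0x1002 "$3" "$4" || return 1
  add_policy "$RELAY" "$SERVER" out && add_policy "$SERVER" "$RELAY" in
}
```

Run with `IP=echo` first to review the generated state and policy entries; the key-length checks reject keys that the kernel would otherwise accept silently with the wrong algorithm.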
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg