IETF Logo Mail Archive

Re: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt

Sheng Jiang <jiangsheng@huawei.com> Wed, 25 June 2014 08:16 UTC

Return-Path: <jiangsheng@huawei.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA6981B2B09 for <dhcwg@ietfa.amsl.com>; Wed, 25 Jun 2014 01:16:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.852
X-Spam-Level:
X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nOHz6dLGlSYA for <dhcwg@ietfa.amsl.com>; Wed, 25 Jun 2014 01:16:49 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89D9B1B2AFB for <dhcwg@ietf.org>; Wed, 25 Jun 2014 01:16:48 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BGL18413; Wed, 25 Jun 2014 08:16:47 +0000 (GMT)
Received: from NKGEML401-HUB.china.huawei.com (10.98.56.32) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 25 Jun 2014 09:16:46 +0100
Received: from NKGEML512-MBX.china.huawei.com ([169.254.7.249]) by nkgeml401-hub.china.huawei.com ([10.98.56.32]) with mapi id 14.03.0158.001; Wed, 25 Jun 2014 16:16:38 +0800
From: Sheng Jiang <jiangsheng@huawei.com>
To: Francis Dupont <Francis.Dupont@fdupont.fr>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt
Thread-Index: AQHPju4mG27LeCnUK0SEcxzM0SNIlpuBeh4g
Date: Wed, 25 Jun 2014 08:16:37 +0000
Message-ID: <5D36713D8A4E7348A7E10DF7437A4B923AEBC702@nkgeml512-mbx.china.huawei.com>
References: <201406231419.s5NEJKQe017346@givry.fdupont.fr>
In-Reply-To: <201406231419.s5NEJKQe017346@givry.fdupont.fr>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.145]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/EuUXW6xYYt8di5kSV3u6N0hNK-Q
Subject: Re: [dhcwg] more thoughts about draft-ietf-dhc-sedhcpv6-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 08:16:51 -0000

Hi, Francis,

Please see replies in lines.

>Timestamps are not enough for the anti-replay protection and
>are difficult to implement for clients without a good long term
>real time clock, so I propose:
> - to introduce a nonce option which will be processed as an extension
>  of the transaction ID (so there are already 3 octets)
> - to put the timestamp in its own option (so it can be omitted)

We could apply this to next version.

> - to document a way for an unsynchronized node to get a good time value,
>  for instance sending an Information-Request or a Solicit without
>  rapid-commit asking for a timestamp option in the ORO

This has to be a separated document. It remains out of scope for this document. In most of cases, it is ok to assume a node have a time which has less 5-min time drift. A brand new node without any knowledge of time is an edge case.

>I propose to require the timestamp option in all messages changing the
>state (e.g., request, renew, etc) and everything from agents.
>I don't propose to make nonces mandatory but there is no good reason
>to not use them as soon as they are supported.

It's reasonable.

>The second point is about (X.509 public key) certificates. They are useless
>without the trust anchor, the whole chain, CRLs, etc. And if we want
>to use self-signed certificates they bring nothing compared to raw
>public keys. And I don't talk about profiles (even SeND had to be
>completed by RFC 6494). So I really suggest to drop the certificate
>option and to use the key option to identify the public key.

Actually, certificate would be very useful for server to authorize the client. It is much less useful on a client, who have not been allowed to connect on line. In such case, certificate can be used with LoF, which is equal usage as identify the public key.

>The last point is compatibility with SeND (RFC 3971). Today in red and
>black (:-) environments it is possible to secure the Neighbor Discovery
>but not DHCP. I propose to fix this using the secure DHCPv6 for
>the protection of DHCP and the SeND section 6 Authorization Delegation
>Discovery for the "certificate part".

Could you be more clear how this may work? I am not sure I fully understand your proposal. So far, SeDHCPv6 has no compatibility issues with SeND, because they are two solutions independent from each other. We don't want to introduce any dependency between them, which would make the deployment much more complicated.

Best regards,

Sheng

>Regards
>
>Francis.Dupont@fdupont.fr
>
>_______________________________________________
>dhcwg mailing list
>dhcwg@ietf.org
>https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email