[dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt
"Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se> Tue, 29 October 2002 18:35 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18355 for <dhcwg-archive@odin.ietf.org>; Tue, 29 Oct 2002 13:35:28 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id g9TIbOR30669 for dhcwg-archive@odin.ietf.org; Tue, 29 Oct 2002 13:37:24 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g9TIbOv30666 for <dhcwg-web-archive@optimus.ietf.org>; Tue, 29 Oct 2002 13:37:24 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18328 for <dhcwg-web-archive@ietf.org>; Tue, 29 Oct 2002 13:34:56 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g9TIZDv29994; Tue, 29 Oct 2002 13:35:13 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g9TIYtv29971 for <dhcwg@optimus.ietf.org>; Tue, 29 Oct 2002 13:34:55 -0500
Received: from imr1.ericy.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18168 for <dhcwg@ietf.org>; Tue, 29 Oct 2002 13:32:26 -0500 (EST)
Received: from mr7.exu.ericsson.se (mr7u3.ericy.com [208.237.135.122]) by imr1.ericy.com (8.11.3/8.11.3) with ESMTP id g9TIYnd14729; Tue, 29 Oct 2002 12:34:49 -0600 (CST)
Received: from eamrcnt760.exu.ericsson.se (eamrcnt760.exu.ericsson.se [138.85.133.38]) by mr7.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id g9TIYn801672; Tue, 29 Oct 2002 12:34:49 -0600 (CST)
Received: by eamrcnt760.exu.ericsson.se with Internet Mail Service (5.5.2656.59) id <41PDW15G>; Tue, 29 Oct 2002 12:34:48 -0600
Message-ID: <A1DDC8E21094D511821C00805F6F706B0499F91F@eamrcnt715.exu.ericsson.se>
From: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
To: 'Ralph Droms' <rdroms@cisco.com>
Cc: dhcwg@ietf.org
Date: Tue, 29 Oct 2002 12:33:47 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C27F78.E36C5148"
Subject: [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Ralph: Yes, that was the text I was referring to. And, I think we are in agreement. I just feel it is better to state it the other way around - a relay agent SHOULD NOT relay a relayed message (giaddr field is no-zero) using IPsec unless the relay received that message secured by IPsec. Without this requirement, what value is there in securing the traffic at a later hop? - Bernie -----Original Message----- From: Ralph Droms [mailto:rdroms@cisco.com] Sent: Tuesday, October 29, 2002 10:22 AM To: Bernie Volz (EUD) Cc: dhcwg@ietf.org Subject: RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt Bernie - thanks for your review and feedback on the IPsec for relay agent draft. I had not intended the text in section 4 to require an unbroken chain of IPsec forwarding (although not using IPsec over every link doesn't make much sense). Are you referring to the following text: If a client message is relayed through multiple relay agents, each of the relay agents must have established independent, pairwise trust relationships. That is, if messages from client C will be relayed by relay agent A to relay agent B and then to the server, relay agents A and B must be configured to use IPSec for the messages they exchange, and relay agent B and the server must be configured to use IPSec for the messages they exchange. I intend the text to describe the use of hop-by-hop IPsec, without an absolute requirement that all hops use IPsec. Not being able to anticipate every possible deployment, I suggest "SHOULD use IPsec on every hop", with some appropriate word-smithing of the spec for clarification. - Ralph At 02:33 PM 10/28/2002 -0600, Bernie Volz (EUD) wrote: >Ralph: > >Looks like you've been a bit busy! > >Regarding this draft, does it make sense when multiple relays are involved to >disallow (MUST?) a relay agent from forwarding using IPSec if the relay >received the relayed client message without IPSec? (This might also have been >a good restriction to add to the DHCPv6 specification.) One potential issue >with this is that it would require code changes in the relay or some >filtering >rules in the stack to assure non-protected relay messages are not >processed. But >if you don't have it, security could easily be compromised since an >attacker can >just set up a relay-chaining arrangement. > >Note that by your description in Section 4, this is already stated but >perhaps >not as clearly as it should be. > >Also, we should move to make this a Working Group item. Any objections? > >- Bernie > >-----Original Message----- >From: Internet-Drafts@ietf.org >[<mailto:Internet-Drafts@ietf.org>mailto:Internet-Drafts@ietf.org] >Sent: Monday, October 28, 2002 6:27 AM >Subject: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt > >A New Internet-Draft is available from the on-line Internet-Drafts >directories. > > Title : Use of IPsec for Securing DHCPv4 Messages > Exchanged > Between Relay Agents and Servers > Author(s) : R. Droms > Filename : draft-droms-dhcp-relay-agent-ipsec-00.txt > Pages : 4 > Date : 2002-10-25 > >'DHCP Relay Agent Information Option' (RFC 3046) assumes that DHCP >messages exchanged between relay agents and servers are not subject >to attack. This document describes how IPsec can be used to protect >messages exchanged between relay agents and servers. > >A URL for this Internet-Draft is: ><http://www.ietf.org/internet-drafts/draft-droms-dhcp-relay-agent-ipsec-00.txt>http://www.ietf.org/internet-drafts/draft-droms-dhcp-relay-agent-ipsec-00.txt > > >To remove yourself from the IETF Announcement list, send a message to >ietf-announce-request with the word unsubscribe in the body of the message. > >Internet-Drafts are also available by anonymous FTP. Login with the username >"anonymous" and a password of your e-mail address. After logging in, >type "cd internet-drafts" and then > "get draft-droms-dhcp-relay-agent-ipsec-00.txt". > >A list of Internet-Drafts directories can be found in ><http://www.ietf.org/shadow.html>http://www.ietf.org/shadow.html >or ><ftp://ftp.ietf.org/ietf/1shadow-sites.txt>ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > >Internet-Drafts can also be obtained by e-mail. > >Send a message to: > mailserv@ietf.org. >In the body type: > "FILE /internet-drafts/draft-droms-dhcp-relay-agent-ipsec-00.txt". > >NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > >Below is the data which will enable a MIME compliant mail reader >implementation to automatically retrieve the ASCII version of the >Internet-Draft.
- [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-age… Bernie Volz (EUD)
- [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-age… Ralph Droms
- [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-age… Bernie Volz (EUD)