Re: [dhcwg] Trust model of Client FQDN option

Pekka Savola <pekkas@netcore.fi> Tue, 03 August 2004 23:16 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA20681; Tue, 3 Aug 2004 19:16:07 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bs8SV-00081k-Qo; Tue, 03 Aug 2004 19:12:39 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bs8Ma-0007ST-W8 for dhcwg@megatron.ietf.org; Tue, 03 Aug 2004 19:06:33 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA20244 for <dhcwg@ietf.org>; Tue, 3 Aug 2004 19:06:30 -0400 (EDT)
Received: from netcore.fi ([193.94.160.1]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Bs8Pj-0003HZ-Pe for dhcwg@ietf.org; Tue, 03 Aug 2004 19:09:49 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id i73N5ua31874; Wed, 4 Aug 2004 02:05:56 +0300
Date: Wed, 04 Aug 2004 02:05:56 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Ted Lemon <mellon@fugue.com>
Subject: Re: [dhcwg] Trust model of Client FQDN option
In-Reply-To: <21E7AC38-E59B-11D8-8860-000A95D9C74C@fugue.com>
Message-ID: <Pine.LNX.4.44.0408040144440.31389-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: dhcwg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

On Tue, 3 Aug 2004, Ted Lemon wrote:
> On Aug 3, 2004, at 11:03 AM, Pekka Savola wrote:
> > I'm not sure the v4 or v6 DHC FQDN client options address the problem
> > of the trust model for the update content sufficiently well.  I'd even
> > go as far to say that it might create a false sense of security.
> 
> Pekka, in the meeting this morning, you said you hadn't read the drafts 
> having to do with DNS updates on DHCPv4.   Have you now read them?   

Yes; I scanned through draft-ietf-dhc-fqdn-option and the dnxext dhcrr 
document.

> The reason I ask is that for the entire duration of the time I've been 
> coming to IETF, people have occasionally raised the very same issue you 
> are now raising.

Maybe this would stop if these issues would actually be adequately
addressed?  I promise to bring this up again at the last minute if 
not.

What you describe below is very well, and probably addresses most of
the issues (to a certain degree, which should be spelled out), but
none of this seems to exist written in the clear in
draft-ietf-dhc-fqdn-option.

Let's look at its Security Considerations section (the others don't 
include anything relevant to this, AFAICS):

1st paragraph: generic text about DNS update authentication 
requirements

2nd: notes the two approaches (client vs dhcp updated), and that they 
depend e.g., on security model (without going into details)

3rd: generic text wrt. whether DHCP server would always do the updates 
or not

4th: notes the lack of authentication of the user, given that DHCP 
authentication is not there or is not deployed.  Ascertaining the 
identty of the client is difficult. [note: DHCP authentication has 
very little to do with the authorization of the client to update a 
specific name]

5th: describes scenarios where you might not be able to spoof DHCP 
packets, and a little text about being able to trust (in some cases) 
the dhc client id. [note: spoofing or not spoofing DHCP packets, and 
DHC client id do not yet provide any authorization to update a DNS 
name]

I also note that the draft doesn't even mention
draft-ietf-dnsext-dhcid-rr-08.txt.

The actual meat is missing, and does not address *DNS name*
authorization at all, just talks quite a bit about DHCP authentication
and different ways to eliminate DHCP spoofing.

> The solution we have adopted, which is widely deployed, allows two 
> answers to your question.   The first is a more paranoid solution that 
> requires widespread distribution of individual DNS update keys.   The 
> second is a more laissez-faire solution that does not require the 
> distribution of individual DNS update keys.   This second solution is 
> no more or less secure than the first, but its behavior is different.   
> Names added by the DHCP server are marked as such, and if a name is 
> present and was not added by the DHCP server, that name can't be 
> replaced at the request of the DHCP client.   When a client's lease 
> expires, another client can acquire the previous client's name, so 
> there's no protection for client names.   You get to pick which 
> solution to deploy, based on your willingness to distribute keys and 
> based on whether or not you care whether a DHCP client can count on 
> retaining its name, once its name is registered.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg