Re: [dhcwg] Trust model of Client FQDN option
Pekka Savola <pekkas@netcore.fi> Tue, 03 August 2004 23:16 UTC
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA20681; Tue, 3 Aug 2004 19:16:07 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bs8SV-00081k-Qo; Tue, 03 Aug 2004 19:12:39 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bs8Ma-0007ST-W8 for dhcwg@megatron.ietf.org; Tue, 03 Aug 2004 19:06:33 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA20244 for <dhcwg@ietf.org>; Tue, 3 Aug 2004 19:06:30 -0400 (EDT)
Received: from netcore.fi ([193.94.160.1]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Bs8Pj-0003HZ-Pe for dhcwg@ietf.org; Tue, 03 Aug 2004 19:09:49 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id i73N5ua31874; Wed, 4 Aug 2004 02:05:56 +0300
Date: Wed, 04 Aug 2004 02:05:56 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Ted Lemon <mellon@fugue.com>
Subject: Re: [dhcwg] Trust model of Client FQDN option
In-Reply-To: <21E7AC38-E59B-11D8-8860-000A95D9C74C@fugue.com>
Message-ID: <Pine.LNX.4.44.0408040144440.31389-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: dhcwg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
On Tue, 3 Aug 2004, Ted Lemon wrote: > On Aug 3, 2004, at 11:03 AM, Pekka Savola wrote: > > I'm not sure the v4 or v6 DHC FQDN client options address the problem > > of the trust model for the update content sufficiently well. I'd even > > go as far to say that it might create a false sense of security. > > Pekka, in the meeting this morning, you said you hadn't read the drafts > having to do with DNS updates on DHCPv4. Have you now read them? Yes; I scanned through draft-ietf-dhc-fqdn-option and the dnxext dhcrr document. > The reason I ask is that for the entire duration of the time I've been > coming to IETF, people have occasionally raised the very same issue you > are now raising. Maybe this would stop if these issues would actually be adequately addressed? I promise to bring this up again at the last minute if not. What you describe below is very well, and probably addresses most of the issues (to a certain degree, which should be spelled out), but none of this seems to exist written in the clear in draft-ietf-dhc-fqdn-option. Let's look at its Security Considerations section (the others don't include anything relevant to this, AFAICS): 1st paragraph: generic text about DNS update authentication requirements 2nd: notes the two approaches (client vs dhcp updated), and that they depend e.g., on security model (without going into details) 3rd: generic text wrt. whether DHCP server would always do the updates or not 4th: notes the lack of authentication of the user, given that DHCP authentication is not there or is not deployed. Ascertaining the identty of the client is difficult. [note: DHCP authentication has very little to do with the authorization of the client to update a specific name] 5th: describes scenarios where you might not be able to spoof DHCP packets, and a little text about being able to trust (in some cases) the dhc client id. [note: spoofing or not spoofing DHCP packets, and DHC client id do not yet provide any authorization to update a DNS name] I also note that the draft doesn't even mention draft-ietf-dnsext-dhcid-rr-08.txt. The actual meat is missing, and does not address *DNS name* authorization at all, just talks quite a bit about DHCP authentication and different ways to eliminate DHCP spoofing. > The solution we have adopted, which is widely deployed, allows two > answers to your question. The first is a more paranoid solution that > requires widespread distribution of individual DNS update keys. The > second is a more laissez-faire solution that does not require the > distribution of individual DNS update keys. This second solution is > no more or less secure than the first, but its behavior is different. > Names added by the DHCP server are marked as such, and if a name is > present and was not added by the DHCP server, that name can't be > replaced at the request of the DHCP client. When a client's lease > expires, another client can acquire the previous client's name, so > there's no protection for client names. You get to pick which > solution to deploy, based on your willingness to distribute keys and > based on whether or not you care whether a DHCP client can count on > retaining its name, once its name is registered. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Trust model of Client FQDN option Pekka Savola
- Re: [dhcwg] Trust model of Client FQDN option Ted Lemon
- Re: [dhcwg] Trust model of Client FQDN option Pekka Savola
- RE: [dhcwg] Trust model of Client FQDN option Bernie Volz
- RE: [dhcwg] Trust model of Client FQDN option Bernie Volz
- Re: [dhcwg] Trust model of Client FQDN option Mark Stapp
- RE: [dhcwg] Trust model of Client FQDN option Pekka Savola
- Re: [dhcwg] Trust model of Client FQDN option Ted Lemon
- RE: [dhcwg] Trust model of Client FQDN option Bernie Volz
- Re: [dhcwg] Trust model of Client FQDN option Ted Lemon
- RE: [dhcwg] Trust model of Client FQDN option Bernie Volz
- Re: [dhcwg] Trust model of Client FQDN option Ted Lemon