Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Thomas Narten <narten@us.ibm.com> Tue, 08 October 2002 19:16 UTC
Message-Id: <200210081911.g98JBEK28127@rotala.raleigh.ibm.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
cc: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>, Kim Kinnear <kkinnear@cisco.com>, rdroms@cisco.com, dhcwg@ietf.org
Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
In-Reply-To: Message from Ted Lemon <Ted.Lemon@nominum.com> of "Tue, 08 Oct 2002 13:59:08 CDT." <061142C8-DAF0-11D6-A9B4-00039367340A@nominum.com>
Date: Tue, 08 Oct 2002 15:11:14 -0400
From: Thomas Narten <narten@us.ibm.com>

Ted Lemon <Ted.Lemon@nominum.com> writes:

> > Perhaps I shouldn't raise this, but it seems like we should be worrying much
> > more about security on the first hop (client <-> server/relay) than the
> > relay <-> server hop. The latter is much easier to secure as IPsec, tunneling,
> > and other fairly standard techniques could be used.
> >
> > Also, is the DHCPv6 draft strong enough in this area to satisfy the IESG (at
> > least around the relay <-> server security)?

> Right, the relay<->server hop is regular IP, so there's no reason not
> to use IPsec to secure it.

In DHCPv6, using IPsec makes sense. The relay agent is originating a
new message that it sends to the DHC server.

But DHCPv4 is different, in that it relays the client packet. So IPsec
can't really be used there. But certainly a DHC-specific
authentication option could be defined for covering the relay agent
option and/or portions of the client request.

Thomas
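
An added illustration, not part of the message above or of any draft it discusses: a sketch of a relay-to-server authentication sub-option that covers the relay agent option and portions of the client request. The sub-option code 250, the field layout (8-byte replay counter plus HMAC-SHA256), the choice of covered client fields (xid, chaddr) and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
import struct

OPT_RELAY_AGENT_INFO = 82  # DHCPv4 relay agent information option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1      # Agent Circuit ID sub-option (RFC 3046)
SUBOPT_AUTH = 250          # hypothetical sub-option code, chosen for this sketch

def tlv(code, data):
    """Encode one code/length/value item as used by DHCPv4 options."""
    return bytes([code, len(data)]) + data

def _mac(key, xid, chaddr, subopts, replay):
    # Covers portions of the client request (xid, chaddr), the relay's own
    # sub-options, and a replay counter.
    msg = struct.pack("!I", xid) + chaddr + subopts + struct.pack("!Q", replay)
    return hmac.new(key, msg, hashlib.sha256).digest()

def relay_build_option(key, xid, chaddr, subopts, replay):
    """Relay side: append the authentication sub-option and wrap as option 82."""
    auth = struct.pack("!Q", replay) + _mac(key, xid, chaddr, subopts, replay)
    return tlv(OPT_RELAY_AGENT_INFO, subopts + tlv(SUBOPT_AUTH, auth))

def server_verify(key, xid, chaddr, option, last_replay):
    """Server side: True only if the MAC matches and the counter is fresh."""
    if len(option) < 2 or option[0] != OPT_RELAY_AGENT_INFO or option[1] != len(option) - 2:
        return False
    body, pos = option[2:], 0
    while pos + 2 <= len(body):           # walk sub-options to find the auth one
        code, length = body[pos], body[pos + 1]
        end = pos + 2 + length
        if end > len(body):
            return False                  # truncated sub-option
        if code == SUBOPT_AUTH:
            if length != 40 or end != len(body):
                return False              # must be last and 8 + 32 bytes long
            replay = struct.unpack("!Q", body[pos + 2:pos + 10])[0]
            expected = _mac(key, xid, chaddr, body[:pos], replay)
            return replay > last_replay and hmac.compare_digest(expected, body[pos + 10:end])
        pos = end
    return False                          # no authentication sub-option present

# Constructed sample values, not taken from the thread.
KEY = b"shared-relay-server-key"
XID, CHADDR = 0x3903F326, bytes.fromhex("00053c04078d")
CIRCUIT = tlv(SUBOPT_CIRCUIT_ID, b"eth0/1")
OPTION = relay_build_option(KEY, XID, CHADDR, CIRCUIT, replay=7)
```

Because the MAC input includes the client's xid and chaddr, a valid relay option cannot be lifted onto a different client request, and the counter check rejects a replayed copy of the same option.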