Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Francis Dupont <Francis.Dupont@fdupont.fr> Thu, 08 June 2017 00:19 UTC

Message-Id: <201706080005.v58050lw080684@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Ted Lemon <mellon@fugue.com>
cc: 神明達哉 <jinmei@wide.ad.jp>, dhcwg <dhcwg@ietf.org>
In-reply-to: Your message of Wed, 07 Jun 2017 19:45:34 -0400. <C5387B74-FA42-4B26-8AA6-5C41F8FBB0BB@fugue.com>
Date: Thu, 08 Jun 2017 02:05:00 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/HtuHh0-3Wdze1-oRzLfbyuIJAyA>
Subject: Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

 In your previous mail you wrote:

> The relay agent can forward an encrypted payload that it receives. It
> can't forward a cleartext payload from an encrypted packet it couldn't
> decode.

=> we agree: a relay agent can handle an encrypted payload if this payload
is inside a DHCP message, and can't handle it if a DHCP message is in this
payload.
So if we want to support the intermediate relay case either the DHCP
protocol is modified, or the client and the first relay agent are end
points of a security association.
Note this could disqualify DTLS & co, as it is unlikely we would accept
having to update relay agents.

Regards

Francis.Dupont@fdupont.fr
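The distinction the thread turns on (an encrypted payload carried inside a DHCPv6 message versus a DHCPv6 message hidden inside an encrypted transport record) is easy to see in code. The following is an added illustration written for this archive page, not code from Francis, Ted, or any SeDHCPv6 implementation. The DHCPv6 framing, RELAY-FORW (12) and OPTION_RELAY_MSG (9) follow RFC 3315; the option code used for the encrypted payload, the SHA-256-keystream "cipher", the DTLS-like record shape and all addresses and identifiers are constructed placeholders for the demonstration only.

```python
"""
Toy model of the relay-agent argument: a DHCPv6 relay can frame a message
whose *payload* is encrypted, because the msg-type and option TLVs it needs
stay in the clear, but it cannot frame a DHCPv6 message that is itself
inside an opaque encrypted record. Framing follows RFC 3315; the encrypted
payload option code, the toy cipher and the sample addresses are assumptions.
"""
import hashlib
import struct

# RFC 3315 message types and option codes used below.
SOLICIT = 1
RELAY_FORW = 12
OPTION_CLIENTID = 1
OPTION_RELAY_MSG = 9
OPTION_ENCRYPTED_PAYLOAD = 65000  # assumed placeholder, not an IANA-assigned code

# Message types this toy relay is willing to wrap into Relay-forward.
KNOWN_MSG_TYPES = {1, 3, 4, 5, 6, 8, 9, 11, 12}


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the real cipher: XOR with a SHA-256 keystream. Not secure,
    only here so the relay sees bytes it cannot interpret."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def encode_options(options) -> bytes:
    """Serialise (code, data) pairs as RFC 3315 option TLVs."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)


def parse_options(buf: bytes):
    """Parse option TLVs; raise ValueError on any framing inconsistency."""
    options = []
    while buf:
        if len(buf) < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[:4])
        if len(buf) < 4 + length:
            raise ValueError("option length exceeds message")
        options.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return options


def build_dhcpv6(msg_type: int, xid: int, options) -> bytes:
    """msg-type (1 byte) + transaction-id (3 bytes) + options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + encode_options(options)


def relay_forward(packet: bytes, link_addr: bytes, peer_addr: bytes) -> bytes:
    """What a relay agent does: read the outer DHCPv6 framing and wrap the
    message in Relay-forward. Raises ValueError if the bytes are not a
    DHCPv6 message it can understand."""
    if len(packet) < 4 or packet[0] not in KNOWN_MSG_TYPES:
        raise ValueError("not a DHCPv6 message the relay can frame")
    parse_options(packet[4:])  # must at least be well-formed TLVs
    header = bytes([RELAY_FORW, 0]) + link_addr + peer_addr  # hop-count 0
    return header + encode_options([(OPTION_RELAY_MSG, packet)])


def dtls_like_record(ciphertext: bytes) -> bytes:
    """Opaque transport record: content type 23 (application_data), DTLS 1.2
    version bytes 0xFEFD, then a body the relay cannot read. Constructed shape."""
    return bytes([23, 0xFE, 0xFD]) + ciphertext


# Constructed sample values for the two cases.
KEY = b"constructed-demo-key"
LINK = bytes.fromhex("20010db8000000000000000000000001")
PEER = bytes.fromhex("fe80000000000000021122fffe334455")
CLIENT_ID = bytes.fromhex("00010001000000000011223344556677")


def case_encrypted_payload_inside_dhcp() -> bool:
    """Client keeps the DHCPv6 header in the clear and encrypts only the
    options it wants to hide: the relay can still wrap the message."""
    secret = encode_options([(OPTION_CLIENTID, CLIENT_ID)])
    msg = build_dhcpv6(SOLICIT, 0xABCDEF, [(OPTION_ENCRYPTED_PAYLOAD, toy_encrypt(KEY, secret))])
    wrapped = relay_forward(msg, LINK, PEER)
    inner = dict(parse_options(wrapped[34:]))[OPTION_RELAY_MSG]  # 34 = relay header length
    return wrapped[0] == RELAY_FORW and inner == msg


def case_dhcp_inside_encrypted_transport() -> bool:
    """Whole DHCPv6 message sits inside an encrypted record: the relay sees
    only opaque bytes and cannot frame it. Returns whether relaying worked."""
    msg = build_dhcpv6(SOLICIT, 0xABCDEF, [(OPTION_CLIENTID, CLIENT_ID)])
    record = dtls_like_record(toy_encrypt(KEY, msg))
    try:
        relay_forward(record, LINK, PEER)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("encrypted option inside DHCPv6 message, relayed:", case_encrypted_payload_inside_dhcp())
    print("DHCPv6 message inside encrypted record, relayed:", case_dhcp_inside_encrypted_transport())
```

The second case fails on the very first check, the msg-type byte, and would also fail TLV parsing; that is the structural reason a transport-layer wrapper such as DTLS between client and server forces either a protocol change or a security association that terminates at the first relay, as the message above argues.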