Re: [dhcwg] Security for leasequery messages

Kim Kinnear <kkinnear@cisco.com> Fri, 09 April 2004 00:04 UTC

Message-Id: <4.3.2.7.2.20040407163537.02686008@goblet.cisco.com>
X-Sender: kkinnear@goblet.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 07 Apr 2004 16:38:19 -0400
To: Ralph Droms <rdroms@cisco.com>, dhcwg@ietf.org
From: Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Security for leasequery messages
Cc: kkinnear@cisco.com
In-Reply-To: <4.3.2.7.2.20040406195254.02bc7b90@flask.cisco.com>

Folks,

This is clearly an issue, and there are no easy answers.
Here is one approach:

Nothing is mandatory to implement, since one approach is to
ensure that there is physical security between the access
concentrator and the DHCP server.

A better approach is to use some form of the not-yet-fully-baked
relay agent authentication.  For example:

http://www.ietf.org/internet-drafts/draft-ietf-dhc-auth-suboption-03.txt

but since this is still coming along, it can't be mandatory,
that's for sure.  We could wait to standardize leasequery until
something was approved for relay agent authentication, but that
will further delay something that has already undergone numerous
delays.  There are a large number of similar-to-the-standard
leasequery installations, and more every day.  It would be nice
to bring them all into compliance over time, and time is
getting away from us.

One approach would be to make something mandatory once that
something exists, which is a little odd but perhaps doable.  We
might be able to say:

        "When some form of relay-agent to DHCP server
        authentication becomes a standard, its use for leasequery
        becomes mandatory."

Something to consider.

Any other ideas for handling this one?

Cheers -- Kim

At 07:56 PM 4/6/2004, Ralph Droms wrote:
>The following issues relate to security for leasequery messages:
>
>Steve Bellovin:
>
>Discuss:
>(26 March 2004)
>The Security Considerations section says this:
>
>   DHCP servers SHOULD prevent exposure of location information
>   (particularly the mapping of hardware address to IP address lease,
>   which can be an invasion of broadband subscriber privacy) by
>   employing some form of relay agent authentication between the
>   DHCPLEASEQUERY client and the DHCP server.
>
>   Clients of the DHCPLEASEQUERY message SHOULD ensure that their data
>   path to the DHCP server is secure.  Clients SHOULD use Relay Agent
>   Information security as a way to achieve this goal.
>
>What is "some form of ... authentication"?  What is "Relay Agent Information
>security"?  Put another way, what is mandatory to implement?
>
>Russ Housley:
>
>Discuss:
>  Section 7 says:
>  >
>  > DHCP servers SHOULD prevent exposure of location information
>  > (particularly the mapping of hardware address to IP address lease,
>  > which can be an invasion of broadband subscriber privacy) by
>  > employing some form of relay agent authentication between the
>  > DHCPLEASEQUERY client and the DHCP server.
>  >
>  There needs to be more discussion of the authentication requirements.
>  I would prefer the specification to name a mandatory-to-implement
>  mechanism, but that may be asking too much.
>
>  Section 7 also says:
>  >
>  > Clients of the DHCPLEASEQUERY message SHOULD ensure that their data
>  > path to the DHCP server is secure.
>  >
>  What security services are needed?  Integrity, authentication, access
>  control, replay protection, confidentiality?  The hint about Relay Agent
>  Information security, with no reference, is not sufficient.
>


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
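Added illustration, not code from this thread or from the auth-suboption draft referenced above (later published as RFC 4030, which specifies HMAC-MD5): a server-side check showing what the services Russ Housley lists, access control, integrity/authentication and replay protection, look like for a LEASEQUERY arriving from a relay agent. The wire layout, the relay addresses and the shared keys are constructed for the example; confidentiality is not provided, since an HMAC only authenticates.

```python
import hashlib
import hmac
import socket
import struct

# Constructed shared keys, one per trusted relay agent (access concentrator),
# keyed by the relay's giaddr. Only relays listed here may issue LEASEQUERY.
RELAY_KEYS = {"192.0.2.1": b"constructed-key-for-relay-1"}
TAG_LEN = 16  # HMAC-MD5 output length (the algorithm RFC 4030 specifies)

# Highest replay-detection counter accepted per relay (monotonic-counter style).
_last_counter = {}

def build_query(giaddr, key, counter, payload):
    """Relay side: giaddr (4) | counter (8) | payload | HMAC-MD5 tag (16).
    Layout is constructed for this example, not the RFC 4030 suboption encoding."""
    body = socket.inet_aton(giaddr) + struct.pack("!Q", counter) + payload
    return body + hmac.new(key, body, hashlib.md5).digest()

def verify_query(msg):
    """Server side. Returns (accepted, reason) after applying, in order:
    access control, integrity/authentication, replay protection."""
    if len(msg) < 4 + 8 + TAG_LEN:
        return False, "malformed"
    giaddr = socket.inet_ntoa(msg[:4])
    key = RELAY_KEYS.get(giaddr)
    if key is None:
        return False, "unknown relay"          # access control
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.md5).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad hmac"               # integrity / authentication
    counter = struct.unpack("!Q", msg[4:12])[0]
    if counter <= _last_counter.get(giaddr, -1):
        return False, "replay"                 # replay protection
    _last_counter[giaddr] = counter            # advance only after auth succeeds
    return True, "ok"

def demo():
    """Constructed exchange: a valid query, its replay, a forged tag, a rogue relay."""
    key = RELAY_KEYS["192.0.2.1"]
    query = b"LEASEQUERY ciaddr=198.51.100.7"
    good = build_query("192.0.2.1", key, 1, query)
    results = [verify_query(good)[1], verify_query(good)[1]]     # ok, then replay
    forged = build_query("192.0.2.1", b"wrong-key", 2, query)
    results.append(verify_query(forged)[1])                      # bad hmac
    rogue = build_query("203.0.113.9", key, 3, query)
    results.append(verify_query(rogue)[1])                       # unknown relay
    return results

if __name__ == "__main__":
    print(demo())
```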