[dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - Respond by March 29th

Tomek Mrugalski <tomasz.mrugalski@gmail.com> Wed, 08 March 2017 13:37 UTC

Return-Path: <tomasz.mrugalski@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C23E3129690; Wed, 8 Mar 2017 05:37:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFQXY_WrmYyc; Wed, 8 Mar 2017 05:37:04 -0800 (PST)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D06B712967A; Wed, 8 Mar 2017 05:37:03 -0800 (PST)
Received: by mail-lf0-x235.google.com with SMTP id k202so14561310lfe.1; Wed, 08 Mar 2017 05:37:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:cc:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=ODg3Hww1kevWhCEqK1vi+SH1u6hGRWrIicHdUuNBcxM=; b=k3gpulX+z7iLsbEdlXM95tvrcw8rpi2cF+e0+uQN7ZcTYrhOQGDxo1QzPJ+dvK0kC6 HXlg+iocABd4y1CniSSOCpqVASlvr/pndyzyU/VgKuk6b2v0JIfAHRoMSUD1YKX4Vn45 yg4N3crvDTYl1qgo8UpMoOsRHWq8O3zLVBBj98PsE6at5P/jx4/S4XQ71nCTcDiul4hc d0prQdYmBQ7HnN4jJmtGZdVC6KuQeXElaBWKsGeTdGJRQNVieAvB2nkBWECI1il0D5G2 d7YJWVvlffAccEm0+DrXV3CyOGKYyo8EVl8Nysw8BWJJ9E3lyFNWqPIXv7kEfj4qsa2t mVpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:cc:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=ODg3Hww1kevWhCEqK1vi+SH1u6hGRWrIicHdUuNBcxM=; b=FnjlVInOATRB6kk6mVF9moM3iHxQDbRTrsnB+Lt4pJWRRhBb8GUGF+K6cwh46WM6Wm +p6xky7RAEbvHLgkDXNfG8xyaMNwR0RshaEFJG8MpZs/zDZp/FBGwrtLLi3HUfL/v7IP gJQKSbHfYS1a1PMEin6XdH3CKHgZnLKoqLZEvQix4m89Rfr4Cv5TJKWGjmiZdX1FSUv4 PqFo33XO/6ey9/2GFxQgQNzErMy+3vKwiBUtq8100B0TaAa0DaoiGJugafGM0QQqWxMG 48yVoJr2S/VsTXnQkuV/0BR6897icEoGoJe76h440/edWMuNRKs0BfqE5KU6V2AC+VC5 kJOw==
X-Gm-Message-State: AMke39nVpjuk7DMY5PHvMDzwE4ZZ4WpLbzalp4Nup6OyUC6Fwbs41BrEXeCavcomwHlx5A==
X-Received: by 10.46.83.92 with SMTP id t28mr2202474ljd.70.1488980221770; Wed, 08 Mar 2017 05:37:01 -0800 (PST)
Received: from [192.168.0.6] (109241207033.gdansk.vectranet.pl. [109.241.207.33]) by smtp.googlemail.com with ESMTPSA id a138sm631402lfb.2.2017.03.08.05.37.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Mar 2017 05:37:00 -0800 (PST)
From: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
To: dhcwg <dhcwg@ietf.org>
Message-ID: <e08be0f6-f1b4-4f57-6cdf-ddd546f8b793@gmail.com>
Date: Wed, 8 Mar 2017 14:36:58 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/JjZqxnxNyDmuh3ZdknUGJJR_tMw>
Cc: draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
Subject: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - Respond by March 29th
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 13:37:06 -0000

Hi,
draft-ietf-dhc-sedhcpv6-21 describes a mechanism for using public key
cryptography to provide end-to-end security between DHCPv6 clients and
servers. The mechanism provides encryption in all cases, and can be used
for authentication based on pre-sharing of authorized certificates. This
draft has started in 2013, but the whole DHCPv6 security saga is much
longer and begins in 2008. This draft was submitted to IESG in mid-2015.
The guidance received was clear that  substantial changes are needed. As
a result, "encrypt everywhere, authenticate if you can" approach was used.

Authors believe this draft to be ready for working group last call.

Please send your substantial comments to the mailing list and express
your opinion whether this draft is ready for publication. Feel free to
send nitpicks and minor corrections to the authors directly. This is a
complex draft, so the chairs believe 3 weeks WGLC is in order. Please
send your comments no later than March 29th. Bernie and I will determine
consensus and will discuss during Chicago meeting as needed.

To initiate the discussion, I have two related questions. The chairs
would love to hear your opinions on those.

1. The "encrypt everywhere" paradigm means that in deployments that do
snooping on relay will break down. To solve this problem, we need a
assignment notification mechanism, similar to the one described in
draft-ietf-dhc-dhcpv6-agentopt-delegate-04. That draft expired many
years ago. This matter was discussed in Seoul and the minutes describe
the conclusion as:

  The discussion gravitated towards not resurrecting until the sedhcpv6
  I-D progresses further. We will reevaluate this once sedhcpv6 is done.

Do you want the WG to resurrect agentopt-delegate a) now, b) when
sedhcpv6 is sent to IESG or c) when sedhcpv6 is published as RFC? d) we
need a completely new draft and I'm volunteering to work on it.

2. One of the authors suggested that this protocol is quite complex and
having a feedback from an implementation (or ideally two interoperating)
would be very important and would likely result in some changes to the
draft. It's probably too late for Chicago, but we can organize a
sedhcpv6 hackathon in Prague. Two likely implementations would be WIDE
and Kea, as those two are open source and have an old version of the
draft partially implemented. Do you think such a hackathon would be
useful? Are you willing to participate?

Title: Secure DHCPv6
Authors: L. Li, S. Jiang, Y.Cui, T.Jinmei, T.Lemon, D.Zhang
Filename: draft-ietf-dhc-sedhcpv6-21
Pages: 31
Date: 2017-02-21
Link: https://datatracker.ietf.org/doc/draft-ietf-dhc-sedhcpv6/

Responses by March 29th are appreciated.

Thanks,
Bernie and Tomek