[dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt

"Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se> Mon, 28 October 2002 20:41 UTC

Message-ID: <A1DDC8E21094D511821C00805F6F706B04AF93AB@eamrcnt715.exu.ericsson.se>
From: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
To: rdroms@cisco.com
Cc: dhcwg@ietf.org
Date: Mon, 28 Oct 2002 14:33:53 -0600
Subject: [dhcwg] RE: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt


Looks like you've been a bit busy!

Regarding this draft, does it make sense when multiple relays are involved to
disallow (MUST?) a relay agent from forwarding using IPSec if the relay
received the relayed client message without IPSec? (This might also have been
a good restriction to add to the DHCPv6 specification.) One potential issue
with this is that it would require code changes in the relay or some filtering
rules in the stack to assure non-protected relay messages are not processed. But
if you don't have it, security could easily be compromised since an attacker can
just set up a relay-chaining arrangement.

Note that by your description in Section 4, this is already stated but perhaps
not as clearly as it should be.

Also, we should move to make this a Working Group item. Any objections?

- Bernie
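An added illustration of the forwarding rule proposed above, written here as example code and not taken from the message or from the draft; it assumes the relay's IPsec stack can tell it whether an inbound packet arrived protected (the `received_over_ipsec` flag), and the DHCPv4 messages are constructed inline for the test.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie
OPT_RELAY_AGENT_INFO = 82            # RFC 3046 option code

def build_dhcpv4(hops, giaddr, options):
    """Constructed BOOTREQUEST for testing (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x3903F326, 0, 0)
    hdr += b"\0" * 12                                   # ciaddr, yiaddr, siaddr
    hdr += bytes(int(o) for o in giaddr.split("."))     # giaddr
    hdr += b"\0" * (16 + 64 + 128)                      # chaddr, sname, file
    return hdr + MAGIC + options + b"\xff"

def parse_dhcpv4(pkt):
    """Return (hops, giaddr, {code: value}) from a DHCPv4 message."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    giaddr = ".".join(str(b) for b in pkt[24:28])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:               # 255 = end option
        if pkt[i] == 0:                                 # 0 = pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return pkt[3], giaddr, opts

def relay_decision(pkt, received_over_ipsec):
    """Never launder an unprotected relayed message onto the IPsec path."""
    hops, giaddr, opts = parse_dhcpv4(pkt)
    if giaddr == "0.0.0.0":
        # Fresh client message on a local link: this relay inserts its own
        # option 82. A client message that already carries one is spoofed.
        if OPT_RELAY_AGENT_INFO in opts:
            return "drop: option 82 on an unrelayed client message"
        return "forward-ipsec: insert option 82, set giaddr"
    # Already relayed (giaddr set). Trust it only if the upstream relay was
    # authenticated by IPsec; otherwise a relay chain bypasses the protection.
    if not received_over_ipsec:
        return "drop: relayed message arrived without IPsec"
    return "forward-ipsec: upstream relay authenticated"

# Constructed sample messages (192.0.2.0/24 is the documentation range).
DISCOVER = b"\x35\x01\x01"                              # option 53: DHCPDISCOVER
FORGED_82 = b"\x52\x06\x01\x04ge01"                     # option 82, circuit-id "ge01"
CLIENT_PKT = build_dhcpv4(0, "0.0.0.0", DISCOVER)
SPOOFED_CLIENT_PKT = build_dhcpv4(0, "0.0.0.0", DISCOVER + FORGED_82)
CHAINED_PKT = build_dhcpv4(1, "192.0.2.7", DISCOVER + FORGED_82)
```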

-----Original Message-----
From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
Sent: Monday, October 28, 2002 6:27 AM
Subject: I-D ACTION:draft-droms-dhcp-relay-agent-ipsec-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title		: Use of IPsec for Securing DHCPv4 Messages Exchanged Between Relay Agents and Servers
	Author(s)	: R. Droms
	Filename	: draft-droms-dhcp-relay-agent-ipsec-00.txt
	Pages		: 4
	Date		: 2002-10-25
'DHCP Relay Agent Information Option' (RFC 3046) assumes that DHCP
messages exchanged between relay agents and servers are not subject
to attack.  This document describes how IPsec can be used to protect
messages exchanged between relay agents and servers.

A URL for this Internet-Draft is:
