Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)

"Bernie Volz (volz)" <volz@cisco.com> Fri, 19 August 2016 13:38 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: 神明達哉 <jinmei@wide.ad.jp>, "Templin, Fred L" <Fred.L.Templin@boeing.com>
Date: Fri, 19 Aug 2016 13:37:32 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/KRYpP8ffjrgLHkmbkZldXsrfmSs>
Cc: "<dhcwg@ietf.org>" <dhcwg@ietf.org>, Francis Dupont <Francis.Dupont@fdupont.fr>

> so not very convincing to overturn a wg consensus on always enabling encryption

Agreed. We held discussions with others (Randy Busy, etc.) and are under the belief that what is there is in the right direction. This is an overall solution to the DHCP security solution and tries to address FULL security (as the traffic is encrypted - so it addresses privacy).

I'm not sure if encryption harms anything in your environment; so what harm is there to use it?

Note that encryption will cause significant issues for DOCSIS and likely other deployments where the relay currently snoops the traffic. So, we'll need to address how to handle that (either dust off the https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-agentopt-delegate work or come up with something else). Until something else is in place, those environments just can't make use of this capability.

- Bernie

-----Original Message-----
From: jinmei.tatuya@gmail.com [mailto:jinmei.tatuya@gmail.com] On Behalf Of 神明達哉
Sent: Thursday, August 18, 2016 6:54 PM
To: Templin, Fred L <Fred.L.Templin@boeing.com>
Cc: <dhcwg@ietf.org> <dhcwg@ietf.org>; Francis Dupont <Francis.Dupont@fdupont.fr>; Bernie Volz (volz) <volz@cisco.com>
Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)

At Thu, 18 Aug 2016 22:42:38 +0000,
"Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:

> Hi, I already made a stronger case as follows:
>
> > I think what that means in terms of this draft is that for some use cases all
> > that is needed is for the client to include a Signature option in its DHCPv6
> > messages to the server. The client does not need to include a Certificate
> > option nor any encryption options. So, I would like it if the draft could
> > include a simple "authentication only" mode of operation.

To me, it just looks like "in some cases encryption may not be needed"
and not so different from "it's overkilling for me", so not very
convincing to overturn a wg consensus on always enabling encryption.
But it's ultimately up to the wg.

--
JINMEI, Tatuya