RE: [dhcwg] DHCP Option for CableLabs Client Configuration
Ralph Droms <rdroms@cisco.com> Fri, 02 August 2002 23:53 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA11958 for <dhcwg-archive@odin.ietf.org>; Fri, 2 Aug 2002 19:53:01 -0400 (EDT)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id TAA16567 for dhcwg-archive@odin.ietf.org; Fri, 2 Aug 2002 19:54:10 -0400 (EDT)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id TAA16449; Fri, 2 Aug 2002 19:52:08 -0400 (EDT)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id SAA12154 for <dhcwg@optimus.ietf.org>; Fri, 2 Aug 2002 18:30:13 -0400 (EDT)
Received: from funnel.cisco.com (funnel.cisco.com [161.44.168.79]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA09610 for <dhcwg@ietf.org>; Fri, 2 Aug 2002 18:29:04 -0400 (EDT)
Received: from rdroms-w2k.cisco.com (rtp-vpn2-122.cisco.com [10.82.240.122]) by funnel.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id SAA16715; Fri, 2 Aug 2002 18:29:01 -0400 (EDT)
Message-Id: <4.3.2.7.2.20020802182433.039fee40@funnel.cisco.com>
X-Sender: rdroms@funnel.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 02 Aug 2002 18:28:55 -0400
To: "Cosmo, Patrick" <Patrick@incognito.com>
From: Ralph Droms <rdroms@cisco.com>
Subject: RE: [dhcwg] DHCP Option for CableLabs Client Configuration
Cc: 'Paul Duffy' <paduffy@cisco.com>, PacketCable Provisioning and OSS Majordomo List <packetcable-prov-oss@cablelabs.com>, Erik Nordmark <Erik.Nordmark@sun.com>, Thomas Narten <narten@us.ibm.com>, "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>, dhcwg@ietf.org, nrussell@cisco.com, pgrossma@cisco.com, Matt Osman <M.Osman@cablelabs.com>
In-Reply-To: <4FB49E60CFBA724E88867317DAA3D198692F2F@homer.incognito.com .>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=====================_20270527==_.ALT"
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: <dhcwg.ietf.org>
X-BeenThere: dhcwg@ietf.org
Patrick, At 03:31 PM 8/2/2002 -0700, Cosmo, Patrick wrote: >Thanks Ralph. Does it only prevent DHCP server spoofing for CMs, and not >MTAs? Good question; the text reads: Network layer requirements for the CMTS exist beyond transparency to IP traffic. The CMTS must also support: · variable length subnet masks · classless addressing · IP multicast addressing and forwarding · Internet Group Management Protocol (IGMP) · proxy ARP · filtering of DHCP downstream-bound broadcast packets to protect against BOOTP server spoofing I would read the text to apply to all DHCP server spoofing. - Ralph > >-----Original Message----- >From: Ralph Droms [mailto:rdroms@cisco.com] >Sent: Friday, August 02, 2002 6:18 PM >To: Cosmo, Patrick >Cc: 'Paul Duffy'; PacketCable Provisioning and OSS Majordomo List; Erik >Nordmark; Thomas Narten; Bernie Volz (EUD); dhcwg@ietf.org; >nrussell@cisco.com; pgrossma@cisco.com; Matt Osman >Subject: RE: [dhcwg] DHCP Option for CableLabs Client Configuration > >Patrick - > >In response to the question at the beginning of your second paragraph, the >CMTS is responsible for preventing DHCP server spoofing. See section 4 of >"Cable Modem Termination System - Network Side Interface Specification", >SP-CMTS-NSII01-960702. > >- Ralph > >At 02:34 PM 8/2/2002 -0700, Cosmo, Patrick wrote: >>The access provider's DHCP server sends a list of legal telephony DHCP >>server addresses (CCC sub options 1/2) to the CM. The CM passes this >>list to the MTA (both devices live in the same physical box). >>[Cosmo, Patrick] The CM must be completely provisioned before the MTA can >>(successfully) do DHCP, correct? So why can't you send the sub-option 1/2 >>data to the CM in its config file or through SNMP, and then let it pass >>it along to the MTA? >> >>You want to ensure that the MTA gets a list of "legal telephony DHCP >>server addresses". This implies that without opts 1/2, the MTA may get >>DHCP from a server outside this list. Can anyone say whether there is a >>mechanism that ensures the CM only gets DHCP from valid servers (does the >>CMTS ensure this?)? This question has already been posited to Richard >>Woundy, but perhaps someone else knows? You can't protect the MTA from >>bogus DHCP servers, if you are trying to do it using data, forwarded from >>a CM, that originates from those same bogus DHCP servers. Similarly, this >>opt 1/2 mechanism does not allow the access provider to gain tighter >>control over its DHCP/DNS infrastructure if the CM can get DHCP from >>servers outside this infrastructure. >> >> The MTA does a normal discover, but uses the list to restrict the set >> of DHCP servers from which it will accept DHCP responses. See section 7 >> http://www.packetcable.com/specs/PKT-SP-PROV-I03-011221.pdf >> >><key issue> >>You have an access provider who has tight control over its DHCP/DNS >>infrastructure. The access provider is permitting other business >>entities to layer services atop its network. The access provider will >>have less control over the service provider's infrastructure. >></key issue> >> >>The 1/2 mechanism explicitly scopes specific devices to specific service >>provider's infrastructure. It also offers some what more protection from >>the hacker who is trying to setup a bogus DHCP server behind his cable >>modem, potentially bringing down the phones. Not good if your house is >>burning down and you need to call the fire department. >>>Why would you want this? If you can configure the DHCP service to know >>>which MTAs to "redirect", why can't you just configure the DHCP service >>>to ignore those MTAs altogether, instead of "redirecting" them, so that >>>the MTAs only recieve OFFERs from the appropriate DHCP services? I >>>believe that this is the way the rest of the world has always worked up >>>until now: if you don't want a device to get a lease from a particular >>>DHCP service, you configure that DHCP service so it doesn't offer those >>>devices a lease. You don't configure the DHCP service to send an offer >>>that basically says "I'm offering a lease, but you are not allowed to >>>accept any leases from me, you must except leases only from DHCP server >>>X". It could be that I'm misunderstanding the purpose of these options. >>>-----Original Message----- >>>From: Paul Duffy [<mailto:paduffy@cisco.com>mailto:paduffy@cisco.com] >>>Sent: Thursday, August 01, 2002 4:01 PM >>>To: Erik Nordmark >>>Cc: Thomas Narten; Bernie Volz (EUD); 'Ralph Droms'; dhcwg@ietf.org; >>>nrussell@cisco.com; pgrossma@cisco.com; Matt Osman >>>Subject: Re: [dhcwg] DHCP Option for CableLabs Client Configuration >>>Thanks Erik, >>> >>>Re: optional port numbers ... >>> >>>1. Cablelabs needs it for testing, lab, etc. >>>2. Some MSO's may decide to deploy DNS on non standard ports. Its a >>>flexibility issue. >>>3. Not using a standard port makes it slightly less prone to attack by >>>script kiddies. >>> >>>...I'm out of arguments. What specific suggestions do you have would give >>>us the port configuration control ? >>> >>>Thanks, >>> >>>At 07:12 PM 8/1/2002 +0200, Erik Nordmark wrote: >>> > > 1. A primary use case is for testing/lab/trial deployments. The >>> only way >>> > > to configure an MTA (a headless, embedded device) for a non >>> standard port >>> > > number would be via the CCC sub-option 4/5 mechanism. >>> > >>> >That seems like an argument for perhaps an experimental RFC, but >>> >as I understand it the intent is to make this specification a proposed >>> >standard. >>> > >>> > > 2. Permitting protocol servers to run on a non standard port is not >>> > without >>> > > precedence. Its been pointed out that Paul Vixie's "named" server >>> allows >>> > > it to be configured on a specific port. Does this mean that Paul is >>> > > violating Internet Standards ? Come to think of it, I don't think >>> I've >>> > > ever seen a protocol server that did not permit configuration of its >>> > > protocol port. >>> > >>> >I don't think anybody has claimed that servers must always use the >>> >standard port number. >>> > >>> >Instead the issue seems to be that the sole reason that these suboptions >>> >are needed i.e. why the standard DHCP options for DNS servers are not >>> >sufficient. is the claimed need to support non-standard port numbers. >>> > >>> >Why invent a new standard mechanism for this, especially since the >>> utility >>> >is limited to testing/lab/trials? >>> > >>> > Erik >>> >>>-- >>> >>>Paul Duffy >>>Cisco Systems, Inc. >>>paduffy@cisco.com >>> >>> >>> >>> >>> >>> >>> >>> >>> >>>_______________________________________________ >>>dhcwg mailing list >>>dhcwg@ietf.org >>><https://www1.ietf.org/mailman/listinfo/dhcwg>https://www1.ietf.org/mailman/listinfo/dhcwg >>> >>-- >> >>Paul Duffy >>Cisco Systems, Inc. >>paduffy@cisco.com
- [dhcwg] DHCP Option for CableLabs Client Configur… Ralph Droms
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Bernie Volz (EUD)
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Thomas Narten
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Bernie Volz (EUD)
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Thomas Narten
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Bernie Volz (EUD)
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Thomas Narten
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Josh Littlefield
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Cosmo, Patrick
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Cosmo, Patrick
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Cosmo, Patrick
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Ralph Droms
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Ralph Droms
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Woundy, Richard
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Woundy, Richard
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Ralph Droms
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Paul Duffy
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Sumanth Channabasappa
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Woundy, Richard
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Erik Nordmark
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Woundy, Richard
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Cosmo, Patrick
- Re: [dhcwg] DHCP Option for CableLabs Client Conf… Ted Lemon
- RE: [dhcwg] DHCP Option for CableLabs Client Conf… Ryan Scripps
- Re: [dhcwg] draft-ietf-dhc-packetcable-03.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-packetcable-04.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-packetcable-04.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-packetcable-04.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-packetcable-04.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-packetcable-05.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-packetcable-05.txt Thomas Narten