RE: [dhcwg] Response to IESG comments on draft-ietf-dhc-isnsoption-08.txt

Charles Monia <cmonia@NishanSystems.com> Sat, 06 September 2003 10:51 UTC

Message-ID: <B300BD9620BCD411A366009027C21D9BE86EEA@ariel.nishansystems.com>
From: Charles Monia <cmonia@NishanSystems.com>
To: "'Elizabeth G. Rodriguez'" <ElizabethRodriguez@ieee.org>, Charles Monia <cmonia@NishanSystems.com>, 'Ralph Droms' <rdroms@cisco.com>, 'Steven Bellovin' <smb@research.att.com>
Cc: "'Thomas Narten (E-mail)'" <narten@us.ibm.com>, "'DHCP (E-mail)'" <dhcwg@ietf.org>, "'Ips (E-mail)'" <ips@ece.cmu.edu>, "'David Black (E-mail)'" <Black_David@emc.com>, "'Allison Mankin (E-mail)'" <mankin@isi.edu>, Joshua Tseng <jtseng@NishanSystems.com>, Kevin Gibbons <kgibbons@NishanSystems.com>
Subject: RE: [dhcwg] Response to IESG comments on draft-ietf-dhc-isnsoption-08.txt
Date: Fri, 05 Sep 2003 14:01:07 -0700

Hi:

In response to the security issues, the following change to the security
section is proposed.  Please let me know if this is satisfactory. 

=====================
Security:

Security considerations pertinent to DHCP are described in [RFC3118].  Among
these is the potential for a "man-in-the-middle" attack by a hostile entity
modifying or replacing the original iSNS option message. If the
authentication option in [RFC3118] is not implemented, then an attacker may
trick the iSNS client into connecting to rogue iSNS servers.

It is therefore RECOMMENDED that [RFC3118] be implemented and used on the
client and server.  If the authentication option for DHCP is not implemented
and it is determined that the potential exists for one of the attacks
described in [RFC3118], then the DHCP option message for iSNS should not be
utilized.

======================

Thanks,
Charles Monia

> -----Original Message-----
> From: Elizabeth G. Rodriguez [mailto:ElizabethRodriguez@ieee.org] 
> Sent: Friday, August 29, 2003 9:56 AM
> To: 'Charles Monia'; 'Ralph Droms'; 'Steven Bellovin'
> Cc: 'Thomas Narten (E-mail)'; 'DHCP (E-mail)'; 'Ips 
> (E-mail)'; 'David Black (E-mail)'; 'Allison Mankin (E-mail)'; 
> 'Joshua Tseng'; 'Kevin Gibbons'
> Subject: RE: [dhcwg] Response to IESG comments on 
> draft-ietf-dhc-isnsoption-08.txt
> 
> 
> Hi all,
> 
> I am struggling with the new wording here.
> I understand Ralph Droms' concerns, but I am not sure that this is 
> the right solution.  In addition, the current wording is 
> mandating use, something that in general we try to avoid in 
> IETF documents.
> 
> I have added Steve Bellovin to the distribution, and hope he 
> will comment on this proposed change -- he is the AD who 
> questioned making RFC 3118 optional.  If he is OK with the 
> proposed change to keep RFC 3118 optional, then I recommend 
> changes to the effect of:
> 
> 1) It is RECOMMENDED that RFC 3118 be implemented.  
> 
> 2) It is recommended that if RFC 3118 is available on both 
> the client and server, it be used.
> 
> Elizabeth Rodriguez
> 
> 
> -----Original Message-----
> From: Charles Monia [mailto:cmonia@NishanSystems.com] 
> Sent: Thursday, August 28, 2003 4:31 PM
> To: 'Ralph Droms'; Charles Monia
> Cc: Thomas Narten (E-mail); DHCP (E-mail); Ips (E-mail); 
> David Black (E-mail); Elizabeth Rodriguez (E-mail); Allison 
> Mankin (E-mail); Charles Monia; Joshua Tseng; Kevin Gibbons
> Subject: RE: [dhcwg] Response to IESG comments on 
> draft-ietf-dhc-isnsoption-08.txt
> 
> Hi:
> 
> I have incorporated Ralph's suggestion in revision 9 of the 
> spec, along with changes to reflect the other IESG comments. 
> This new version has been submitted to the IETF archive.
> 
> Pending the announcement of document availability from the 
> archive, the spec can be obtained from 
> ftp://ftp.nishansystems.com/outgoing/draft-ietf-dhc-isnsoption-09.pdf or 
> ftp://ftp.nishansystems.com/outgoing/draft-ietf-dhc-isnsoption-09.txt.
> 
> Markups visible in the PDF version show the text that was 
> added or deleted.
> 
> Charles
> > -----Original Message-----
> > From: Ralph Droms [mailto:rdroms@cisco.com]
> > Sent: Wednesday, August 27, 2003 3:09 AM
> > To: Charles Monia
> > Cc: Thomas Narten (E-mail); DHCP (E-mail); Ips (E-mail); 
> > David Black (E-mail); Elizabeth Rodriguez (E-mail); Allison 
> > Mankin (E-mail); Charles Monia; Joshua Tseng; Kevin Gibbons
> > Subject: Re: [dhcwg] Response to IESG comments on 
> > draft-ietf-dhc-isnsoption-08.txt
> > 
> > 
> > Note that, because there are no implementations of RFC 3118 
> > today, and no plans by any important vendors to implement 
> > RFC 3118 in the future, making RFC 3118 authentication 
> > mandatory will effectively disallow any use of this option.
> > 
> > Perhaps we can modify this requirement to something like "use 
> > of RFC 3118 is mandatory if it is available in the client and 
> > server".
> > 
> > - Ralph
> > 
> > At 03:37 PM 8/19/2003 -0700, Charles Monia wrote:
> > 
> > > > "Steven M. Bellovin" <smb@research.att.com> writes:
> > > >
> > > > Is 3118 mandatory-to-implement or not?  I have a hard time
> > > > understanding why it should be optional.
> > >
> > > We will revise the spec to make implementation of RFC 3118 
> > > mandatory.
> > _______________________________________________
> > dhcwg mailing list
> > dhcwg@ietf.org
> > https://www1.ietf.org/mailman/listinfo/dhcwg

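As an added illustration of the rule in the proposed security text (this is example code, not part of the draft or of anything posted in this thread): a client-side gate that honours the iSNS option only when the DHCP reply carries an RFC 3118 delayed-authentication option that verifies against a known shared secret and is fresh, and otherwise refuses to use it. It assumes option code 90 for RFC 3118 and 83 for iSNS (the code assigned later in RFC 4174), the RFC 3118 delayed-authentication layout (HMAC-MD5 over the message with hops, giaddr and the MAC field zeroed), a constructed shared secret, and treats the iSNS option payload as opaque bytes.

```python
import hashlib, hmac, struct

# Added example. 90 = RFC 3118 authentication option; 83 = iSNS option (RFC 4174).
OPT_ISNS, OPT_AUTH, OPT_PAD, OPT_END = 83, 90, 0, 255
OPTIONS_START = 240   # 236-byte BOOTP header followed by the 4-byte magic cookie
AUTH_LEN = 31         # proto(1) alg(1) rdm(1) replay(8) secret-id(4) hmac-md5(16)

def parse_options(msg):
    """Walk the TLV option area; returns {code: (offset of value in msg, value)}."""
    out, i = {}, OPTIONS_START
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        out[code] = (i + 2, msg[i + 2:i + 2 + length])
        i += 2 + length
    return out

def delayed_auth_mac(msg, mac_off, key):
    """RFC 3118 delayed-auth MAC: HMAC-MD5 over the message with hops, giaddr and MAC zeroed."""
    scratch = bytearray(msg)
    scratch[3] = 0                               # hops
    scratch[24:28] = b"\0" * 4                   # giaddr
    scratch[mac_off:mac_off + 16] = b"\0" * 16   # authentication information
    return hmac.new(key, bytes(scratch), hashlib.md5).digest()

def isns_option_if_authenticated(msg, secrets, last_replay):
    """iSNS option value only if a valid, fresh RFC 3118 option (proto 1, HMAC-MD5, counter RDM) is present."""
    opts = parse_options(msg)
    if OPT_ISNS not in opts or OPT_AUTH not in opts:
        return None                               # unauthenticated reply: do not use the option
    off, auth = opts[OPT_AUTH]
    if len(auth) != AUTH_LEN or auth[:3] != b"\x01\x01\x00":
        return None
    replay, secret_id = struct.unpack("!QI", auth[3:15])
    key = secrets.get(secret_id)                  # secret ID -> shared key
    if key is None or replay <= last_replay or not hmac.compare_digest(
            delayed_auth_mac(msg, off + 15, key), auth[15:]):
        return None
    return opts[OPT_ISNS][1]

def build_reply(isns_value, key, secret_id, replay):
    """Constructed BOOTREPLY carrying an iSNS option and a correctly signed auth option (demo input)."""
    header = b"\x02\x01\x06\x00" + b"\0" * 232 + b"\x63\x82\x53\x63"
    auth = b"\x01\x01\x00" + struct.pack("!QI", replay, secret_id) + b"\0" * 16
    body = (bytes([OPT_ISNS, len(isns_value)]) + isns_value
            + bytes([OPT_AUTH, AUTH_LEN]) + auth + bytes([OPT_END]))
    msg = bytearray(header + body)
    mac_off = parse_options(bytes(msg))[OPT_AUTH][0] + 15
    msg[mac_off:mac_off + 16] = delayed_auth_mac(bytes(msg), mac_off, key)
    return bytes(msg)
```

The replay counter check matters as much as the MAC: RFC 3118 only protects against replayed replies when the client keeps the last accepted value per server secret.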