IETF Logo Mail Archive

RE: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt

"Bernie Volz \(volz\)" <volz@cisco.com> Sat, 21 January 2006 00:48 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F06vP-0001C2-UK; Fri, 20 Jan 2006 19:48:15 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F06vD-0001B2-SZ; Fri, 20 Jan 2006 19:48:14 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA16983; Fri, 20 Jan 2006 19:46:35 -0500 (EST)
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F0742-0005hs-WC; Fri, 20 Jan 2006 19:57:12 -0500
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-5.cisco.com with ESMTP; 20 Jan 2006 14:16:58 -0800
X-IronPort-AV: i="unknown"; a="250449171:sNHT0"
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id k0KMH7cd015942; Fri, 20 Jan 2006 14:17:21 -0800 (PST)
Received: from xmb-rtp-20a.amer.cisco.com ([64.102.31.15]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 20 Jan 2006 17:17:21 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Date: Fri, 20 Jan 2006 17:17:19 -0500
Message-ID: <8E296595B6471A4689555D5D725EBB21011FE156@xmb-rtp-20a.amer.cisco.com>
Thread-Topic: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Thread-Index: AcYd+Xc730GSZNBrR/Wxdw5FLCGt2wAE+Rtw
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Ted Lemon <Ted.Lemon@nominum.com>, dhcwg@ietf.org
X-OriginalArrivalTime: 20 Jan 2006 22:17:21.0041 (UTC) FILETIME=[4825B010:01C61E0F]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2086112c730e13d5955355df27e3074b
Content-Transfer-Encoding: quoted-printable
Cc: iesg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

There's also the assumption that a relay-agent, that will relay the
message using IPsec, doesn't relay a relayed message except if received
from an IPsec secured relay (since the relays down the chain and the
server can't know which earlier hops were secured or not - except the
last). A relay-agent only relay's a client message and an IPsec secured
relay message? (There isn't anything that I found that explicitly states
this in RFC 3315, so perhaps something to consider as we advance the
document. Or do we feel that is naturally obvious.)

Regarding your other point:

> It _is_ possible for a DHCP client to construct a relay 
> packet and send it to 
> a relay.  That relay might forward the packet to the server.  
>  Likewise, a 
> client can construct a relay packet and send it directly to 
> the server 
> (although getting a response back would be problematic).   
> DHCPv6 allows 
> multiple relay encapsulation, so there's no denying that it's 
> possible to 
> spoof an ID using the mechanism described here.

Isn't there inherently an assumption that a relay know whether it should
only be a first hop relay and thus ONLY relay client traffic (and not
relayed messages). This would be useful in both directions, since if so
configured, the relay would never want to relay a RELAY-REPLY either. (I
guess servers could also be told the maximum hops expected and drop
messages that have more than the maximum hops.)

- Bernie

> -----Original Message-----
> From: Ted Lemon [mailto:Ted.Lemon@nominum.com] 
> Sent: Friday, January 20, 2006 2:40 PM
> To: dhcwg@ietf.org
> Cc: Bernie Volz (volz); iesg@ietf.org
> Subject: Re: [dhcwg] IESG Discusses/Comments on 
> draft-ietf-dhc-dhcpv6-subid-00.txt
> 
> On Friday 20 January 2006 10:13, Bernie Volz (volz) wrote:
> > This option is NOT used by clients. It is used between 
> relay agents and
> > servers only. Thus, there is no issue regarding roaming (unless of
> > course the relay agents and servers are in different administrative
> > domains, but in this case there is likely some agreement 
> between these
> > domains and the relay would likely only forward the 
> information to the
> > appropriate server(s)).
> 
> Just to be clear, there are two different kinds of DHCPv6 
> packets - a naked 
> packet from a client, and a relay packet from or two a relay 
> agent, which 
> encapsulates a naked packet from the client.   This option 
> can only appear in 
> the relay agent portion of the packet.   You guys have all 
> read RFC3315, but 
> memories fade, so I thought it might be worth pointing this out.
> 
> It _is_ possible for a DHCP client to construct a relay 
> packet and send it to 
> a relay.  That relay might forward the packet to the server.  
>  Likewise, a 
> client can construct a relay packet and send it directly to 
> the server 
> (although getting a response back would be problematic).   
> DHCPv6 allows 
> multiple relay encapsulation, so there's no denying that it's 
> possible to 
> spoof an ID using the mechanism described here.
> 
> In practice, though, there are problems with this.   The 
> likely result of this 
> would be an error - the client would not get a valid 
> configuration, and would 
> not be able to use the network.   The worst that might happen 
> is that if a 
> client successfully perpetrated this attack, another client 
> might experience 
> a denial of service because the DHCP server might not be 
> willing to hand out 
> additional IP addresses to the same remote ID.
> 
> This still wouldn't be a problem if the DHCP server is 
> managing the client's 
> address space, because any attempt to exhaust a /48 would 
> simply overwhelm 
> the server, which you can do without using the remote ID 
> option.   It would 
> be a problem with prefix delegations, though, since 
> presumably the ISP isn't 
> going to assign an unlimited number of /48's to every subscriber.
> 
> However, protecting the remote ID by making it secret isn't 
> necessary.   The 
> DHCPv6 protocol defines a shared secret-based authentication 
> mechanism, and 
> furthermore it's possible for the relay agent and server to 
> do IPsec, and to 
> use IPsec to prove that the remote ID was inserted by the 
> relay agent, not a 
> client.
> 
> So I think the fix for this is to mention in the security 
> considerations 
> section that DHCPv6 servers and relay agents SHOULD use 
> shared-secret-based 
> authentication in cases where this option is used, and that 
> in particular 
> DHCPv6 servers SHOULD ignore the contents of this option if 
> these contents 
> have not been verified using shared-secret-based 
> authentication or some other 
> kind of secure authentication.
> 
> This still leaves open a possible hole if the DHCPv6 client sends a 
> relay-forward packet to the DHCPv6 relay agent, but the 
> DHCPv6 relay agent 
> doesn't insert its own remote ID option.   However, in this 
> case the server 
> is not expecting a remote ID option, so I think this is okay.
> 

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email