Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection

Ralph Droms <rdroms@cisco.com> Tue, 08 October 2002 19:24 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA27598 for <dhcwg-archive@odin.ietf.org>; Tue, 8 Oct 2002 15:24:42 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id g98JQMX25346 for dhcwg-archive@odin.ietf.org; Tue, 8 Oct 2002 15:26:22 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g98JQMv25343 for <dhcwg-web-archive@optimus.ietf.org>; Tue, 8 Oct 2002 15:26:22 -0400
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA27583 for <dhcwg-web-archive@ietf.org>; Tue, 8 Oct 2002 15:24:11 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g98JO9v25258; Tue, 8 Oct 2002 15:24:09 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g98JMRv25173 for <dhcwg@optimus.ietf.org>; Tue, 8 Oct 2002 15:22:27 -0400
Received: from funnel.cisco.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA27460 for <dhcwg@ietf.org>; Tue, 8 Oct 2002 15:20:16 -0400 (EDT)
Received: from rdroms-w2k.cisco.com (ch2-dhcp150-107.cisco.com [161.44.150.107]) by funnel.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id PAA01704; Tue, 8 Oct 2002 15:22:14 -0400 (EDT)
Message-Id: <4.3.2.7.2.20021008151605.00b72388@funnel.cisco.com>
X-Sender: rdroms@funnel.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 08 Oct 2002 15:22:11 -0400
To: Thomas Narten <narten@us.ibm.com>
From: Ralph Droms <rdroms@cisco.com>
Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Cc: Ted Lemon <Ted.Lemon@nominum.com>, "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>, Kim Kinnear <kkinnear@cisco.com>, dhcwg@ietf.org
In-Reply-To: <200210081911.g98JBEK28127@rotala.raleigh.ibm.com>
References: <Message from Ted Lemon <Ted.Lemon@nominum.com> <061142C8-DAF0-11D6-A9B4-00039367340A@nominum.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>

If I squint my eyes and stand back far enough, I don't see that the DHCPv4 
case is different.  While the relay agent is relaying a message on behalf 
of the client, it really is relaying that message in an independent UDP 
message, in which the source address belongs to the relay agent.  I don't 
think there is any reason the relay agent and server can't employ IPsec on 
the relay agent<->server messages.

Of course, IPsec may be problematic if there are multiple relay agents in 
the path - which is the problem Mark Stapp is trying to solve, right?

- Ralph

At 03:11 PM 10/8/2002 -0400, Thomas Narten wrote:
>Ted Lemon <Ted.Lemon@nominum.com> writes:
>
> > > Perhaps I shouldn't raise this, but it seems like we should be
> > > worrying much
> > > more about security on the first hop (client <-> server/relay) than the
> > > relay <-> server hop. The latter is much easier to secure as IPsec,
> > > tunneling,
> > > and other fairly standard techniques could be used.
> > >
> > > Also, is the DHCPv6 draft strong enough in this area to satisfy the
> > > IESG (at
> > > least around the relay <-> server security)?
>
> > Right, the relay<->server hop is regular IP, so there's no reason not
> > to use IPsec to secure it.
>
>In DHCPv6, using IPsec makes sense. The relay agent is originating a
>new message that it sends to the DHC server.
>
>But DHCPv4 is different, in that it relays the client packet. So IPsec
>can't really be used there. But certainly a DHC-specific
>authentication option could be defined for covering the relay agent
>option and/or portions of the client request.
>
>Thomas

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg