Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18
Sheng Jiang <jiangsheng@huawei.com> Tue, 06 May 2014 07:36 UTC
Return-Path: <jiangsheng@huawei.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A09DC1A0269 for <dhcwg@ietfa.amsl.com>; Tue, 6 May 2014 00:36:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.552
X-Spam-Level:
X-Spam-Status: No, score=-4.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09IuCTT-hiB8 for <dhcwg@ietfa.amsl.com>; Tue, 6 May 2014 00:36:46 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 2F8511A0265 for <dhcwg@ietf.org>; Tue, 6 May 2014 00:36:45 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml204-edg.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BDW12092; Tue, 06 May 2014 07:36:40 +0000 (GMT)
Received: from LHREML406-HUB.china.huawei.com (10.201.5.243) by lhreml204-edg.china.huawei.com (172.18.7.223) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 6 May 2014 08:35:25 +0100
Received: from NKGEML408-HUB.china.huawei.com (10.98.56.39) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 6 May 2014 08:36:39 +0100
Received: from NKGEML512-MBX.china.huawei.com ([169.254.7.206]) by nkgeml408-hub.china.huawei.com ([10.98.56.39]) with mapi id 14.03.0158.001; Tue, 6 May 2014 15:36:35 +0800
From: Sheng Jiang <jiangsheng@huawei.com>
To: 神明達哉 <jinmei@wide.ad.jp>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>
Thread-Topic: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18
Thread-Index: AQHPY9fqOkQX2Up+wk+VaPjsYGUK15sp5cSAgAlKLTA=
Date: Tue, 06 May 2014 07:36:34 +0000
Message-ID: <5D36713D8A4E7348A7E10DF7437A4B923AE43272@nkgeml512-mbx.china.huawei.com>
References: <535FEDAD.5010103@gmail.com> <CAJE_bqen37j5UCsKZj6syVyvk2Xed4V_xGp-t4xY8shjmS+H5g@mail.gmail.com>
In-Reply-To: <CAJE_bqen37j5UCsKZj6syVyvk2Xed4V_xGp-t4xY8shjmS+H5g@mail.gmail.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.145]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/RhOMNwhcH976ystZKXgWI59L_A4
Cc: dhcwg <dhcwg@ietf.org>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 07:36:47 -0000
Hi, Jinmei, Thanks for your email. Replies in lines. >- (maybe already discussed before but) the concept of using public key > authentication in DHCP makes some sense to me, but I wonder why we > are discussing this specifically for DHCPv6. As far as I know > there's no such counterpart in DHCPv4 (the only related thing I can > google is draft-gupta-dhcp-auth-02.txt, which expired long ago), am > I correct? If so, is that because *v4 is just too legacy and isn't > worth improvements anymore? Or does that reflect some DHCP specific > points that make public key authentication not so viable? If it's > the latter, doesn't it also apply to this proposal? Replied in another email, too. We do have a plan to extend in DHCPv4. However, it would be in lower priority for us and for WG. >- The description of the draft is a bit vague (which may have to be > clarified anyway), but if I understand it correctly, it assumes that > both clients (each of them) and servers maintain their pair of > public-private keys, and a client offers and uses its own key to > authenticate messages from the client to servers. Is that correct? > If so, does this make sense? My general understanding is that > authenticating DHCP messages from clients to server is not that > critical, and it's quite unlikely that servers maintain public keys > of all possible clients so the servers would have to rely on the > leap-of-faith model. They then may have to worry about the > "resource exhaustion attacks" (although I'm not sure if this is a > big issue, see below). > >Other non editorial comments on the draft: >- Section 5.1: > Public Key A variable-length field containing public key. The > key MUST be represented as a lower-case hexadecimal > string with the most significant octet of the key > first. Typically, the length of a 2048-bit RSA > > Is there any specific reason it's represented as a string? Not > necessarily bad, but I thought more common practice here is to > simply use the binary value of the key. DHCP options in wire format > are not expected to be human readable anyway, so I don't see the > point for using a string here. We borrow the ideas from multiple other security mechanisms such as rfc 7210. But your concern makes sense. We will change this according to your point. >- In Section 6.2: > > On the recipient that supports the leap of faith model, the number of > cached public keys or unverifiable certificates MUST be limited in > order to protect against resource exhaustion attacks. If the > > This is mainly concerned about servers, correct? If so, I'm not > sure how severe this "attacks" are; DHCP servers generally need to > maintain some state for each client (unless that's stateless only > server) and would naturally already have some limitation on that > resource. Shouldn't the general defense be enough for this > particular resource, too? The "MUST" here seems not proper. Let us replace is with "MAY". It makes this point optional and should address your concern. >Editorial nits: Editorial nits will be fixed. :) Best regards, Sheng + Dacheng
- [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Res… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Liubing (Leo)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Declan Ma
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… liuzilong8266
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- [dhcwg] WGLC summary for draft-ietf-dhc-sedhcpv6-… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- [dhcwg] Deployment consideration for SeDHCPv6 Sheng Jiang
- Re: [dhcwg] Deployment consideration for SeDHCPv6 神明達哉
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Ralph Droms
- Re: [dhcwg] Deployment consideration for SeDHCPv6 神明達哉
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Sheng Jiang
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Ralph Droms