Re: [dhcwg] Deployment consideration for SeDHCPv6
Sheng Jiang <jiangsheng@huawei.com> Wed, 18 June 2014 09:30 UTC
Return-Path: <jiangsheng@huawei.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7882E1A0104 for <dhcwg@ietfa.amsl.com>; Wed, 18 Jun 2014 02:30:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.552
X-Spam-Level:
X-Spam-Status: No, score=-4.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8iuIS-8ywuB for <dhcwg@ietfa.amsl.com>; Wed, 18 Jun 2014 02:30:23 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2F981A00A6 for <dhcwg@ietf.org>; Wed, 18 Jun 2014 02:30:21 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BFO09581; Wed, 18 Jun 2014 09:30:20 +0000 (GMT)
Received: from nkgeml409-hub.china.huawei.com (10.98.56.40) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 18 Jun 2014 10:30:19 +0100
Received: from NKGEML512-MBX.china.huawei.com ([169.254.7.68]) by nkgeml409-hub.china.huawei.com ([10.98.56.40]) with mapi id 14.03.0158.001; Wed, 18 Jun 2014 17:30:16 +0800
From: Sheng Jiang <jiangsheng@huawei.com>
To: Ralph Droms <rdroms.ietf@gmail.com>, 神明達哉 <jinmei@wide.ad.jp>
Thread-Topic: [dhcwg] Deployment consideration for SeDHCPv6
Thread-Index: AQHPgKHv1Ac5DKV250+NBNKyOimJaptj6VoAgBEuy4CAAZYj8A==
Date: Wed, 18 Jun 2014 09:30:16 +0000
Message-ID: <5D36713D8A4E7348A7E10DF7437A4B923AE8D3C9@nkgeml512-mbx.china.huawei.com>
References: <535FEDAD.5010103@gmail.com> <5388F901.1000709@gmail.com> <78B235AF-D94C-40F1-9C76-4159B3A0A043@nominum.com> <CAJE_bqf4UZeFifHMhM=Vo2X66+ab7cnhb19K-XD_+_pr7-VS1A@mail.gmail.com> <FF49B4DE-E45F-4FF7-9C2D-5FA72FE66A4D@gmail.com> <C7C8884E-499D-4B55-B978-8D7A4D21EE3C@nominum.com> <5D36713D8A4E7348A7E10DF7437A4B923AE88462@nkgeml512-mbx.china.huawei.com> <5D36713D8A4E7348A7E10DF7437A4B923AE891C2@nkgeml512-mbx.china.huawei.com> <CAJE_bqfJmdeTXwZNYx2XcLeMOJ2DhBkzXTQ61S8q4s=PL-28dA@mail.gmail.com> <791EB108-E4E8-4A82-84BC-CB36E277CAC4@gmail.com>
In-Reply-To: <791EB108-E4E8-4A82-84BC-CB36E277CAC4@gmail.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.145]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/WdnJlYsfJKCC2-mQrFsV9PgBaz0
Cc: dhcwg <dhcwg@ietf.org>, Lemon Ted <ted.lemon@nominum.com>
Subject: Re: [dhcwg] Deployment consideration for SeDHCPv6
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jun 2014 09:30:25 -0000
Thanks Ralph for confirmation. Thanks Jinmei for helpful input. We have included these text in the ongoing update version. Best regards, Sheng >-----Original Message----- >From: Ralph Droms [mailto:rdroms.ietf@gmail.com] >Sent: Wednesday, June 18, 2014 1:16 AM >To: 神明達哉; Sheng Jiang >Cc: Lemon Ted; dhcwg >Subject: Re: [dhcwg] Deployment consideration for SeDHCPv6 > >Sheng - I think Jinmei-san's suggested text is very good, although I do have >one question about authentication on a server. The text includes examples >for the various scenarios, which addresses my primary concern. > >Jinmei-san - I have one question about your text. Can you explain in a little >more detail how the second and third examples of authentication on a server >work, in which you say the server only has to remember the client's public key >so neither full authentication nor LoF is required? > >- Ralph > >On Jun 6, 2014, at 2:51 PM 6/6/14, 神明達哉 <jinmei@wide.ad.jp> wrote: > >> At Thu, 5 Jun 2014 09:38:41 +0000, >> Sheng Jiang <jiangsheng@huawei.com> wrote: >> >>> The below text is the proposal from SeDHCPv6 authors in order to >>> clarify the applicability. We plan to add these text, of course >>> after reaching consensus in the mail list, into the next update >>> version. Any comments are appreciated. >> >> The proposed text seems to be almost a minor revise of my outline I >> showed on the list, so I guess Ted would still complain that it's >> incomplete:-). I'm not sure how much we should be "complete" in this >> document (especially if we wouldn't like to make the document a >> kitchen sink), but I'll show my own try below. Not intending to push >> this particular text, but I thought I'm responsible for providing >> something more concrete as someone who keeps raising the point. >> >> X. Deployment consideration >> >> This document defines two levels of authentication: full >> authentication based on certificate or pre-shared key verification and >> weaker authentication based on leap-of-faith (LoF). As a mechanism, >> both levels can be applied on servers and clients. Depending on the >> details of expected threats and other constraints, some cases may have >> limited applicability. This section discusses such details. >> >> X.1 Authentication on a client >> >> For clients, DHCP authentication generally means authenticating the >> server (the sender of DHCP messages) and verifying message integrity. >> >> This is satisfied with full authentication. Due to the configuration >> overhead, however, full authentication may not always be feasible. It >> would still be viable in a controlled environment with skilled stuff, >> such as a corporate intranet. >> >> If LoF is used, message integrity is provided but there is a chance >> for the client to incorrectly trust a malicious server at the >> beginning of the first session with the server (and therefore keep >> trusting it thereafter). But LoF guarantees the subsequent messages >> are sent by the same server that sent the public key, and therefore >> narrows the attack scope. This may make sense if the network can be >> reasonably considered secure and requesting pre-configuration is >> deemed to be infeasible. A small home network would be an example of >> such cases. >> >> For environments that are neither controlled nor really trustworthy, >> such as a network cafe, full authentication wouldn't be feasible due >> to configuration overhead, while pure LoF, i.e. silently trusting the >> server at the first time, would be too insecure. But some >> middleground might be justified, such as requiring human intervention >> at the point of LoF. >> >> X.2 Authentication on a server >> >> As for authentication on a server, there are several different >> scenarios to consider, each of which has different applicability >> issues. >> >> A server may have to selectively serve a specific client or deny >> specific clients depending on the identify of the client. This will >> require full authentication, since if the server allows LoF any >> malicious user can pretend to be a new legitimate client. Also, the >> use of certification wouldn't be feasible in this case, since it's >> less likely for all such clients to have valid (and generally >> different) certificates. So the applicable case may be limited, but a >> controlled environment with skilled stuff and a specifically expected >> set of clients such as a corporate intranet may still find it useful >> and viable. >> >> A server can prevent an attack on the DHCP session with an existing >> client from a malicious client, e.g., by sending a bogus Release >> message: the server would remember the original client's public key >> at the beginning of the DHCP session and authenticate subsequent >> messages (and their sender). Neither full authentication nor LoF is >> needed for this purpose, since the server does not have to trust the >> public key itself. So this can be generally used for any usage of >> DHCP. >> >> A server can prevent an attack by a malicious client that pretends to >> be a valid past client and tries to establish a new DHCP session >> (whether this is a real security threat may be a subject of debate, >> but this is probably at least annoying). This is similar to the first >> scenario, but full authentication may not necessarily be required; >> since the purpose is to confirm a returning client has the same >> identify as a valid past client, the server only has to remember the >> client's public key at the first time. So LoF can be used at the risk >> of allowing a malicious client to mount this attack before the initial >> session with a valid client. An uncontrolled, but reasonable reliable >> network like a home network may use this defense with LoF. >> >> -- >> JINMEI, Tatuya
- [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Res… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Liubing (Leo)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Declan Ma
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… liuzilong8266
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- [dhcwg] WGLC summary for draft-ietf-dhc-sedhcpv6-… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- [dhcwg] Deployment consideration for SeDHCPv6 Sheng Jiang
- Re: [dhcwg] Deployment consideration for SeDHCPv6 神明達哉
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Ralph Droms
- Re: [dhcwg] Deployment consideration for SeDHCPv6 神明達哉
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Sheng Jiang
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Ralph Droms