RE: [dhcwg] dhcpv6-24: Reconfigure

"Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se> Wed, 15 May 2002 17:22 UTC

This certainly is an interesting idea. (Redundant server setups would likely need to exchange other information so they could also exchange the nonce).

But, what about simply suggesting that DHCP authentication be used? Or is that considered too weak?

Anyway, to make sure I understand this, you would recommend a "Reconfiguration Nonce" option that the server would send the client in a Reply (such as to a Request or Rebind). The client would save this option and only accept a Reconfigure if the server sent that same "Reconfiguration Nonce" option in the Reconfigure message?

Note: Perhaps any Reply from a server could contain this as it may want to change its nonce?

x.x Reconfiguration Nonce Option

   A server sends the Reconfiguration Nonce option to a client in a Reply
   to a Request and Rebind. The client is responsible for saving the
   reconfiguration-nonce in order to validate reconfiguration requests
   from the server. The server also sends the Reconfiguration Nonce option
   in a Reconfigure message and the client only accepts the Reconfigure
   message if the nonce matches the one received in a Reply.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      OPTION_INTERFACE_ID      |         option-len            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                     reconfiguration-nonce                     .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



      option-code          OPTION_INTERFACE_ID (18)

      option-len           Length of reconfiguration-nonce field

      reconfiguration-nonce An opaque value of arbitrary length generated
                           by the server


- Bernie


-----Original Message-----
From: Thomas Narten [mailto:narten@us.ibm.com]
Sent: Wednesday, May 15, 2002 1:06 PM
To: dhcwg@ietf.org
Subject: [dhcwg] dhcpv6-24: Reconfigure


One IESG member has asked:

> 19. DHCP Server-Initiated Configuration Exchange

> reconfigure messages provide such a wonderful opportunity for
> attack.  and they are sent unicast "using an IPv6 unicast address
> of sufficient scope belonging to the DHCP client."

> possibly, the server could have initially provided a nonce that the
> client retains for validation.  but this precludes redundant server
> setups etc.

My response:

An interesting suggestion. Actually, it may not preclude this.  The
idea behind the Reconfigure is that the server that has state about
clients sends unicast Reconfigures to that client. It is not intended
to be used to allow any old DHC server to prod a client. So requiring
that the server also include a nonce may be OK. 
 
Question to the WG: should this be added? It would add some additional
defense against improper Reconfigure.

Thoughts?
 
Thomas
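
The client-side check that the proposed option implies, as an added example that is not part of the original messages or of any DHCPv6 implementation. The `Client` class, the function names, the 16-byte nonce and the choice to pass only the options portion of a message are assumptions; the option code is taken as written in the post's layout.

```python
import hmac
import secrets
import struct

OPT_RECONF_NONCE = 18  # code as written in the post's layout, not an assigned value

def encode_option(code: int, data: bytes) -> bytes:
    """DHCPv6 option TLV: 16-bit code, 16-bit option-len, then the value."""
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf: bytes) -> dict:
    """Parse consecutive option TLVs, rejecting truncated or overlong fields."""
    opts, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("option-len runs past end of message")
        opts[code] = buf[off:off + length]
        off += length
    return opts

class Client:
    """Hypothetical client state holding the nonce from the last Reply."""
    def __init__(self) -> None:
        self.saved_nonce = b""

    def on_reply(self, options: bytes) -> None:
        nonce = parse_options(options).get(OPT_RECONF_NONCE, b"")
        if nonce:  # assumption: a later Reply may replace the saved nonce
            self.saved_nonce = nonce

    def accept_reconfigure(self, options: bytes) -> bool:
        try:
            nonce = parse_options(options).get(OPT_RECONF_NONCE, b"")
        except ValueError:
            return False  # malformed message: drop it
        if not self.saved_nonce or not nonce:
            return False  # fail closed when either side has no nonce
        return hmac.compare_digest(nonce, self.saved_nonce)

def demo() -> list:
    good = encode_option(OPT_RECONF_NONCE, secrets.token_bytes(16))  # constructed
    client = Client()
    client.on_reply(good)
    forged = encode_option(OPT_RECONF_NONCE, bytes(16))  # constructed wrong nonce
    return [client.accept_reconfigure(m) for m in (good, forged, b"", good[:-1])]
```

A nonce carried in the clear only rejects senders who never saw the Reply; anyone able to observe the exchange can replay the value.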
