Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with DISCUSS and COMMENT)
Alissa Cooper <alissa@cooperw.in> Wed, 30 September 2015 22:55 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B781AC3E4 for <dhcwg@ietfa.amsl.com>; Wed, 30 Sep 2015 15:55:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnSYx4zW8yzg for <dhcwg@ietfa.amsl.com>; Wed, 30 Sep 2015 15:55:07 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68CE11AC3E1 for <dhcwg@ietf.org>; Wed, 30 Sep 2015 15:55:07 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id D6BF820AC5 for <dhcwg@ietf.org>; Wed, 30 Sep 2015 18:55:06 -0400 (EDT)
Received: from frontend1 ([10.202.2.160]) by compute2.internal (MEProxy); Wed, 30 Sep 2015 18:55:06 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=0dS94 91nRIJcu12E9Mm3tIYJWjA=; b=BIWQdYb+8Rt9YzjudwSj6IJBf98VYdNeHez9m YfWCcLh9F/qFbIR4E3a5uN9G8qYCdrLuqPwm+OVcVqS9G6xodAR4qiny62I/Aqd8 Sh8xsJn3d3K1h8hfX4EuXdo0cXCdKlHZjvUhrOo0TvA+ZG08o4Mdvm5eQp59Hxxx br3FC4=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=0dS9491nRIJcu12E9Mm3tIYJWjA=; b=Q4kAl 48ZRscuIwztR6w3xlWXmkU0TeHKm02XR/ivu72PbYmFHp2CLFkmn38Z99GlcwwgS 0YHnone8+IDnOR3PWpOVZdD7u2M1DnBphRzUim607RQDh66qdt+pl9zCh/kBlgJy wPkowLIqBH5pKJPPPv1z9dUFlUfNDPXGc6w/L4=
X-Sasl-enc: rHpgMG0jmoeTQAxnIw7RjHJCa5MuUmCrj6f2v0gCzbuA 1443653706
Received: from dhcp-171-68-20-218.cisco.com (dhcp-171-68-20-218.cisco.com [171.68.20.218]) by mail.messagingengine.com (Postfix) with ESMTPA id E9F94C00013; Wed, 30 Sep 2015 18:55:05 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_608D1B60-004E-4234-ACE6-47F3B468522A"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <939EE2DF-1E5F-4C9F-8F4A-3809369D92A7@cisco.com>
Date: Wed, 30 Sep 2015 15:55:04 -0700
Message-Id: <B3F93E4F-595A-44EB-A302-B83A67C828BC@cooperw.in>
References: <20150929224619.31476.89163.idtracker@ietfa.amsl.com> <939EE2DF-1E5F-4C9F-8F4A-3809369D92A7@cisco.com>
To: Kim Kinnear <kkinnear@cisco.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/WjhHDlduZkh1Uf64V-qKZg4RA5o>
Cc: dhcwg@ietf.org, IESG <iesg@ietf.org>
Subject: Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 22:55:13 -0000
> On Sep 30, 2015, at 12:33 PM, Kim Kinnear <kkinnear@cisco.com> wrote: > > > Alissa, > > Thank you for reviewing our draft. I have responded to your discuss > and comment below. > > On Sep 29, 2015, at 6:46 PM, Alissa Cooper <alissa@cooperw.in <mailto:alissa@cooperw.in>> wrote: > >> Alissa Cooper has entered the following ballot position for >> draft-ietf-dhc-dhcpv4-active-leasequery-06: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv4-active-leasequery/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> What is the rationale for allowing the use of this protocol in insecure >> mode? I realize this is usually for backwards compatibility, but it seems >> like both clients and servers would need to be updated in order to >> implement this spec anyway. > > The basic reason for two modes of operation (insecure and > secure mode) is because there are essentially two models of > use for this protocol. In one model, the requestor of an > active leasequery is connected to the internet in an arbitrary > location, and the information transmitted needs to be > protected during transmission. In addition, the identity of > both requestor and server need to be verified. For this model > of use, the secure mode is appropriate. > > The other model of use is where the requestor of the active > leasequery resides in a network element that is essentially > "next to" the element containing the DHCP server, and both of > these elements are inside a protected environment. In this > case, the insecure mode is sufficient since there are other, > more global, protections in place to protect this information. Ok, apparently I had the same question on the v6 version but put it in a comment in support of Stephen’s DISCUSS. I think it would help to have some version of the above rationale in the draft, but will clear my DISCUSS. Thanks, Alissa > > Note that in discussions of the DHCPv6 Active Leasequery draft > with Stephen Farrell, we have changed both this draft and the > DHCPv6 version to require *two* explicit choices in > configuration to use the insecure mode. So nobody should be > able to deploy a DHCP server and through ignorance or > inattention allow someone to perform an insecure active > leasequery. > > Kathleen Moriarty attached a comment to her ballot explaining > why she didn't have an issue with this, and I agree > wholeheartedly with her analysis! > > >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> In sections 7.2, 8.1, and 9, this is a bit of a strange layering of >> normative requirements: >> >> The recommendations in [RFC7525] SHOULD be followed when negotiating >> this connection. >> >> If you were going to use normative language here I think this would more >> appropriately be a MUST, but I would actually recommend something along >> the lines of "The recommendations in [RFC7525] apply" since the >> recommendations contained therein vary in their normative strength. >> Perhaps the security ADs have a preferred formulation, I'm not sure. > > I will change the sentence you noted to be "The recommendations > in [RFC7525] apply." in the next update of the draft. > > Thanks again for your review. > > Kim >> >> >> _______________________________________________ >> dhcwg mailing list >> dhcwg@ietf.org <mailto:dhcwg@ietf.org> >> https://www.ietf.org/mailman/listinfo/dhcwg <https://www.ietf.org/mailman/listinfo/dhcwg>
- [dhcwg] Alissa Cooper's Discuss on draft-ietf-dhc… Alissa Cooper
- Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf… Kim Kinnear
- Re: [dhcwg] Alissa Cooper's Discuss on draft-ietf… Alissa Cooper