RE: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection

"Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se> Tue, 08 October 2002 19:47 UTC

From: "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>
To: "'Ralph Droms'" <rdroms@cisco.com>, Thomas Narten <narten@us.ibm.com>
Cc: Ted Lemon <Ted.Lemon@nominum.com>, Kim Kinnear <kkinnear@cisco.com>, dhcwg@ietf.org
Subject: RE: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Date: Tue, 8 Oct 2002 14:45:05 -0500

Why is IPsec a problem if you have multiple relays? If so, we may have the same
issue with DHCPv6?

In DHCPv4, each relay generates a new message so it can be subject to IPsec.

The server must assume that the relay before it (the one it received the packet
from) has sufficiently trusted the source (such as another relay) to relay the
packet.

- Bernie

-----Original Message-----
From: Ralph Droms [mailto:rdroms@cisco.com]
Sent: Tuesday, October 08, 2002 3:22 PM
To: Thomas Narten
Cc: Ted Lemon; Bernie Volz (EUD); Kim Kinnear; dhcwg@ietf.org
Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection 


If I squint my eyes and stand back far enough, I don't see that the DHCPv4 
case is different.  While the relay agent is relaying a message on behalf 
of the client, it really is relaying that message in an independent UDP 
message, in which the source address belongs to the relay agent.  I don't 
think there is any reason the relay agent and server can't employ IPsec on 
the relay agent<->server messages.

Of course, IPsec may be problematic if there are multiple relay agents in 
the path - which is the problem Mark Stapp is trying to solve, right?

- Ralph

At 03:11 PM 10/8/2002 -0400, Thomas Narten wrote:
>Ted Lemon <Ted.Lemon@nominum.com> writes:
>
> > > Perhaps I shouldn't raise this, but it seems like we should be worrying much
> > > more about security on the first hop (client <-> server/relay) than the
> > > relay <-> server hop. The latter is much easier to secure as IPsec, tunneling,
> > > and other fairly standard techniques could be used.
> > >
> > > Also, is the DHCPv6 draft strong enough in this area to satisfy the IESG (at
> > > least around the relay <-> server security)?
>
> > Right, the relay<->server hop is regular IP, so there's no reason not
> > to use IPsec to secure it.
>
>In DHCPv6, using IPsec makes sense. The relay agent is originating a
>new message that it sends to the DHC server.
>
>But DHCPv4 is different, in that it relays the client packet. So IPsec
>can't really be used there. But certainly a DHC-specific
>authentication option could be defined for covering the relay agent
>option and/or portions of the client request.
>
>Thomas
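
Added illustration, not part of the thread and not any participant's code: a minimal model of DHCPv4 relay processing showing that each relay sends a fresh UDP datagram from its own address, so a hop-by-hop IPsec association lets the server authenticate only the last relay while `giaddr` still names the first one. The addresses, the `max_hops` default and all function names are assumptions made for the example.

```python
import socket
import struct

# Fixed 236-byte BOOTP/DHCPv4 header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HOPS_OFF, GIADDR_OFF = 3, 24
ZERO = b"\x00" * 4

def make_discover(xid, mac):
    """Constructed client broadcast: BOOTREQUEST with hops = 0 and giaddr = 0."""
    return struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                       ZERO, ZERO, ZERO, ZERO, mac, b"", b"")

def relay(payload, relay_ip, max_hops=16):
    """Relay-agent step: returns (outer source IP of the new datagram, payload).

    The relay does not forward the client's IP packet; it originates its own,
    so the outer source is always the relay's address. max_hops is an assumed
    local policy value.
    """
    buf = bytearray(payload)
    if buf[HOPS_OFF] >= max_hops:
        raise ValueError("hop limit reached, discard")
    buf[HOPS_OFF] += 1
    # Only the first relay fills in giaddr; later relays leave it untouched.
    if bytes(buf[GIADDR_OFF:GIADDR_OFF + 4]) == ZERO:
        buf[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(relay_ip)
    return relay_ip, bytes(buf)

def server_view(outer_src, payload):
    """What the server can tie to its IPsec peer versus what it must take on trust."""
    giaddr = socket.inet_ntoa(payload[GIADDR_OFF:GIADDR_OFF + 4])
    return {"ipsec_peer": outer_src, "giaddr": giaddr,
            "hops": payload[HOPS_OFF],
            "giaddr_set_by_peer": outer_src == giaddr}

def two_relay_path():
    """Client -> relay 192.0.2.1 -> relay 198.51.100.1 -> server (constructed)."""
    msg = make_discover(0x1234ABCD, bytes.fromhex("020000000001"))
    _, msg = relay(msg, "192.0.2.1")
    src, msg = relay(msg, "198.51.100.1")
    return server_view(src, msg)

if __name__ == "__main__":
    print(two_relay_path())
```

With two relays the server's security association is with 198.51.100.1, yet the subnet is selected from a `giaddr` written by 192.0.2.1, which the server accepts only because its peer relayed it.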