Re: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Ted Lemon <Ted.Lemon@nominum.com> Fri, 20 January 2006 19:40 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F027h-0003Z7-2I; Fri, 20 Jan 2006 14:40:37 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F027f-0003Yw-DT; Fri, 20 Jan 2006 14:40:35 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA13665; Fri, 20 Jan 2006 14:39:08 -0500 (EST)
Received: from shell-ng.nominum.com ([81.200.64.181]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F02GR-0000OV-FF; Fri, 20 Jan 2006 14:49:40 -0500
Received: from vpn-38.vpn.nominum.com (vpn-38.vpn.nominum.com [128.177.199.38]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by shell-ng.nominum.com (Postfix) with ESMTP id 8C706568C5; Fri, 20 Jan 2006 11:40:13 -0800 (PST) (envelope-from Ted.Lemon@nominum.com)
From: Ted Lemon <Ted.Lemon@nominum.com>
Organization: Nominum, Inc.
To: dhcwg@ietf.org
Subject: Re: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Date: Fri, 20 Jan 2006 12:40:05 -0700
User-Agent: KMail/1.8.3
References: <8E296595B6471A4689555D5D725EBB21011FDFFD@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <8E296595B6471A4689555D5D725EBB21011FDFFD@xmb-rtp-20a.amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200601201240.05975.Ted.Lemon@nominum.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Content-Transfer-Encoding: 7bit
Cc: "Bernie Volz (volz)" <volz@cisco.com>, iesg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
On Friday 20 January 2006 10:13, Bernie Volz (volz) wrote: > This option is NOT used by clients. It is used between relay agents and > servers only. Thus, there is no issue regarding roaming (unless of > course the relay agents and servers are in different administrative > domains, but in this case there is likely some agreement between these > domains and the relay would likely only forward the information to the > appropriate server(s)). Just to be clear, there are two different kinds of DHCPv6 packets - a naked packet from a client, and a relay packet from or two a relay agent, which encapsulates a naked packet from the client. This option can only appear in the relay agent portion of the packet. You guys have all read RFC3315, but memories fade, so I thought it might be worth pointing this out. It _is_ possible for a DHCP client to construct a relay packet and send it to a relay. That relay might forward the packet to the server. Likewise, a client can construct a relay packet and send it directly to the server (although getting a response back would be problematic). DHCPv6 allows multiple relay encapsulation, so there's no denying that it's possible to spoof an ID using the mechanism described here. In practice, though, there are problems with this. The likely result of this would be an error - the client would not get a valid configuration, and would not be able to use the network. The worst that might happen is that if a client successfully perpetrated this attack, another client might experience a denial of service because the DHCP server might not be willing to hand out additional IP addresses to the same remote ID. This still wouldn't be a problem if the DHCP server is managing the client's address space, because any attempt to exhaust a /48 would simply overwhelm the server, which you can do without using the remote ID option. It would be a problem with prefix delegations, though, since presumably the ISP isn't going to assign an unlimited number of /48's to every subscriber. However, protecting the remote ID by making it secret isn't necessary. The DHCPv6 protocol defines a shared secret-based authentication mechanism, and furthermore it's possible for the relay agent and server to do IPsec, and to use IPsec to prove that the remote ID was inserted by the relay agent, not a client. So I think the fix for this is to mention in the security considerations section that DHCPv6 servers and relay agents SHOULD use shared-secret-based authentication in cases where this option is used, and that in particular DHCPv6 servers SHOULD ignore the contents of this option if these contents have not been verified using shared-secret-based authentication or some other kind of secure authentication. This still leaves open a possible hole if the DHCPv6 client sends a relay-forward packet to the DHCPv6 relay agent, but the DHCPv6 relay agent doesn't insert its own remote ID option. However, in this case the server is not expecting a remote ID option, so I think this is okay. _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] IESG Discusses/Comments on draft-ietf-dhc… Bernie Volz (volz)
- Re: [dhcwg] IESG Discusses/Comments on draft-ietf… Ted Lemon
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Wijnen, Bert (Bert)
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Bernie Volz (volz)
- RE: [dhcwg] IESG Discusses/Comments on draft-ietf… Bernie Volz (volz)
- Re: [dhcwg] IESG Discusses/Comments on draft-ietf… Ted Lemon
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Wijnen, Bert (Bert)
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Bernie Volz (volz)