IETF Logo Mail Archive

Re: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt

Ted Lemon <Ted.Lemon@nominum.com> Fri, 20 January 2006 19:40 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F027h-0003Z7-2I; Fri, 20 Jan 2006 14:40:37 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F027f-0003Yw-DT; Fri, 20 Jan 2006 14:40:35 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA13665; Fri, 20 Jan 2006 14:39:08 -0500 (EST)
Received: from shell-ng.nominum.com ([81.200.64.181]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F02GR-0000OV-FF; Fri, 20 Jan 2006 14:49:40 -0500
Received: from vpn-38.vpn.nominum.com (vpn-38.vpn.nominum.com [128.177.199.38]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by shell-ng.nominum.com (Postfix) with ESMTP id 8C706568C5; Fri, 20 Jan 2006 11:40:13 -0800 (PST) (envelope-from Ted.Lemon@nominum.com)
From: Ted Lemon <Ted.Lemon@nominum.com>
Organization: Nominum, Inc.
To: dhcwg@ietf.org
Subject: Re: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Date: Fri, 20 Jan 2006 12:40:05 -0700
User-Agent: KMail/1.8.3
References: <8E296595B6471A4689555D5D725EBB21011FDFFD@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <8E296595B6471A4689555D5D725EBB21011FDFFD@xmb-rtp-20a.amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200601201240.05975.Ted.Lemon@nominum.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Content-Transfer-Encoding: 7bit
Cc: "Bernie Volz (volz)" <volz@cisco.com>, iesg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

On Friday 20 January 2006 10:13, Bernie Volz (volz) wrote:
> This option is NOT used by clients. It is used between relay agents and
> servers only. Thus, there is no issue regarding roaming (unless of
> course the relay agents and servers are in different administrative
> domains, but in this case there is likely some agreement between these
> domains and the relay would likely only forward the information to the
> appropriate server(s)).

Just to be clear, there are two different kinds of DHCPv6 packets - a naked 
packet from a client, and a relay packet from or two a relay agent, which 
encapsulates a naked packet from the client.   This option can only appear in 
the relay agent portion of the packet.   You guys have all read RFC3315, but 
memories fade, so I thought it might be worth pointing this out.

It _is_ possible for a DHCP client to construct a relay packet and send it to 
a relay.  That relay might forward the packet to the server.   Likewise, a 
client can construct a relay packet and send it directly to the server 
(although getting a response back would be problematic).   DHCPv6 allows 
multiple relay encapsulation, so there's no denying that it's possible to 
spoof an ID using the mechanism described here.

In practice, though, there are problems with this.   The likely result of this 
would be an error - the client would not get a valid configuration, and would 
not be able to use the network.   The worst that might happen is that if a 
client successfully perpetrated this attack, another client might experience 
a denial of service because the DHCP server might not be willing to hand out 
additional IP addresses to the same remote ID.

This still wouldn't be a problem if the DHCP server is managing the client's 
address space, because any attempt to exhaust a /48 would simply overwhelm 
the server, which you can do without using the remote ID option.   It would 
be a problem with prefix delegations, though, since presumably the ISP isn't 
going to assign an unlimited number of /48's to every subscriber.

However, protecting the remote ID by making it secret isn't necessary.   The 
DHCPv6 protocol defines a shared secret-based authentication mechanism, and 
furthermore it's possible for the relay agent and server to do IPsec, and to 
use IPsec to prove that the remote ID was inserted by the relay agent, not a 
client.

So I think the fix for this is to mention in the security considerations 
section that DHCPv6 servers and relay agents SHOULD use shared-secret-based 
authentication in cases where this option is used, and that in particular 
DHCPv6 servers SHOULD ignore the contents of this option if these contents 
have not been verified using shared-secret-based authentication or some other 
kind of secure authentication.

This still leaves open a possible hole if the DHCPv6 client sends a 
relay-forward packet to the DHCPv6 relay agent, but the DHCPv6 relay agent 
doesn't insert its own remote ID option.   However, in this case the server 
is not expecting a remote ID option, so I think this is okay.

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email