[dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clarify-auth-00

Christian Strauf <strauf@rz.tu-clausthal.de> Tue, 20 July 2004 14:43 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24912; Tue, 20 Jul 2004 10:43:20 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bmvh3-0003vN-JY; Tue, 20 Jul 2004 10:34:09 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1BmvX3-0000zC-4J for dhcwg@megatron.ietf.org; Tue, 20 Jul 2004 10:23:49 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA23286 for <dhcwg@ietf.org>; Tue, 20 Jul 2004 10:23:46 -0400 (EDT)
Received: from sinfonix.rz.tu-clausthal.de ([139.174.2.33]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1BmvX8-0000nY-85 for dhcwg@ietf.org; Tue, 20 Jul 2004 10:23:58 -0400
Received: from [139.174.2.206] (balrog.rz.tu-clausthal.de [139.174.2.206]) by sinfonix.rz.tu-clausthal.de (8.9.3/8.9.3) with ESMTP id QAA24940 for <dhcwg@ietf.org>; Tue, 20 Jul 2004 16:23:41 +0200 (MET DST)
From: Christian Strauf <strauf@rz.tu-clausthal.de>
To: dhcwg@ietf.org
Content-Type: text/plain
Organization: Rechenzentrum TU Clausthal
Message-Id: <1090333421.11056.266.camel@localhost>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6
Date: Tue, 20 Jul 2004 16:23:41 +0200
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Content-Transfer-Encoding: 7bit
Subject: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clarify-auth-00
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
Content-Transfer-Encoding: 7bit

Jinmei-san,

here are my first comments on the I-D. My overall impression of the I-D
is very good, it seems to include all the issues raised on the DHC-ML.
All comments I have are mostly minor things like language and typos, not
essential problems with the contents.

I like the comment that you make in para 2.1 about not having a real
"session" in stateless which is essentially a contradiction to
"stateless" on one hand but on the other hand one obviously needs to
strictly separate sessions that concern content transmitted via DHCP and
sessions that concern the transmission itself. I think that your
proposed rephrasing of Section 21.4.4.4 incorporates that nicely.

I paragraph 4. you write:

"A reasonable interpretation of the phrase is probably as follows: a
DHCPv6 message is called unauthenticated when it fails the validation
test described in Section 21.4.2, it does not contain an authentication
option, or when it includes an authentication option but does not have
authentication information when necessary."

I would propose a minor rephrasing to clear the language up a little (if
I understand the above paragraph correctly, the following rewording
should work):

"A reasonable interpretation of the phrase is as follows: a DHCPv6
message is called unauthenticated if it fails the validation test
described in Section 21.4.2, if it does not contain an authentication
option, or if it includes an authentication option without the necessary
authentication information."

I also like para 5.1. very much, especially the choice of highlighted
keywords is very good. I second the idea of proposing a default policy
of discarding non-authenticated messages.

Minor typos:

para 2.:
	-It should also be noted that [RFC3315] does not define how the
         server should do when it receives
        +It should also be noted that [RFC3315] does not define what the
         server should do when it receives

para 3.:
	-3.  What If Reply Is Detected
	+3.  What If Replay Is Detected

para 5.:
	-Apparently this contradicts with the requirement in Section
         21.4.2.
	+Apparently this contradicts the requirement in Section 21.4.2.

para 5.1.:
	-Accepting an non-authenticated
	+Accepting a non-authenticated

Thank you for writing this I-D up, it summarises important DHCP
authentication issues raised on the ML very well and gives the reader a
good idea where there're gaps in the standard and where clarifications
should be made. Additionally I think that this I-D is a good basis for
any future BCP document regarding DHCPv6 deployments where
authentication mechanisms are used.

Cheers,
Christian


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg