Re: [dhcwg] draft-ietf-dhc-pktc-kerb-tckt-01.txt

Paul Duffy <paduffy@cisco.com> Wed, 23 April 2003 20:02 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA04725 for <dhcwg-archive@odin.ietf.org>; Wed, 23 Apr 2003 16:02:50 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h3NK57H26270 for dhcwg-archive@odin.ietf.org; Wed, 23 Apr 2003 16:05:07 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h3NK57826267 for <dhcwg-web-archive@optimus.ietf.org>; Wed, 23 Apr 2003 16:05:07 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA04691 for <dhcwg-web-archive@ietf.org>; Wed, 23 Apr 2003 16:02:19 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 198QTv-00073S-00 for dhcwg-web-archive@ietf.org; Wed, 23 Apr 2003 16:04:39 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 198QTv-00073P-00 for dhcwg-web-archive@ietf.org; Wed, 23 Apr 2003 16:04:39 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h3NK2w826120; Wed, 23 Apr 2003 16:02:58 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h3NK0T825933 for <dhcwg@optimus.ietf.org>; Wed, 23 Apr 2003 16:00:29 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA04429 for <dhcwg@ietf.org>; Wed, 23 Apr 2003 15:57:42 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 198QPS-00070O-00 for dhcwg@ietf.org; Wed, 23 Apr 2003 16:00:02 -0400
Received: from rtp-core-1.cisco.com ([64.102.124.12]) by ietf-mx with esmtp (Exim 4.12) id 198QPR-00070D-00 for dhcwg@ietf.org; Wed, 23 Apr 2003 16:00:01 -0400
Received: from funnel.cisco.com (funnel.cisco.com [161.44.168.79]) by rtp-core-1.cisco.com (8.12.6/8.12.6) with ESMTP id h3NJxtlY029283; Wed, 23 Apr 2003 15:59:56 -0400 (EDT)
Received: from paduffy-w2k.cisco.com (ch2-dhcp150-106.cisco.com [161.44.150.106]) by funnel.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id PAA12360; Wed, 23 Apr 2003 15:59:55 -0400 (EDT)
Message-Id: <4.3.2.7.2.20030423155349.01769d40@funnel.cisco.com>
X-Sender: paduffy@funnel.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 23 Apr 2003 15:59:54 -0400
To: Thomas Narten <narten@us.ibm.com>
From: Paul Duffy <paduffy@cisco.com>
Subject: Re: [dhcwg] draft-ietf-dhc-pktc-kerb-tckt-01.txt
Cc: dhcwg@ietf.org
In-Reply-To: <200304231936.h3NJaeDN014292@rotala.raleigh.ibm.com>
References: <Message from paduffy@cisco.com of "Wed, 23 Apr 2003 15:26:20 EDT." <4.3.2.7.2.20030423151100.026384e8@funnel.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>

...inline...

At 03:36 PM 4/23/2003 -0400, Thomas Narten wrote:
>Hi Paul.
>
> > > >        Code   Len      TCM
> > > >       +-----+-----+-----+-----+
> > > >       | TBD |  2  | m1  | m2  |
> > > >       +-----+-----+-----+-----+
> > >
> > >It might be better to not have m1/m2, since the text talks about a
> > >single 16-bit field rather than two smaller fields.
>
> > The format is consistent with the formats presented in RFC 3495 (sections
> > 8.3, 8.4, etc.).
>
>I guess we need to revise them and republish. :-)
>
> > I'm not sure what you are driving at.  Suggestions?
>
>THis is relatively minor thing, but since the field is 16-byte field,
>it seems better to show it that way then to divide it up into
>individual bytes.
>
>Just change the picture to something like:
>
>        Code   Len      TCM
>       +-----+-----+-----+-----+
>       | TBD |  2  | TC Mask   |
>       +-----+-----+-----+-----+

I'd much prefer leaving this as it is...its perfectly consistent with its 
parent RFC (3495).  IP addresses are also multi octet quantities...they are 
handled in a similar manner (not lumped into a single field).

OK ?


> > > >    5.   IANA Considerations
> > >
> > >what about future assignments of bit values?
>
> > Yes, needs to be added.  How about...
>
> > "IANA is requested to maintain a new number space of "CableLabs Client
> > Configuration Option Ticket Control Mask Bit Definitions", located in the
> > BOOTP-DHCP Parameters Registry.  The initial bit definitions are described
> > in section 4 of this document.  IANA is requested to register future bit
> > mask definitions via an "IETF Consensus" approval policy as described in
> > RFC 2434 [add ref}."
>
>works for me.

OK


> > > >       However, the scenario described above is unlikely to occur.
> > > >       Within the cable delivery architecture required by the various
> > > >       CableLabs projects, the DHCP client is connected to a network
> > > >       through a cable modem and the CMTS (head-end). The CMTS is
> > > >       explicitly configured with a set of DHCP servers to which DHCP
> > > >       requests are forwarded.  Further, a correctly configured CMTS
> > > >       will only allow downstream traffic from specific IP
> > > >       addresses/ranges.
> > >
> > >Could be more clear. I don't follow the last sentence, for example.
>
> > Last sentence change to...
>
> > "Further, the CMTS is explicitly configured to allow downstream traffic
> > only from specific IP addresses/ranges."
>
>I don't follow the overall discussion to be honest. When clients are
>using DHC, they don't have addresses yet. So what addresses are being
>filtered? ANd how does this filtering prevent spoofing  of DHC
>responses?
>
>Are you saying that the CMTS verifies that all traffic supposedly
>coming from a DHC server comes from a proper IP address (i.e., one
>assigned ot a server?). That offers some protection.

Yes

>But what about
>packets from spoofed addresses that correspond to DHC server
>addresses?

AFAIK, we are vulnerable.


> > P.S.  Should I hold the next draft until after IESG LC ?
>
>Sounds reasonable.

OK


>Thomas

--

Paul Duffy
Cisco Systems, Inc.
paduffy@cisco.com


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg