Re: [dhcwg] Fwd: New Version Notification for draft-ogud-dhc-udp-time-option-01.txt

Ted Lemon <ted.lemon@nominum.com> Sun, 01 December 2013 22:29 UTC

Content-Type: text/plain; charset="windows-1252"
MIME-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Ted Lemon <ted.lemon@nominum.com>
In-Reply-To: <B0A571B5-438A-47AB-AAA4-00D3FC077E22@ogud.com>
Date: Sun, 1 Dec 2013 17:29:14 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <331C154E-1A09-4BDD-A70A-AB67BEA2E1E8@nominum.com>
References: <20131201204227.7978.2067.idtracker@ietfa.amsl.com> <83842BD2-0261-472F-9CA1-AFBFB47EAD91@ogud.com> <C0A2F49F-7695-47E9-8AB0-7F94116437F9@nominum.com> <B0A571B5-438A-47AB-AAA4-00D3FC077E22@ogud.com>
To: Olafur Gudmundsson <ogud@ogud.com>
X-Mailer: Apple Mail (2.1822)
X-Originating-IP: [192.168.1.10]
Cc: "dhcwg@ietf.org WG" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Fwd: New Version Notification for draft-ogud-dhc-udp-time-option-01.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Dec 2013 22:29:22 -0000

On Dec 1, 2013, at 5:05 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
> The "threat" the document is trying to address: a device wants to do DNSSEC or CERT validation but its clock is far off, thus VALID credentials fail validation.

Ah, thanks for explaining. This is what I was missing—you're not doing this to avoid a threat at all, but rather to simply make DNSSEC work in a possibly non-secure mode until such time as you can bootstrap better time information.

This would be worth mentioning in the introduction and/or the security considerations section. You allude to it in the security considerations, but it's pretty oblique.

It is worth pointing out that NTP doesn't actually need DNS to work—DHCP can deliver NTP server addresses as IP addresses. That said, this option seems to add value, since there is no guarantee that devices that implement the existing DHCP NTP will not send FQDNs rather than IP addresses.
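A worked illustration of the two points raised in this message, added here as example code that is not part of the draft, the thread, or any implementation the authors describe. The first half shows why a device whose clock is far off rejects a genuine DNSSEC signature: RFC 4034 only lets a validator use an RRSIG when the current time falls between its inception and expiration fields, so a device booting with the epoch as its clock fails on every signature until it learns a better time (for example from a DHCP time option). The second half parses the existing DHCPv6 NTP server option (OPTION_NTP_SERVER, RFC 5908) and separates sub-options that carry literal addresses from those that carry FQDNs, since only the former can be used before DNS works. The RRSIG timestamps, the `2001:db8::123` address, the name `ntp.example.com`, and the helper names are constructed for this example.

```python
"""Added example for this thread (not code from the draft or its authors):
(1) a far-off clock makes a valid DNSSEC signature unusable, and
(2) which DHCP-delivered NTP servers can be used before DNS works.
All names, addresses and timestamps below are constructed for illustration.
"""
import ipaddress
import struct
from datetime import datetime, timezone


def _utc(y: int, m: int, d: int) -> int:
    """Seconds since the epoch for midnight UTC on the given date."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


# Constructed RRSIG validity window (RFC 4034 s.3.1.5 'Signature Inception'
# and 'Signature Expiration'): the signature is genuine for two weeks.
SIG_INCEPTION = _utc(2013, 11, 25)
SIG_EXPIRATION = _utc(2013, 12, 9)
DEVICE_CLOCK = 0                 # a fresh device booting with the epoch as its clock
DHCP_TIME = _utc(2013, 12, 1)    # time as it would arrive in a DHCP time option


def rrsig_window_status(inception: int, expiration: int, now: int) -> str:
    """Classify 'now' against the RRSIG window.

    RFC 4034 requires inception <= now <= expiration for the signature to be
    usable. Real validators use 32-bit serial-number arithmetic; plain
    comparison is equivalent for unambiguous timestamps like these.
    """
    if now < inception:
        return "not yet valid"
    if now > expiration:
        return "expired"
    return "valid"


# DHCPv6 OPTION_NTP_SERVER (56) sub-option codes from RFC 5908.
NTP_SUBOPTION_SRV_ADDR = 1   # 16-byte IPv6 unicast address
NTP_SUBOPTION_MC_ADDR = 2    # 16-byte IPv6 multicast address
NTP_SUBOPTION_SRV_FQDN = 3   # DNS wire-format name, no compression (RFC 3315 s.8)


def decode_dns_name(wire: bytes) -> str:
    """Decode an uncompressed DNS wire-format name into dotted text."""
    labels = []
    off = 0
    while off < len(wire):
        n = wire[off]
        off += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("compression pointers are not allowed here")
        labels.append(wire[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels)


def parse_ntp_server_option(data: bytes) -> list:
    """Walk the sub-options of OPTION_NTP_SERVER and return (kind, value) pairs."""
    entries = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated sub-option body")
        off += length
        if code in (NTP_SUBOPTION_SRV_ADDR, NTP_SUBOPTION_MC_ADDR):
            if length != 16:
                raise ValueError("address sub-option must be 16 bytes")
            entries.append(("addr", str(ipaddress.IPv6Address(body))))
        elif code == NTP_SUBOPTION_SRV_FQDN:
            entries.append(("fqdn", decode_dns_name(body)))
        else:
            entries.append(("unknown", body))   # keep unknown codes, do not fail
    return entries


def usable_without_dns(entries: list) -> list:
    """Servers reachable before DNS (and hence DNSSEC) works: literal addresses only."""
    return [value for kind, value in entries if kind == "addr"]


# Constructed option payload: one address sub-option and one FQDN sub-option.
_FQDN_WIRE = b"\x03ntp\x07example\x03com\x00"
SAMPLE_NTP_OPTION = (
    struct.pack("!HH", NTP_SUBOPTION_SRV_ADDR, 16)
    + ipaddress.IPv6Address("2001:db8::123").packed
    + struct.pack("!HH", NTP_SUBOPTION_SRV_FQDN, len(_FQDN_WIRE))
    + _FQDN_WIRE
)

if __name__ == "__main__":
    print("device clock  :", rrsig_window_status(SIG_INCEPTION, SIG_EXPIRATION, DEVICE_CLOCK))
    print("DHCP time     :", rrsig_window_status(SIG_INCEPTION, SIG_EXPIRATION, DHCP_TIME))
    entries = parse_ntp_server_option(SAMPLE_NTP_OPTION)
    print("NTP entries   :", entries)
    print("usable w/o DNS:", usable_without_dns(entries))
```

Run as a script, the first two lines show the same signature reported as "not yet valid" under the device's epoch clock and "valid" once the DHCP-supplied time is used; the last line shows that only the address sub-option survives as a server the device can contact before DNS is available, which is the gap between the existing NTP option and the proposed time option that the message points at.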