Re: [dhcwg] Deployment consideration for SeDHCPv6
神明達哉 <jinmei@wide.ad.jp> Fri, 06 June 2014 18:51 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 894741A016C for <dhcwg@ietfa.amsl.com>; Fri, 6 Jun 2014 11:51:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8l2ujaFfUHd8 for <dhcwg@ietfa.amsl.com>; Fri, 6 Jun 2014 11:51:54 -0700 (PDT)
Received: from mail-we0-x233.google.com (mail-we0-x233.google.com [IPv6:2a00:1450:400c:c03::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 425BB1A0156 for <dhcwg@ietf.org>; Fri, 6 Jun 2014 11:51:54 -0700 (PDT)
Received: by mail-we0-f179.google.com with SMTP id q59so3242522wes.38 for <dhcwg@ietf.org>; Fri, 06 Jun 2014 11:51:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=wBGO4awlAT/3Gp7dp2Wqf4ReOgwKQOmNBbvh7OlCYIY=; b=WcazypuPortMqlguMhbkDFx5V5FWdgdRUb9lF3Osg6ikxGSblFYWsR3Fm16Jvn5QQB nsMCblKVqR5cJX0Wdj81jCDy371v+869Uzv5+BOqQaNVgFcYU+qKuKIXWtPOut9jiLHh ZEYDafNcOh2tWof0OSlUc/jpwfapNpIQGRL6BPiysWRLEvi83dn7mUdDZ7FQGDD39bsa URc7X9PEihOyhBbUJ64q5LxL2manesuGY7GElYVMYrM+Pn6Ra3rNFyIJNhhUbhXj1EcX M5hyvqCRB70q6+YzhVH9NXvJ1uaSfwtalMsPUDoOR+SYfzhoHM7vvl1ZenXxi4QUap7L Irug==
MIME-Version: 1.0
X-Received: by 10.194.57.225 with SMTP id l1mr9703038wjq.25.1402080706227; Fri, 06 Jun 2014 11:51:46 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.222.7 with HTTP; Fri, 6 Jun 2014 11:51:46 -0700 (PDT)
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B923AE891C2@nkgeml512-mbx.china.huawei.com>
References: <535FEDAD.5010103@gmail.com> <5388F901.1000709@gmail.com> <78B235AF-D94C-40F1-9C76-4159B3A0A043@nominum.com> <CAJE_bqf4UZeFifHMhM=Vo2X66+ab7cnhb19K-XD_+_pr7-VS1A@mail.gmail.com> <FF49B4DE-E45F-4FF7-9C2D-5FA72FE66A4D@gmail.com> <C7C8884E-499D-4B55-B978-8D7A4D21EE3C@nominum.com> <5D36713D8A4E7348A7E10DF7437A4B923AE88462@nkgeml512-mbx.china.huawei.com> <5D36713D8A4E7348A7E10DF7437A4B923AE891C2@nkgeml512-mbx.china.huawei.com>
Date: Fri, 06 Jun 2014 11:51:46 -0700
X-Google-Sender-Auth: 4cjidjLINS23WNIFged4EBQf28Q
Message-ID: <CAJE_bqfJmdeTXwZNYx2XcLeMOJ2DhBkzXTQ61S8q4s=PL-28dA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Sheng Jiang <jiangsheng@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/c22Tb2bG9OhsklcLlvFPIIuAsO8
Cc: dhcwg <dhcwg@ietf.org>, Ted Lemon <ted.lemon@nominum.com>, Ralph Droms <rdroms.ietf@gmail.com>
Subject: Re: [dhcwg] Deployment consideration for SeDHCPv6
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 18:51:56 -0000
At Thu, 5 Jun 2014 09:38:41 +0000, Sheng Jiang <jiangsheng@huawei.com> wrote: > The below text is the proposal from SeDHCPv6 authors in order to > clarify the applicability. We plan to add these text, of course > after reaching consensus in the mail list, into the next update > version. Any comments are appreciated. The proposed text seems to be almost a minor revise of my outline I showed on the list, so I guess Ted would still complain that it's incomplete:-). I'm not sure how much we should be "complete" in this document (especially if we wouldn't like to make the document a kitchen sink), but I'll show my own try below. Not intending to push this particular text, but I thought I'm responsible for providing something more concrete as someone who keeps raising the point. X. Deployment consideration This document defines two levels of authentication: full authentication based on certificate or pre-shared key verification and weaker authentication based on leap-of-faith (LoF). As a mechanism, both levels can be applied on servers and clients. Depending on the details of expected threats and other constraints, some cases may have limited applicability. This section discusses such details. X.1 Authentication on a client For clients, DHCP authentication generally means authenticating the server (the sender of DHCP messages) and verifying message integrity. This is satisfied with full authentication. Due to the configuration overhead, however, full authentication may not always be feasible. It would still be viable in a controlled environment with skilled stuff, such as a corporate intranet. If LoF is used, message integrity is provided but there is a chance for the client to incorrectly trust a malicious server at the beginning of the first session with the server (and therefore keep trusting it thereafter). But LoF guarantees the subsequent messages are sent by the same server that sent the public key, and therefore narrows the attack scope. This may make sense if the network can be reasonably considered secure and requesting pre-configuration is deemed to be infeasible. A small home network would be an example of such cases. For environments that are neither controlled nor really trustworthy, such as a network cafe, full authentication wouldn't be feasible due to configuration overhead, while pure LoF, i.e. silently trusting the server at the first time, would be too insecure. But some middleground might be justified, such as requiring human intervention at the point of LoF. X.2 Authentication on a server As for authentication on a server, there are several different scenarios to consider, each of which has different applicability issues. A server may have to selectively serve a specific client or deny specific clients depending on the identify of the client. This will require full authentication, since if the server allows LoF any malicious user can pretend to be a new legitimate client. Also, the use of certification wouldn't be feasible in this case, since it's less likely for all such clients to have valid (and generally different) certificates. So the applicable case may be limited, but a controlled environment with skilled stuff and a specifically expected set of clients such as a corporate intranet may still find it useful and viable. A server can prevent an attack on the DHCP session with an existing client from a malicious client, e.g., by sending a bogus Release message: the server would remember the original client's public key at the beginning of the DHCP session and authenticate subsequent messages (and their sender). Neither full authentication nor LoF is needed for this purpose, since the server does not have to trust the public key itself. So this can be generally used for any usage of DHCP. A server can prevent an attack by a malicious client that pretends to be a valid past client and tries to establish a new DHCP session (whether this is a real security threat may be a subject of debate, but this is probably at least annoying). This is similar to the first scenario, but full authentication may not necessarily be required; since the purpose is to confirm a returning client has the same identify as a valid past client, the server only has to remember the client's public key at the first time. So LoF can be used at the risk of allowing a malicious client to mount this attack before the initial session with a valid client. An uncontrolled, but reasonable reliable network like a home network may use this defense with LoF. -- JINMEI, Tatuya
- [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Res… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Liubing (Leo)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Declan Ma
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Bernie Volz (volz)
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… liuzilong8266
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ted Lemon
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Sheng Jiang
- [dhcwg] WGLC summary for draft-ietf-dhc-sedhcpv6-… Tomek Mrugalski
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… 神明達哉
- Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 -… Ralph Droms
- [dhcwg] Deployment consideration for SeDHCPv6 Sheng Jiang
- Re: [dhcwg] Deployment consideration for SeDHCPv6 神明達哉
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Ralph Droms
- Re: [dhcwg] Deployment consideration for SeDHCPv6 神明達哉
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Sheng Jiang
- Re: [dhcwg] Deployment consideration for SeDHCPv6 Ralph Droms