re: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"
"CTO YAN Renxiang" <Renxiang.Yan@alcatel-sbell.com.cn> Fri, 16 December 2005 03:23 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1En6Br-0004ko-UE; Thu, 15 Dec 2005 22:23:28 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1En6Bn-0004kf-Ht for dhcwg@megatron.ietf.org; Thu, 15 Dec 2005 22:23:23 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA24267 for <dhcwg@ietf.org>; Thu, 15 Dec 2005 22:22:22 -0500 (EST)
Received: from nat1.alcatel-sbell.com.cn ([202.96.203.177] helo=mail.alcatel-sbell.com.cn) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1En6DG-0003Ud-WE for dhcwg@ietf.org; Thu, 15 Dec 2005 22:24:57 -0500
Received: from asbmail4.sbell.com.cn (localhost [127.0.0.1]) by mail.alcatel-sbell.com.cn (8.12.11/8.12.11/Alcanet1.0) with ESMTP id jBG3M5G3009036; Fri, 16 Dec 2005 11:22:07 +0800
Received: from asbmail2.sbell.com.cn ([172.24.208.62]) by asbmail4.sbell.com.cn with Microsoft SMTPSVC(5.0.2195.6713); Fri, 16 Dec 2005 11:21:53 +0800
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: quoted-printable
Subject: re: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"
Date: Fri, 16 Dec 2005 11:21:53 +0800
Message-ID: <9570C1261494D54D9D3115BC2C83429A0BB792@asbmail2.sbell.com.cn>
Thread-Topic: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"
Thread-Index: AcYBXF8uZoBCziNqQZeMWANE/G5DJAAfmy0g
From: CTO YAN Renxiang <Renxiang.Yan@alcatel-sbell.com.cn>
To: Francis.Dupont@enst-bretagne.fr
X-OriginalArrivalTime: 16 Dec 2005 03:21:53.0940 (UTC) FILETIME=[DCC5CD40:01C601EF]
X-imss-version: 2.034
X-imss-result: Passed
X-imss-approveListMatch: *@alcatel-sbell.com.cn
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Content-Transfer-Encoding: quoted-printable
Cc: dhcwg@ietf.org, volz@cisco.com
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
Please see inline. > In your previous mail you wrote: > > I am still wondering about the issue of security. I want to say some > extra words to clarify. > > Suppose a case where some home devices connecte to access network > through a home gateway, and home gateway includes an embedding DHCP > server, DNS server, and DHCP client (which used to get IPv6 prefix and > "domain suffix" from access gateway, i.e. BRAS). > > => you should split the update issue into direct tree and reverse tree updates: > - for the direct tree there is no need at all to use a "domain > suffix" related to the ISP, so the home network can (should!) be > made autonomous and obviously the DHPC client on the home gateway > can only use the "domain prefix" for the name of its interface to > the ISP... a very marginal issue. > - for the reverse tree its base can be derived from the delegated > prefix so I don't understand what is the "domain suffix" for > in this context. > So I can't see any security issue. > > The DNS update security issues may exist in the following > procedures: > > (1) DHCP server in home gateway perform DNS update to > local DNS server > > => what is the local DNS server? Local DNS server is the DNS server in home gateway. > > for home devices using FQDNv6 option. The security issues has been > mentioned in FQDNv6 option, as follows, > > Unauthenticated updates to the DNS can lead to > tremendous confusion, > through malicious attack or through inadvertent > misconfiguration. > Administrators should be wary of permitting unsecured > DNS updates to > zones which are exposed to the global Internet. Both > DHCPv6 clients > and servers SHOULD use some form of update request origin > authentication procedure (e.g., Secure DNS Dynamic > Update [10]) when > performing DNS updates. > > => but the FQDNv6 option has nothing to do with dynamic DNS updates > so this text should be removed. I meant FQDNv6 option is used to update DNS with the associated AAAA and PTR RRs for DHCPv6 clients. > > (2) In order to "link" two DNS server, home gateway's DNS > server and Up-level DNS server, > > => why do you want to link them? Delegation of prefixes and delegation > of direct domains have only in common the word "delegation"! I am not expert in DNS, I meant to said, to make hosts in home network be accessed using Domain name from outside network, we need to add a NS record in ISP's DNS server for the DNS server in home gateway. > home gateway need to perform DNS update to up-level > DNS server by adding a NS record in it. There DOES exist > security issue > here. This can be solved using different way. I prefer it > piggybacked by > DHCP session between home gateway and access node, beacuse > DHCP session > is secure, home gateway should be authenticated before (or > along with) > initating DHCP session. > > => two (other) comments: > - you can't create a zone with a dynamic DNS update > - DHCP is not the right tool to perform any authentication in this > context, the authentication is done by the NAS and DHCP > relies on this > using a mix of: > draft-ietf-dhc-v6-relay-radius-01.txt > draft-salowey-radext-delegated-prefix-01.txt > draft-droms-dhc-dhcpv6-agentopt-delegate-00.txt Thanks, I'll digest these draft. I believe it's helpful for me in writing another draft on how to use the domain suffix option. Anyway, I think the "DNS update" issues is resolved by now. I'll update the draft and request for another WGLC. > Regards > > Francis.Dupont@enst-bretagne.fr > _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] dhc WG last call on "Domain Suffix Option… Stig Venaas
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Stig Venaas
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- [dhcwg] dhc WG last call on "Domain Suffix Option… Stig Venaas
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Stig Venaas