IETF Logo Mail Archive

Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!

Mark Stapp <mjs@cisco.com> Wed, 09 July 2008 13:43 UTC

Return-Path: <dhcwg-bounces@ietf.org>
X-Original-To: dhcwg-archive@megatron.ietf.org
Delivered-To: ietfarch-dhcwg-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE6FE3A6A86; Wed, 9 Jul 2008 06:43:04 -0700 (PDT)
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D36473A68DB for <dhcwg@core3.amsl.com>; Wed, 9 Jul 2008 06:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v40-3FJhduKI for <dhcwg@core3.amsl.com>; Wed, 9 Jul 2008 06:43:02 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 50F2B3A6950 for <dhcwg@ietf.org>; Wed, 9 Jul 2008 06:43:02 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.30,331,1212364800"; d="scan'208";a="13655437"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-1.cisco.com with ESMTP; 09 Jul 2008 13:43:12 +0000
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m69DhC9D006086; Wed, 9 Jul 2008 09:43:12 -0400
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by rtp-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m69DhCJ6011811; Wed, 9 Jul 2008 13:43:12 GMT
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 9 Jul 2008 09:43:12 -0400
Received: from [10.86.240.3] ([10.86.240.3]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 9 Jul 2008 09:43:11 -0400
Message-ID: <4874C06F.5090302@cisco.com>
Date: Wed, 09 Jul 2008 09:43:11 -0400
From: Mark Stapp <mjs@cisco.com>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Sheng Jiang <shengjiang@huawei.com>
References: <000f01c8ddb4$23370800$6a0c6f0a@china.huawei.com>
In-Reply-To: <000f01c8ddb4$23370800$6a0c6f0a@china.huawei.com>
X-OriginalArrivalTime: 09 Jul 2008 13:43:11.0871 (UTC) FILETIME=[BACCA8F0:01C8E1C9]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4159; t=1215610992; x=1216474992; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mjs@cisco.com; z=From:=20Mark=20Stapp=20<mjs@cisco.com> |Subject:=20Re=3A=20[dhcwg]=20A=20new=20draft=20of=20draft- jiang-dhc-secure-dhcpv6=20is=20submitted.=0A=20Comments=20ar e=20welcome! |Sender:=20 |To:=20Sheng=20Jiang=20<shengjiang@huawei.com>; bh=4ZuyC0rJc2wfIKkA4LheL4eG2ynO9zMHcOlno6Y9iM8=; b=MrZBmFLaHathabcAfPjECoDHoAwM/Zru32YdG3M9xvjr5ggwrgAr/mznz5 OVsJ4pwoevIzQOI1Fm9AFw/LKQ/C+KykmXIkOxNz925bgBg5dMYiA5QGKB40 q5NN2bOPof;
Authentication-Results: rtp-dkim-2; header.From=mjs@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

Hello,

it's certainly worthwhile to explore use of asymmetric keys to secure 
dhcpv6, so it's helpful to see this work. but there are a number of 
issues with the details in this draft:

1. it's not clear why the existing extensible authentication option 
couldn't be used. I believe I could map everything proposed for the new 
"Signature Option" into the existing option, so I have to ask: why not 
do that? I suspect that you can make a case that it would be awkward to 
try to fit the CGA parameters data into the body of the authentication 
option, and so make the case for the new CGA params option. but I'd like 
to see that tradeoff discussed.

2. an important benefit of using the existing option and specification 
that supports it is that the text in rfc3315 is much more detailed and 
rigorous than the text in this draft. the 3315 text is clear and correct 
about the actual computations based on the structure of dhcpv6 messages. 
I don't think there'd be much benefit in extending this draft so that it 
duplicates that existing specification text. I'd much rather see a focus 
on the specifics of the steps required to produce and verify the 
key-pair-based hash and signatures.

2a. doing (2) would help get you out of thinking that you depend on the 
ordering of options - the text in 3315 is correct about that. I second 
Bernie's point that there's no need to require special ordering.

3. there are an unusual number of instances of direct quotation from 
RFCs. IMO, it's generally better to refer to RFCs because small quotes 
can be misleading without the context of an entire protocol. it's one 
thing to use quotations if you're trying to establish a clarification of 
the meaning of a specific passage, but I don't think that's what's 
happening here.

4. it would be more useful to describe a general-purpose way to use 
asymmetric key pairs. the only things specific about the CGA application 
as described here is the details of the use of the CGA parameters 
structure and the dependency on seeing the client's original IP source 
address. but isn't that really just a specialized case, that only 
extends the general case in a couple of ways?

5. do you intend this only to be used when DHCPv6 is used to convey 
configuration options? are there any differences required to support 
address configuration, or prefix delegation?

6. what happens in relayed environments - where the client's original IP 
source address is no longer visible to the DHCP server? is this just 
meant to be hop-by-hop integrity protection?

7. I don't see anything here about authorization. anyone who can 
generate a key pair can use this, right? so ... it's just message 
integrity protection? do you propose to configure clients with server or 
relay public keys? something like SEND, would it be interesting to 
authorize relays and servers via certs? or validate clients' keys with 
certs?

Thanks,
Mark

Sheng Jiang wrote:
> A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are 
> welcome!
>  
> Filename:    draft-jiang-dhc-secure-dhcpv6
> Version:    00
> Staging URL:    
> http://www3.ietf.org/proceedings/staging/draft-jiang-dhc-secure-dhcpv6-00.txt
> Title:     Secure DHCPv6 Using CGAs
> Creation_date:    2008-07-04
> WG ID:     Indvidual Submission
> Number_of_pages: 14
> Abstract:
> The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) enables DHCP 
> servers to pass configuration parameters. It offers configuration 
> flexibility. If not secured, DHCPv6 is vulnerable to various attacks  
> particularly fake attack. This document analyzes the security issues of 
> DHCPv6 and specifies security mechanisms, mainly using CGAs.
>  
> Best regards,
> 
> Sheng JIANG, Ph.D.
> 
> IP Research Department, Networking Research Department, Network Product 
> Line, Huawei Technologies Co. Ltd.
> 
>  
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email