IETF Logo Mail Archive

Re: [dhcwg] FW: RFC3315 question

"David W. Hankins" <David_Hankins@isc.org> Mon, 19 February 2007 23:09 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJHdE-0004CG-Cy; Mon, 19 Feb 2007 18:09:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJHdD-0004Av-NA for dhcwg@ietf.org; Mon, 19 Feb 2007 18:09:15 -0500
Received: from goliath.isc.org ([2001:4f8:3:bb::72]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HJHdA-0004xj-7w for dhcwg@ietf.org; Mon, 19 Feb 2007 18:09:15 -0500
Received: by goliath.isc.org (Postfix, from userid 10200) id 2DB1D5A6ED; Mon, 19 Feb 2007 15:08:51 -0800 (PST)
Date: Mon, 19 Feb 2007 15:08:51 -0800
From: "David W. Hankins" <David_Hankins@isc.org>
To: dhcwg@ietf.org
Subject: Re: [dhcwg] FW: RFC3315 question
Message-ID: <20070219230851.GD2628@isc.org>
References: <C1FB91F4.3AB2D%rdroms@cisco.com> <8E296595B6471A4689555D5D725EBB2103467C67@xmb-rtp-20a.amer.cisco.com> <39C363776A4E8C4A94691D2BD9D1C9A1017746F5@XCH-NW-7V2.nw.nos.boeing.com>
Mime-Version: 1.0
In-Reply-To: <39C363776A4E8C4A94691D2BD9D1C9A1017746F5@XCH-NW-7V2.nw.nos.boeing.com>
User-Agent: Mutt/1.5.9i
X-Spam-Score: -2.8 (--)
X-Scan-Signature: e8a67952aa972b528dd04570d58ad8fe
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0566098214=="
Errors-To: dhcwg-bounces@ietf.org

On Sat, Feb 17, 2007 at 11:38:12AM -0800, Templin, Fred L wrote:
> In particular, it might be useful to define
> a new DUID type that includes a client's public key such as
> required by RFC3972. The actual format of the DUID type is for
> further study, e.g., in addition to the public key it might be
> desireable to include a link-layer address, a timestamp, etc.

I think it's a fantastic idea.

If servers and clients could identify themselves with a public
key, then we could exchange greater varieties of configuration
information (which may require encryption) over an encapsulated
option.

The trust model for such exchanges would need some careful
thought, but on first inspection I see no reason why the SSH
model can't be adopted here (ask the operator, then cache the
key with link layer hints).


I've long wanted to experiment with public keys in DHCPv4
authentication...due to the size limitations in DHCPv4 payloads,
that's sent me down some ratholes I have vague notions for, but
nothing (yet) I wish to expose to the scrutiny of public review.

Since DHCPv4 now defines RFC3315 DUID's as client-identifier
contents (with the IAID prepended), I think there's a great
deal of good that could come from defining a method to transport
unique indexes to public keys, rather than the keys themselves,
in the DUID so that we could leverage the same mechanism for
both protocols (by writing a draft that lifts the DHCPv4 server
restriction that client identifiers be opaque).


I think there are some non-trivial challenges here, but any
effort down this path is worth our learning something from it.

-- 
ISC Training!  http://www.isc.org/training/  training@isc.org
Washington DC area, April 16-20 2007.  DNS & BIND, DDNS & DHCP.
-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		you'll just have to do it again."
Internet Systems Consortium, Inc.	-- Jack T. Hankins

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email