Re: [dhcwg] Deployment consideration for SeDHCPv6

Ralph Droms <rdroms.ietf@gmail.com> Thu, 19 June 2014 16:03 UTC

References: <535FEDAD.5010103@gmail.com> <5388F901.1000709@gmail.com> <78B235AF-D94C-40F1-9C76-4159B3A0A043@nominum.com> <CAJE_bqf4UZeFifHMhM=Vo2X66+ab7cnhb19K-XD_+_pr7-VS1A@mail.gmail.com> <FF49B4DE-E45F-4FF7-9C2D-5FA72FE66A4D@gmail.com> <C7C8884E-499D-4B55-B978-8D7A4D21EE3C@nominum.com> <5D36713D8A4E7348A7E10DF7437A4B923AE88462@nkgeml512-mbx.china.huawei.com> <5D36713D8A4E7348A7E10DF7437A4B923AE891C2@nkgeml512-mbx.china.huawei.com> <CAJE_bqfJmdeTXwZNYx2XcLeMOJ2DhBkzXTQ61S8q4s=PL-28dA@mail.gmail.com> <791EB108-E4E8-4A82-84BC-CB36E277CAC4@gmail.com> <CAJE_bqcOPzK_HJn=NGoVeNpqR8iOiz+aLHAFteOHHeX=fsOm1Q@mail.gmail.com>
In-Reply-To: <CAJE_bqcOPzK_HJn=NGoVeNpqR8iOiz+aLHAFteOHHeX=fsOm1Q@mail.gmail.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
Message-Id: <FF1E90C4-1E66-4C87-AA91-62A57245CA4E@gmail.com>
X-Mailer: iPhone Mail (11D201)
From: Ralph Droms <rdroms.ietf@gmail.com>
Date: Thu, 19 Jun 2014 12:03:18 -0400
To: 神明達哉 <jinmei@wide.ad.jp>
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/gAY4Z-GcJy9qe-_vP6VmTMyslQo
Cc: dhcwg <dhcwg@ietf.org>, Lemon Ted <ted.lemon@nominum.com>
Subject: Re: [dhcwg] Deployment consideration for SeDHCPv6


> On Jun 17, 2014, at 6:27 PM, 神明達哉 <jinmei@wide.ad.jp> wrote:
> 
> At Tue, 17 Jun 2014 13:15:39 -0400,
> Ralph Droms <rdroms.ietf@gmail.com> wrote:
> 
>> Jinmei-san - I have one question about your text.  Can you explain in a little more detail how the second and third examples of authentication on a server work, in which you say the server only has to remember the client's public key so neither full authentication nor LoF is required?
> 
> In the second example, the client sends its public key in Solicit, and
> the server remembers it during the DHCP session starting from that
> Solicit.  The server uses the public key to authenticate any
> subsequent message from that client (or anyone claiming to be that
> client) for that DHCP session.  I said LoF (let alone full
> authentication) isn't needed because when the server accepts and
> remembers the public key sent in the Solicit, it doesn't do so for the
> purpose of authenticating the Solicit itself.  It only remembers the
> public key to confirm that subsequent messages of the session are
> certainly sent from the same client as the one that sent the Solicit, and
> there's no "leap" here.

I see.  I missed the point that the messages still use the authentication option to prove that the messages come from the same source and to prove message integrity, but the source is not checked for authorization to use the server.

> 
> In the third example, I actually didn't say LoF isn't required.  Could
> the text read as if I did?

I reread the text.  You are right, it does not say LoF is not required.  I misread the text initially.

- Ralph
> 
> --
> JINMEI, Tatuya
> 
> p.s., I noticed one typo in the text, a kind only a non-native English
> user would make: s/stuff/staff/ below:
> 
>>> This is satisfied with full authentication.  Due to the configuration
>>> overhead, however, full authentication may not always be feasible.  It
>>> would still be viable in a controlled environment with skilled stuff,
>>> such as a corporate intranet.
> [...]
>>> different) certificates.  So the applicable case may be limited, but a
>>> controlled environment with skilled stuff and a specifically expected
>>> set of clients such as a corporate intranet may still find it useful
>>> and viable.
> 
> if we use any part of my suggested text, please correct these, authors.
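The second example discussed above (the server remembers the public key carried in the Solicit and uses it only to tie later messages of the same session to the same sender, without authenticating or authorizing the client) can be shown as a small model. The following Go program is an added illustration written for this archive page; it is not code from the SeDHCPv6 draft, from Jinmei's text, or from any DHCP implementation. It assumes Ed25519 signatures, a constructed message structure (type, DUID, optional public key, body, signature), and sessions keyed by client DUID; real SeDHCPv6 option formats and session scoping are more involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// MsgType is a constructed subset of DHCPv6 message types.
type MsgType int

const (
	Solicit MsgType = iota
	Request
	Renew
)

// Message is a simplified DHCPv6 message (constructed model, not the real
// wire format): the client's DUID, the public key carried only in Solicit,
// the body and a signature over type, DUID, key and body.
type Message struct {
	Type      MsgType
	DUID      string
	PublicKey ed25519.PublicKey
	Body      []byte
	Signature []byte
}

var (
	ErrBadSolicit     = errors.New("solicit does not carry a usable public key")
	ErrUnknownSession = errors.New("no Solicit seen from this DUID in the current session")
	ErrBadSignature   = errors.New("signature does not verify under the key remembered from Solicit")
)

// signingInput binds the signature to every field that matters, so a
// signed body cannot be replayed under another type or DUID.
func signingInput(m Message) []byte {
	return []byte(fmt.Sprintf("%d|%s|%x|%s", m.Type, m.DUID, []byte(m.PublicKey), m.Body))
}

// Server remembers one public key per client session. Keying by DUID is an
// assumption of this model; a real server would also track transaction and lease state.
type Server struct {
	sessions map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{sessions: make(map[string]ed25519.PublicKey)}
}

// Handle applies the "remember the key from Solicit" rule. A Solicit is not
// checked against any prior knowledge and carries no authorization decision:
// the server only confirms the sender can sign with the key it offers, then
// remembers that key. Every later message must verify under the remembered
// key, which proves it comes from whoever sent the Solicit, nothing more.
func (s *Server) Handle(m Message) error {
	if m.Type == Solicit {
		if len(m.PublicKey) != ed25519.PublicKeySize ||
			!ed25519.Verify(m.PublicKey, signingInput(m), m.Signature) {
			return ErrBadSolicit
		}
		s.sessions[m.DUID] = m.PublicKey
		return nil
	}
	pk, ok := s.sessions[m.DUID]
	if !ok {
		return ErrUnknownSession
	}
	if !ed25519.Verify(pk, signingInput(m), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Client holds a freshly generated Ed25519 key pair for one DHCP session.
type Client struct {
	DUID string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewClient(duid string) (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{DUID: duid, pub: pub, priv: priv}, nil
}

// Send builds a signed message; only a Solicit carries the public key.
func (c *Client) Send(t MsgType, body string) Message {
	m := Message{Type: t, DUID: c.DUID, Body: []byte(body)}
	if t == Solicit {
		m.PublicKey = c.pub
	}
	m.Signature = ed25519.Sign(c.priv, signingInput(m))
	return m
}

func main() {
	srv := NewServer()
	alice, _ := NewClient("duid-alice")
	fmt.Println("solicit:", srv.Handle(alice.Send(Solicit, "solicit")))
	fmt.Println("request:", srv.Handle(alice.Send(Request, "request")))
	// Same DUID, different key: cannot continue alice's session.
	impostor, _ := NewClient("duid-alice")
	fmt.Println("impostor renew:", srv.Handle(impostor.Send(Renew, "renew")))
	// No Solicit seen: nothing to verify against.
	stranger, _ := NewClient("duid-stranger")
	fmt.Println("stranger renew:", srv.Handle(stranger.Send(Renew, "renew")))
}
```

The point of the model is what the server does not do: it never decides whether the key in the Solicit belongs to a client allowed to use the server, so there is no leap of faith about identity. What it gains is session continuity and message integrity: a second sender reusing the same DUID with a different key is rejected, as is any message for a session the server never saw a Solicit for.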