RE: [dhcwg] IPsec for DHCPv6 client ?
"Bound, Jim" <Jim.Bound@hp.com> Wed, 11 September 2002 04:16 UTC
Subject: RE: [dhcwg] IPsec for DHCPv6 client ?
Date: Wed, 11 Sep 2002 00:12:25 -0400
Message-ID: <9C422444DE99BC46B3AD3C6EAFC9711B02BE91AE@tayexc13.americas.cpqcorp.net>
Thread-Topic: [dhcwg] IPsec for DHCPv6 client ?
From: "Bound, Jim" <Jim.Bound@hp.com>
To: Ted Lemon <Ted.Lemon@nominum.com>, Jean-Mickael Guerin <jean-mickael.guerin@6wind.com>
Cc: dhcwg@ietf.org
To add to this, dhcpv6 is multicast based. That doesn't work too well with IPsec. We still have not figured that out.

/jim

> -----Original Message-----
> From: Ted Lemon [mailto:Ted.Lemon@nominum.com]
> Sent: Tuesday, September 10, 2002 4:21 AM
> To: Jean-Mickael Guerin
> Cc: dhcwg@ietf.org
> Subject: Re: [dhcwg] IPsec for DHCPv6 client ?
>
> > My point concerns the possibility of using IPsec in a scenario where
> > DHCP Authentication is proposed. Because DHCP Authentication relies on
> > a shared secret, I think the draft should have a section about this,
> > even if it would be limited to client and relays or client and server
> > on the same link.
>
> Your reasoning is flawed. IPsec is not shared-secret authentication.
> It is an entire security infrastructure, carefully designed to solve a
> certain class of problems. It happens to support the use of
> shared-secret authentication, among other authentication schemes. The
> DHCP security option also supports shared-secret authentication. This
> is nothing more than a coincidence - it does not mean that DHCP
> security can work with IPsec.
>
> The DHCP server and clients need to see packets with "bad"
> authentication keys in order for DHCP authentication to work, because
> they can't really prepare in advance for all the possible uses of keys
> by roaming clients and servers in locations to which they may roam.
> If the packet is signed with the wrong key with IPsec, it will simply
> be dropped by the DHCP agent's IP stack. This is not what we want.
>
> Intuitively it seems obvious that one should use IPsec for DHCP
> authentication. Personally, I'd *love* to be able to claim that IPsec
> was a solution to securing DHCP transactions. But this working group
> has a long history of trying to solve this problem with IPsec. Every
> time we've tried to figure out a good way to do it, we've come up
> either with nothing, or with an unworkable kludge. So there's a good
> reason why we didn't do it - it's not an oversight.
>
> If you think that there is a way to make IPsec work with DHCP
> authentication, please take the extra time to actually sit down and
> reason it through before insisting that we make changes. What happens
> when a server sees a new client for the first time? What happens when
> a client that's got a security association with a server at one site
> roams to a different site? Does the server at the other site even see
> packets from that client? How does it get them? How does all this
> work with relay agents? Like it or not, DHCP *requires* relay agents,
> so the protocol has to work when the DHCP client is talking to a relay
> agent rather than a server. If you put the signature in the payload,
> all these problems go away. That's why we've put the signature in the
> payload.
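The argument in the quoted message (a DHCP agent must be able to see and parse a message carrying an unknown or wrong key, which an IPsec stack would discard before the agent ever gets it) can be shown with a toy model. This is an added illustration, not code from the thread or from any DHCP implementation: the message layout is a simplified version of the DHCPv6 authentication option (option code 11, delayed authentication with HMAC-MD5, realm field omitted), the IPsec side is reduced to a single-SA integrity check, and all keys, key ids and DUIDs are constructed sample values.

```python
import hmac
import hashlib
import struct

OPTION_CLIENTID = 1    # DHCPv6 client identifier option
OPTION_AUTH = 11       # DHCPv6 authentication option
MAC_LEN = 16           # HMAC-MD5 digest length carried in the option
AUTH_HDR = 15          # protocol(1) algorithm(1) RDM(1) replay-counter(8) key-id(4); realm omitted (simplification)

def build_solicit(xid: int, duid: bytes, key_id: int, key: bytes) -> bytes:
    """SOLICIT (msg-type 1) with a client-id option and an in-payload HMAC over the whole message."""
    client_id = struct.pack("!HH", OPTION_CLIENTID, len(duid)) + duid
    auth_info = struct.pack("!BBBQI", 2, 1, 0, 0, key_id)  # protocol 2 = delayed auth, algorithm 1 = HMAC-MD5, RDM 0
    unsigned = (bytes([1]) + xid.to_bytes(3, "big") + client_id
                + struct.pack("!HH", OPTION_AUTH, AUTH_HDR + MAC_LEN) + auth_info + bytes(MAC_LEN))
    # MAC is computed with the MAC field zeroed, then written into that field
    return unsigned[:-MAC_LEN] + hmac.new(key, unsigned, hashlib.md5).digest()

def parse_options(msg: bytes) -> dict:
    """Map option code -> (offset of option data, option data)."""
    opts, i = {}, 4
    while i + 4 <= len(msg):
        code, length = struct.unpack("!HH", msg[i:i + 4])
        opts[code] = (i + 4, msg[i + 4:i + 4 + length])
        i += 4 + length
    return opts

def dhcp_server_receive(msg: bytes, keyring: dict) -> dict:
    """In-payload design: the agent parses first, so it knows who sent the message even with no matching key."""
    opts = parse_options(msg)
    duid = opts[OPTION_CLIENTID][1]
    off, auth = opts[OPTION_AUTH]
    key_id = struct.unpack("!I", auth[11:15])[0]
    key = keyring.get(key_id)
    if key is None:  # unknown key: message still parsed, server can log it or answer unauthenticated
        return {"duid": duid, "key_id": key_id, "status": "unknown-key"}
    mac_off = off + AUTH_HDR
    zeroed = msg[:mac_off] + bytes(MAC_LEN) + msg[mac_off + MAC_LEN:]
    ok = hmac.compare_digest(hmac.new(key, zeroed, hashlib.md5).digest(), msg[mac_off:mac_off + MAC_LEN])
    return {"duid": duid, "key_id": key_id, "status": "authenticated" if ok else "bad-mac"}

def make_icv(sa_key: bytes, payload: bytes) -> bytes:
    """Integrity check value a sender attaches under the IPsec-style design (toy: HMAC-SHA256 over the payload)."""
    return hmac.new(sa_key, payload, hashlib.sha256).digest()

def ipsec_stack_receive(payload: bytes, icv: bytes, sa_key: bytes):
    """IPsec-style design: the stack checks against the one SA it holds and drops on mismatch; the DHCP agent never sees it."""
    return payload if hmac.compare_digest(make_icv(sa_key, payload), icv) else None
```

With the payload signature, a roamed client using its home-site key id 42 reaches a server that only holds key id 7 as a parsed message with a known DUID and an "unknown-key" verdict; under the single-SA stack the same packet is simply gone.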