RE: [dhcwg] IPsec for DHCPv6 client ?
"Bound, Jim" <Jim.Bound@hp.com> Wed, 11 September 2002 04:16 UTC
Subject: RE: [dhcwg] IPsec for DHCPv6 client ?
Date: Wed, 11 Sep 2002 00:12:25 -0400
From: "Bound, Jim" <Jim.Bound@hp.com>
To: Ted Lemon <Ted.Lemon@nominum.com>, Jean-Mickael Guerin <firstname.lastname@example.org>
To add to this, dhcpv6 is multicast based. That doesn't work too well with IPsec. We still have not figured that out.

/jim

> -----Original Message-----
> From: Ted Lemon [mailto:Ted.Lemon@nominum.com]
> Sent: Tuesday, September 10, 2002 4:21 AM
> To: Jean-Mickael Guerin
> Cc: email@example.com
> Subject: Re: [dhcwg] IPsec for DHCPv6 client ?
>
> > My point concerns the possibility of using IPsec in scenario where
> > DHCP Authentication is proposed. Because DHCP Authentication relies on
> > shared secret, I think the draft should have a section about this,
> > even if it would be limited to client and relays or client and server
> > on same link.
>
> Your reasoning is flawed. IPsec is not shared-secret authentication.
> It is an entire security infrastructure, carefully designed to solve a
> certain class of problems. It happens to support the use of
> shared-secret authentication, among other authentication schemes. The
> DHCP security option also supports shared-secret authentication. This
> is nothing more than a coincidence - it does not mean that DHCP
> security can work with IPsec.
>
> The DHCP server and clients need to see packets with "bad"
> authentication keys in order for DHCP authentication to work, because
> they can't really prepare in advance for all the possible uses of keys
> by roaming clients and servers in locations to which they may roam.
> If the packet is signed with the wrong key with IPsec, it will simply
> be dropped by the DHCP agent's IP stack. This is not what we want.
>
> Intuitively it seems obvious that one should use IPsec for DHCP
> authentication. Personally, I'd *love* to be able to claim that IPsec
> was a solution to securing DHCP transactions. But this working group
> has a long history of trying to solve this problem with IPsec. Every
> time we've tried to figure out a good way to do it, we've come up
> either with nothing, or with an unworkable kludge. So there's a good
> reason why we didn't do it - it's not an oversight.
>
> If you think that there is a way to make IPsec work with DHCP
> authentication, please take the extra time to actually sit down and
> reason it through before insisting that we make changes. What happens
> when a server sees a new client for the first time? What happens when
> a client that's got a security association with a server at one site
> roams to a different site? Does the server at the other site even see
> packets from that client? How does it get them? How does all this
> work with relay agents? Like it or not, DHCP *requires* relay agents,
> so the protocol has to work when the DHCP client is talking to a relay
> agent rather than a server. If you put the signature in the payload,
> all these problems go away. That's why we've put the signature in the
> payload.

_______________________________________________
dhcwg mailing list
email@example.com
https://www1.ietf.org/mailman/listinfo/dhcwg
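The following is an added illustration of the point argued in the quoted message, not code from the thread, from the DHC working group, or from any DHCP implementation. It is a toy model, not the DHCPv6 or RFC 3118 wire format: a client puts a keyed MAC inside the message payload, a relay wraps the message without needing any key, and the server looks the key up by client identity and can still see (log, reject at the application layer, or apply a fallback policy to) a message whose key it does not recognise. The contrasting function models a network-layer security association check, where a packet that fails the check is discarded before the DHCP agent is ever invoked. All names, keys and message contents are constructed for the example.

```python
"""Toy model of payload authentication versus network-layer authentication.

Constructed example; not the DHCPv6 message format and not any real
DHCP or IPsec implementation.  HMAC-SHA256 is used only because it is
a convenient keyed MAC for the illustration.
"""
import hashlib
import hmac
from typing import Optional

# Hypothetical per-client keys the server has provisioned (constructed).
SERVER_KEYS = {
    b"client-A": b"secret-A",
}


def _mac(key: bytes, client_id: bytes, body: bytes) -> bytes:
    """Keyed MAC over the client identity and the message body."""
    return hmac.new(key, client_id + b"|" + body, hashlib.sha256).digest()


def client_sign(client_id: bytes, body: bytes, key: bytes) -> dict:
    """Client builds a message and places the MAC inside the payload."""
    return {"client_id": client_id, "body": body, "mac": _mac(key, client_id, body)}


def relay_forward(msg: dict, link_addr: str) -> dict:
    """Relay wraps the client message unchanged.

    The relay needs no key: the authenticator travels inside the payload,
    so re-encapsulation on the way to the server does not disturb it."""
    return {"relay_link": link_addr, "inner": msg}


def server_receive(wrapped: dict) -> str:
    """Server unwraps the relayed message and verifies the payload MAC.

    A message from an unknown client, or one carrying a bad MAC, is still
    delivered to the server: it can be logged and handled by policy rather
    than silently vanishing below the application layer."""
    msg = wrapped["inner"]
    key = SERVER_KEYS.get(msg["client_id"])
    if key is None:
        return "unknown-client"          # seen, but no key on file for it
    expected = _mac(key, msg["client_id"], msg["body"])
    if hmac.compare_digest(expected, msg["mac"]):
        return "authenticated"
    return "bad-mac"                     # seen, verification failed


def ipsec_stack_receive(packet: dict, sa_key: bytes) -> Optional[str]:
    """Contrast: a model of a network-layer SA check in the IP stack.

    The packet carries a MAC computed by the sender under its own SA key.
    If the receiver's SA key differs, the stack drops the packet and the
    DHCP agent above it never sees anything (modelled as None)."""
    expected = hmac.new(sa_key, packet["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["mac"]):
        return None                      # dropped before the DHCP agent runs
    return "delivered-to-dhcp-agent"


def ipsec_send(body: bytes, sa_key: bytes) -> dict:
    """Sender side of the network-layer model (constructed)."""
    return {"body": body, "mac": hmac.new(sa_key, body, hashlib.sha256).digest()}


if __name__ == "__main__":
    good = relay_forward(client_sign(b"client-A", b"SOLICIT", b"secret-A"), "link-1")
    print(server_receive(good))                                            # authenticated
    roamer = relay_forward(client_sign(b"client-B", b"SOLICIT", b"secret-B"), "link-2")
    print(server_receive(roamer))                                          # unknown-client
    print(ipsec_stack_receive(ipsec_send(b"SOLICIT", b"site-1-key"), b"site-2-key"))  # None
```

The three server outcomes are the defender's view of the argument: with the authenticator in the payload, a relayed message from a client the server has never met is an event it can observe and act on, whereas in the network-layer model the same mismatch is a silent drop.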