RE: [dhcwg] IPsec for DHCPv6 client ?

"Bound, Jim" <Jim.Bound@hp.com> Wed, 11 September 2002 04:16 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA04458 for <dhcwg-archive@odin.ietf.org>; Wed, 11 Sep 2002 00:16:56 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id g8B4IGn10895 for dhcwg-archive@odin.ietf.org; Wed, 11 Sep 2002 00:18:16 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8B4IGv10892 for <dhcwg-web-archive@optimus.ietf.org>; Wed, 11 Sep 2002 00:18:16 -0400
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA04445 for <dhcwg-web-archive@ietf.org>; Wed, 11 Sep 2002 00:16:26 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8B4DRv10657; Wed, 11 Sep 2002 00:13:27 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8B4CZv10622 for <dhcwg@optimus.ietf.org>; Wed, 11 Sep 2002 00:12:35 -0400
Received: from zmamail03.zma.compaq.com (zmamail03.zma.compaq.com [161.114.64.103]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA04382 for <dhcwg@ietf.org>; Wed, 11 Sep 2002 00:10:45 -0400 (EDT)
Received: from tayexg11.americas.cpqcorp.net (tayexg11.americas.cpqcorp.net [16.103.130.96]) by zmamail03.zma.compaq.com (Postfix) with ESMTP id 5F45765B4; Wed, 11 Sep 2002 00:12:26 -0400 (EDT)
Received: from tayexc13.americas.cpqcorp.net ([16.103.130.26]) by tayexg11.americas.cpqcorp.net with Microsoft SMTPSVC(5.0.2195.2966); Wed, 11 Sep 2002 00:12:26 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: [dhcwg] IPsec for DHCPv6 client ?
Date: Wed, 11 Sep 2002 00:12:25 -0400
Message-ID: <9C422444DE99BC46B3AD3C6EAFC9711B02BE91AE@tayexc13.americas.cpqcorp.net>
Thread-Topic: [dhcwg] IPsec for DHCPv6 client ?
Thread-Index: AcJYpKAF53UIPaDxQrumD+/v84XIFwApLyMQ
From: "Bound, Jim" <Jim.Bound@hp.com>
To: Ted Lemon <Ted.Lemon@nominum.com>, Jean-Mickael Guerin <jean-mickael.guerin@6wind.com>
Cc: dhcwg@ietf.org
X-OriginalArrivalTime: 11 Sep 2002 04:12:26.0043 (UTC) FILETIME=[6FA600B0:01C25949]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by www1.ietf.org id g8B4Cav10623
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>

To add to this, DHCPv6 is multicast based.  That doesn't work too well with IPsec.  We still have not figured that out.

/jim

> -----Original Message-----
> From: Ted Lemon [mailto:Ted.Lemon@nominum.com]
> Sent: Tuesday, September 10, 2002 4:21 AM
> To: Jean-Mickael Guerin
> Cc: dhcwg@ietf.org
> Subject: Re: [dhcwg] IPsec for DHCPv6 client ?
> 
> 
> > My point concerns the possibility of using IPsec in scenario where DHCP Authentication is proposed. Because DHCP Authentication relies on shared secret, I think the draft should have a section about this, even if it would be limited to client and relays or client and server on same link.
> 
> Your reasoning is flawed. IPsec is not shared-secret authentication. It is an entire security infrastructure, carefully designed to solve a certain class of problems. It happens to support the use of shared-secret authentication, among other authentication schemes. The DHCP security option also supports shared-secret authentication. This is nothing more than a coincidence - it does not mean that DHCP security can work with IPsec.
> 
> The DHCP server and clients need to see packets with "bad" authentication keys in order for DHCP authentication to work, because they can't really prepare in advance for all the possible uses of keys by roaming clients and servers in locations to which they may roam. If the packet is signed with the wrong key with IPsec, it will simply be dropped by the DHCP agent's IP stack. This is not what we want.
> 
> Intuitively it seems obvious that one should use IPsec for DHCP authentication. Personally, I'd *love* to be able to claim that IPsec was a solution to securing DHCP transactions. But this working group has a long history of trying to solve this problem with IPsec. Every time we've tried to figure out a good way to do it, we've come up either with nothing, or with an unworkable kludge. So there's a good reason why we didn't do it - it's not an oversight.
> 
> If you think that there is a way to make IPsec work with DHCP authentication, please take the extra time to actually sit down and reason it through before insisting that we make changes. What happens when a server sees a new client for the first time? What happens when a client that's got a security association with a server at one site roams to a different site? Does the server at the other site even see packets from that client? How does it get them? How does all this work with relay agents? Like it or not, DHCP *requires* relay agents, so the protocol has to work when the DHCP client is talking to a relay agent rather than a server. If you put the signature in the payload, all these problems go away. That's why we've put the signature in the payload.
> 
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
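The argument in the quoted message is that an authenticator carried in the DHCP payload lets the server still receive a message signed under a key it does not hold (a roaming client, a first contact) and decide at the application layer what to do, whereas IPsec would discard such a packet in the IP stack before DHCP ever sees it, and a relay agent can forward the message without holding any key. The following Python model, added here as an illustration and not code from the thread or from any DHCP implementation, shows that distinction. It is a deliberately simplified layout (key id, replay counter, HMAC-SHA256, payload), not the real DHCP authentication option wire format; the function names and the constructed keys and payloads are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed, simplified model of payload-level DHCP authentication
# ("signature in the payload"). NOT the real DHCP authentication option
# encoding: header = 4-byte key id, 8-byte replay counter, 32-byte HMAC-SHA256,
# followed by the DHCP payload bytes.
HDR = struct.Struct("!IQ32s")
ZERO_MAC = b"\0" * 32


def _mac(key: bytes, key_id: int, counter: int, payload: bytes) -> bytes:
    # MAC covers the header (with the MAC field zeroed) and the payload.
    return hmac.new(key, HDR.pack(key_id, counter, ZERO_MAC) + payload,
                    hashlib.sha256).digest()


def build_message(payload: bytes, key_id: int, key: bytes, counter: int) -> bytes:
    """Client side: sign the payload with whatever shared key it currently holds."""
    return HDR.pack(key_id, counter, _mac(key, key_id, counter, payload)) + payload


def relay_forward(message: bytes) -> bytes:
    """Relay agent: forwards the message unchanged. It needs no key at all,
    which is the property an IPsec-based design would lose."""
    return message


def server_verify(message: bytes, keys: dict, last_counter: dict) -> tuple:
    """Server side: application-layer check that returns a verdict the server
    can log or act on, instead of the packet vanishing in the IP stack.

    keys: {key_id: key bytes} known to this server.
    last_counter: {key_id: highest counter accepted} for replay detection
    (mutated on success).
    """
    if len(message) < HDR.size:
        return ("malformed", None)
    key_id, counter, mac = HDR.unpack_from(message)
    payload = message[HDR.size:]
    key = keys.get(key_id)
    if key is None:
        # The server still sees the packet: it can record the unknown key id,
        # alert an operator, or fall back to a policy for unknown clients.
        return ("unknown-key", key_id)
    if not hmac.compare_digest(mac, _mac(key, key_id, counter, payload)):
        return ("bad-mac", key_id)
    if counter <= last_counter.get(key_id, -1):
        return ("replay", key_id)
    last_counter[key_id] = counter
    return ("ok", payload)


if __name__ == "__main__":
    # Constructed sample: the server knows key id 1 only.
    server_keys = {1: b"constructed-site-A-key"}
    seen = {}
    msg = relay_forward(build_message(b"SOLICIT", 1, server_keys[1], 7))
    print(server_verify(msg, server_keys, seen))            # ('ok', b'SOLICIT')
    roaming = relay_forward(build_message(b"SOLICIT", 2, b"site-B-key", 1))
    print(server_verify(roaming, server_keys, seen))        # ('unknown-key', 2)
```

The `unknown-key` and `bad-mac` verdicts are the point: with the authenticator in the payload the server observes the failed message and can make a policy decision, and the relay in between never needed a key to pass it along.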