Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Francis Dupont <Francis.Dupont@fdupont.fr> Wed, 07 June 2017 23:17 UTC

Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AE681270B4 for <dhcwg@ietfa.amsl.com>; Wed, 7 Jun 2017 16:17:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A_C0KE8yMxKg for <dhcwg@ietfa.amsl.com>; Wed, 7 Jun 2017 16:17:27 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F826126D45 for <dhcwg@ietf.org>; Wed, 7 Jun 2017 16:17:27 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [IPv6:::1]) by givry.fdupont.fr (8.14.7/8.14.7) with ESMTP id v57N2XbZ076691; Thu, 8 Jun 2017 01:02:33 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201706072302.v57N2XbZ076691@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Ted Lemon <mellon@fugue.com>
cc: Tomek Mrugalski <tomasz.mrugalski@gmail.com>, dhcwg@ietf.org
In-reply-to: Your message of Wed, 07 Jun 2017 17:49:25 -0400. <F9256C35-FED1-4CFC-B6EF-103576976177@fugue.com>
Date: Thu, 08 Jun 2017 01:02:33 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/i3XaZ21-pFTt8FZkKE9RfyDd-M8>
Subject: Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 23:17:29 -0000

 In your previous mail you wrote:

>  On Jun 7, 2017, at 5:25 PM, Francis Dupont <Francis.Dupont@fdupont.fr> =
>  wrote:
>  > I am afraid you are replacing the address bootstrap mess by the =
>  security
>  > bootstrap mess but there is a security protocol which includes address
>  > bootstrapping, it is IKEv2 so IMHO we should try it as on the paper
>  > it has all we need.
>  
>  Pretty much everything you said here assumes that the DHCP client has a =
>  routable address.

=> requiring a routable address is what I called the "address bootstrap" mess.
Note we don't need one, just to be able to send a packet to the server
and if possible not using multicast (multicast is where the embedded
relay can help). Note that IKE or DTLS works over link-local addresses
so you can protect directly client-relay.

   It's the fact that it doesn't that makes this hard.

=> yes, the info-request / stateless case is easier.

>  Also, a key agreement protocol is probably not a good idea if we care =
>  about privacy.

=> by key agreement I mean a Diffie-Hellman variant (more ECDH or X25519).
Cf Russ Housley's message.
I can't see what is the impact on privacy: it is just a parameter saying
which variant, and a public random/opaque value which can be changed for
each init (DISCOVER/SOLICIT) message.

>  And we already talked about how to do TOFU, and I think that applies =
>  just as well here as to the current spec.

=> TOFU is a server policy.

Another problem with all IKE, DTLS and reinvented similar mechanisms
is that it is not possible to protect both identities against active
attacks (cf the SIGMA conf paper) so if we want mutual authentication
we have to choose protocols which protect the client/initiator identity
(for instance to put the client public key in clear text in the first
message is not good even against passive attacks).

Regards

Francis.Dupont@fdupont.fr

PS: as candidates with have  HIP, and also some EAP/PANA extensions
to do encryption (IMHO more to get ideas than to use).
PPS: before going further it seems we should first agree about what
we want...