RE: [dhcwg] Security for leasequery messages

Seems like a good approach ... But will the IESG be happy with it?

Today, there's always the basic security of only allowing the requests
from specific addresses (and since it is the reply that has the
interesting information, spoofing the sender doesn't buy you that much).

- Bernie

-----Original Message-----
From: dhcwg-admin@ietf.org [mailto:dhcwg-admin@ietf.org] On Behalf Of
Kim Kinnear
Sent: Wednesday, April 07, 2004 4:38 PM
To: Ralph Droms; dhcwg@ietf.org
Cc: kkinnear@cisco.com
Subject: Re: [dhcwg] Security for leasequery messages

Folks,

This is clearly an issue, and there are no easy answers.
Here is one approach:

Nothing is mandatory to implement, since one approach is to ensure that
there is physical security between the access concentrator and the DHCP
server.

A better approach is to use some form of the not-yet-fully-baked relay
agent authentication.  For example:

http://www.ietf.org/internet-drafts/draft-ietf-dhc-auth-suboption-03.txt

but since this is still coming along, it can't be mandatory, that's for
sure.  We could wait to standardize leasequery until something was
approved for relay agent authentication, but that will further delay
something that has already undergone numerous delays.  There are large
number of similar-to-the-standard leasequery installations, and more
every day.  It would be nice to bring them all into compliance over
time, and time is getting away from us.

One approach would be to make something mandatory once that something
exists, which is a little odd but perhaps doable.  We might be able to
say:

        "When some form of relay-agent to DHCP server
        authentication becomes a standard, its use for leasequery
        becomes mandatory."

Something to consider.

Any other ideas for handle this one?

Cheers -- Kim

At 07:56 PM 4/6/2004, Ralph Droms wrote:
>The following issues relate to security for leasequery messages:
>
>Steve Bellovin:
>
>Discuss:
>(26 March 2004)
>The Security Considerations section says this:
>
>   DHCP servers SHOULD prevent exposure of location information
>   (particularly the mapping of hardware address to IP address lease,
>   which can be an invasion of broadband subscriber privacy) by
>   employing some form of relay agent authentication between the
>   DHCPLEASEQUERY client and the DHCP server.
>
>   Clients of the DHCPLEASEQUERY message SHOULD ensure that their data
>   path to the DHCP server is secure.  Clients SHOULD use Relay Agent
>   Information security as a way to achieve this goal.
>
>What is "some form of ... authentication"?  What is "Relay Agent 
>Information security"?  Put another way, what is mandatory to 
>implement?
>
>Russ Housley:
>
>Discuss:
>  Section 7 says:
>  >
>  > DHCP servers SHOULD prevent exposure of location information
>  > (particularly the mapping of hardware address to IP address lease,
>  > which can be an invasion of broadband subscriber privacy) by
>  > employing some form of relay agent authentication between the
>  > DHCPLEASEQUERY client and the DHCP server.
>  >
>  There needs to be more discussion of the authentication requirements.
>  I would prefer the specification to name a mandatory-to-implement
>  mechanism, but that may be asking too much.
>
>  Section 7 also says:
>  >
>  > Clients of the DHCPLEASEQUERY message SHOULD ensure that their data

> > path to the DHCP server is secure.  >
>  What security services are needed?  Integrity, authentication, access
>  control, replay protection confidentiality?  The hint about Relay
Agent
>  Information security, with no reference, is not sufficient.
>
>
>
>_______________________________________________
>dhcwg mailing list
>dhcwg@ietf.org
>https://www1.ietf.org/mailman/listinfo/dhcwg

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg