Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

"Bernie Volz (volz)" <volz@cisco.com> Tue, 10 January 2017 16:25 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CE71295F9 for <dhcwg@ietfa.amsl.com>; Tue, 10 Jan 2017 08:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.721
X-Spam-Level:
X-Spam-Status: No, score=-17.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8d6oAf5HXIru for <dhcwg@ietfa.amsl.com>; Tue, 10 Jan 2017 08:25:24 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B21D1293FC for <dhcwg@ietf.org>; Tue, 10 Jan 2017 08:25:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1383; q=dns/txt; s=iport; t=1484065523; x=1485275123; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=2iLweljoyc5OlOtvUjVqeutHw9JyEM2+3WFn5wi+7sU=; b=KR6DjSpba4VFAhD5bqMunWlx77RJukyXjJue8QM3hE9H42SLhK6seanK PkevifnKC0+8pN2PMZTdo77ubNBWYi83aJWSBBd9v8DswfE/K10e0aGZ7 K/8AVgT/OxlGbz+rGjGu4HUJQlqyNvAlNXSKNf2FnB/4dEEb6G8O086n7 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AVAQC+CXVY/51dJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgzoBAQEBAR9fgQ0HjVCSJpUnggsfC4V4AoICPxQBAgEBAQEBAQF?= =?us-ascii?q?jKIRpAQEBAwEBATg0EAcEAgEIDgMEAQEfCQcnCxQJCAIEARIIiGAIDrJqiiMBA?= =?us-ascii?q?QEBAQEBAQEBAQEBAQEBAQEBAQEYBYsmhDCFfAWIf5IkAZFIkGqSXQEfOIFAFTi?= =?us-ascii?q?GLXMBhiorgQOBDQEBAQ?=
X-IronPort-AV: E=Sophos;i="5.33,344,1477958400"; d="scan'208";a="196485787"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jan 2017 16:25:23 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v0AGPNDF010324 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 10 Jan 2017 16:25:23 GMT
Received: from xch-aln-003.cisco.com (173.36.7.13) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 10 Jan 2017 10:25:22 -0600
Received: from xch-aln-003.cisco.com ([173.36.7.13]) by XCH-ALN-003.cisco.com ([173.36.7.13]) with mapi id 15.00.1210.000; Tue, 10 Jan 2017 10:25:22 -0600
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Simon Hobson <dhcp1@thehobsons.co.uk>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] DHCP and DHCPv6 options for LWM2M services
Thread-Index: AQHSaxiNtMtku6LXnUKRviOCHtSIw6Ex5cBg
Date: Tue, 10 Jan 2017 16:25:22 +0000
Message-ID: <379fe60ed0c44f7fb4649bb16400b5df@XCH-ALN-003.cisco.com>
References: <HE1PR0701MB191453938CCDD842F97014F3DE640@HE1PR0701MB1914.eurprd07.prod.outlook.com> <0827A698-2AF7-4D16-87BE-A86BC8E44C63@fugue.com> <HE1PR0701MB1914138E2293BA8C976DC9C2DE670@HE1PR0701MB1914.eurprd07.prod.outlook.com> <8382A4BB-303D-468D-9453-1A426096FAAE@thehobsons.co.uk>
In-Reply-To: <8382A4BB-303D-468D-9453-1A426096FAAE@thehobsons.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.1.196]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/jDTIxPwLSK70J1LL4fwb74FeSiU>
Subject: Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 16:25:26 -0000

Maybe if seDHCPv6 is used, this could resolve some issues ... though of course, there is still the question of how to trust the seDHCPv6 certificate!

- Bernie

-----Original Message-----
From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Simon Hobson
Sent: Tuesday, January 10, 2017 3:07 AM
To: dhcwg@ietf.org
Subject: Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com>; wrote:

> If I understand correct, you are asking how certificate supplied through DHCP option is validated.
>  
> The certificate supplied through DHCP option is not validated but it can be used to validate certificate offered by LWM2M server during LWM2M bootstrapping phase.
>  
> Instead of hardcoding root certificate in device by manufacturer, we are proposing to obtain same through DHCP option.

I can see the use case, but now you validating the information being provided ... using a certificate provided by an untrusted source.
Thus, if someone has enough access to redirect your devices to use their server, they probably have enough access to provide the fake certificate to make their server trusted. I'm assuming this is what Ted was alluring to.

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg