Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

"Bernie Volz (volz)" <> Tue, 10 January 2017 16:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C5CE71295F9 for <>; Tue, 10 Jan 2017 08:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.721
X-Spam-Status: No, score=-17.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8d6oAf5HXIru for <>; Tue, 10 Jan 2017 08:25:24 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2B21D1293FC for <>; Tue, 10 Jan 2017 08:25:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=1383; q=dns/txt; s=iport; t=1484065523; x=1485275123; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=2iLweljoyc5OlOtvUjVqeutHw9JyEM2+3WFn5wi+7sU=; b=KR6DjSpba4VFAhD5bqMunWlx77RJukyXjJue8QM3hE9H42SLhK6seanK PkevifnKC0+8pN2PMZTdo77ubNBWYi83aJWSBBd9v8DswfE/K10e0aGZ7 K/8AVgT/OxlGbz+rGjGu4HUJQlqyNvAlNXSKNf2FnB/4dEEb6G8O086n7 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.33,344,1477958400"; d="scan'208";a="196485787"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jan 2017 16:25:23 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id v0AGPNDF010324 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 10 Jan 2017 16:25:23 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 10 Jan 2017 10:25:22 -0600
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Tue, 10 Jan 2017 10:25:22 -0600
From: "Bernie Volz (volz)" <>
To: Simon Hobson <>, "" <>
Thread-Topic: [dhcwg] DHCP and DHCPv6 options for LWM2M services
Thread-Index: AQHSaxiNtMtku6LXnUKRviOCHtSIw6Ex5cBg
Date: Tue, 10 Jan 2017 16:25:22 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Jan 2017 16:25:26 -0000

Maybe if seDHCPv6 is used, this could resolve some issues ... though of course, there is still the question of how to trust the seDHCPv6 certificate!

- Bernie

-----Original Message-----
From: dhcwg [] On Behalf Of Simon Hobson
Sent: Tuesday, January 10, 2017 3:07 AM
Subject: Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

Srinivasa Rao Nalluri <> wrote:

> If I understand correct, you are asking how certificate supplied through DHCP option is validated.
> The certificate supplied through DHCP option is not validated but it can be used to validate certificate offered by LWM2M server during LWM2M bootstrapping phase.
> Instead of hardcoding root certificate in device by manufacturer, we are proposing to obtain same through DHCP option.

I can see the use case, but now you validating the information being provided ... using a certificate provided by an untrusted source.
Thus, if someone has enough access to redirect your devices to use their server, they probably have enough access to provide the fake certificate to make their server trusted. I'm assuming this is what Ted was alluring to.

dhcwg mailing list