IETF Logo Mail Archive

Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clarify-auth-00

Stig Venaas <Stig.Venaas@uninett.no> Tue, 20 July 2004 15:21 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA27438; Tue, 20 Jul 2004 11:21:04 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1BmwAa-0004e2-9L; Tue, 20 Jul 2004 11:04:40 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bmw3H-0002QU-Km for dhcwg@megatron.ietf.org; Tue, 20 Jul 2004 10:57:07 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA25869 for <dhcwg@ietf.org>; Tue, 20 Jul 2004 10:57:05 -0400 (EDT)
Received: from tyholt.uninett.no ([158.38.60.10]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Bmw3G-0001HW-BO for dhcwg@ietf.org; Tue, 20 Jul 2004 10:57:17 -0400
Received: from sverresborg.uninett.no (sverresborg.uninett.no [IPv6:2001:700:e000:0:204:75ff:fee4:423b]) by tyholt.uninett.no (8.12.10/8.12.10) with ESMTP id i6KEtNV0024308; Tue, 20 Jul 2004 16:55:43 +0200
Received: (from venaas@localhost) by sverresborg.uninett.no (8.12.8/8.12.8/Submit) id i6KEt8Rn030467; Tue, 20 Jul 2004 16:55:08 +0200
X-Authentication-Warning: sverresborg.uninett.no: venaas set sender to Stig.Venaas@uninett.no using -f
Date: Tue, 20 Jul 2004 16:55:08 +0200
From: Stig Venaas <Stig.Venaas@uninett.no>
To: Christian Strauf <strauf@rz.tu-clausthal.de>
Subject: Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clarify-auth-00
Message-ID: <20040720145508.GL29655@sverresborg.uninett.no>
References: <1090333421.11056.266.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1090333421.11056.266.camel@localhost>
User-Agent: Mutt/1.4.1i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b19722fc8d3865b147c75ae2495625f2
Cc: dhcwg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

One concern I have is regarding per-client state on the server. I would
like to avoid that if possible.

In 2.1 in the draft it's suggested for 21.4.5.x that:

The server MUST record the identifier of the key selected for the
client so that it can validate further Information-request
messages from the client if the client reuses the same key for the
future exchanges.

I must confess I haven't looked much at DHCP authentication, but I think
it's nice to prevent per-client state for "stateless" (RFC3736) DHCP
servers if possible.

Wouldn't it be possible to pass some sort of key id to the client,
which the client can include in future exchanges? The server could
perhaps have a fixed mapping between key id's and keys, and based
on the id, the server knows which key to use. I'm not sure if you
see what I mean, but my idea is if possible to keep the necessary
state in the clients rather than the servers. Might this be
possible? Or would there be security problems?

Using assymetric crypto one could easily have just one fixed key
for all messages sent by the client. But I guess that might make
the server vulnerable to DoS attacks.

For stateless I think it's generally enough to authenticate the DHCP
server. In most cases I don't think it's important to guard against
replay, or to authenticate the client. That could perhaps simplify
the security mechanism. It's relatively easy to guard against replay
anyway though.

Stig

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email