Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clarify-auth-00
Stig Venaas <Stig.Venaas@uninett.no> Tue, 20 July 2004 15:21 UTC
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA27438; Tue, 20 Jul 2004 11:21:04 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1BmwAa-0004e2-9L; Tue, 20 Jul 2004 11:04:40 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Bmw3H-0002QU-Km for dhcwg@megatron.ietf.org; Tue, 20 Jul 2004 10:57:07 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA25869 for <dhcwg@ietf.org>; Tue, 20 Jul 2004 10:57:05 -0400 (EDT)
Received: from tyholt.uninett.no ([158.38.60.10]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Bmw3G-0001HW-BO for dhcwg@ietf.org; Tue, 20 Jul 2004 10:57:17 -0400
Received: from sverresborg.uninett.no (sverresborg.uninett.no [IPv6:2001:700:e000:0:204:75ff:fee4:423b]) by tyholt.uninett.no (8.12.10/8.12.10) with ESMTP id i6KEtNV0024308; Tue, 20 Jul 2004 16:55:43 +0200
Received: (from venaas@localhost) by sverresborg.uninett.no (8.12.8/8.12.8/Submit) id i6KEt8Rn030467; Tue, 20 Jul 2004 16:55:08 +0200
X-Authentication-Warning: sverresborg.uninett.no: venaas set sender to Stig.Venaas@uninett.no using -f
Date: Tue, 20 Jul 2004 16:55:08 +0200
From: Stig Venaas <Stig.Venaas@uninett.no>
To: Christian Strauf <strauf@rz.tu-clausthal.de>
Subject: Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clarify-auth-00
Message-ID: <20040720145508.GL29655@sverresborg.uninett.no>
References: <1090333421.11056.266.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1090333421.11056.266.camel@localhost>
User-Agent: Mutt/1.4.1i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b19722fc8d3865b147c75ae2495625f2
Cc: dhcwg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
One concern I have is regarding per-client state on the server. I would like to avoid that if possible. In 2.1 in the draft it's suggested for 21.4.5.x that: The server MUST record the identifier of the key selected for the client so that it can validate further Information-request messages from the client if the client reuses the same key for the future exchanges. I must confess I haven't looked much at DHCP authentication, but I think it's nice to prevent per-client state for "stateless" (RFC3736) DHCP servers if possible. Wouldn't it be possible to pass some sort of key id to the client, which the client can include in future exchanges? The server could perhaps have a fixed mapping between key id's and keys, and based on the id, the server knows which key to use. I'm not sure if you see what I mean, but my idea is if possible to keep the necessary state in the clients rather than the servers. Might this be possible? Or would there be security problems? Using assymetric crypto one could easily have just one fixed key for all messages sent by the client. But I guess that might make the server vulnerable to DoS attacks. For stateless I think it's generally enough to authenticate the DHCP server. In most cases I don't think it's important to guard against replay, or to authenticate the client. That could perhaps simplify the security mechanism. It's relatively easy to guard against replay anyway though. Stig _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-clari… Christian Strauf
- Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-c… Stig Venaas
- Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-c… JINMEI Tatuya / 神明達哉
- Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-c… JINMEI Tatuya / 神明達哉
- RE: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-c… Bernie Volz
- Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-c… JINMEI Tatuya / 神明達哉
- Re: [dhcwg] Comments on draft-jinmei-dhc-dhcpv6-c… JINMEI Tatuya / 神明達哉