Re: [dhcwg] draft-miles-dhc-forcerenew-key-00
"MILES DAVID" <David.Miles@alcatel-lucent.com.au> Thu, 05 March 2009 03:52 UTC
Return-Path: <David.Miles@alcatel-lucent.com.au>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D282528C1DF for <dhcwg@core3.amsl.com>; Wed, 4 Mar 2009 19:52:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 32ua3zyVBfQR for <dhcwg@core3.amsl.com>; Wed, 4 Mar 2009 19:52:09 -0800 (PST)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id E50B028C1CB for <dhcwg@ietf.org>; Wed, 4 Mar 2009 19:52:08 -0800 (PST)
Received: from ihrh1.emsr.lucent.com (h135-1-218-53.lucent.com [135.1.218.53]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id n253qTrI004153; Wed, 4 Mar 2009 21:52:30 -0600 (CST)
Received: from mail.apac.alcatel-lucent.com (h202-65-2-130.alcatel.com [202.65.2.130]) by ihrh1.emsr.lucent.com (8.13.8/emsr) with ESMTP id n253qQAK009038; Wed, 4 Mar 2009 21:52:27 -0600 (CST)
Received: from sgsinsbhs01.ad4.ad.alcatel.com (sgsinsbhs01.ap.lucent.com [135.254.109.34]) by mail.apac.alcatel-lucent.com (8.13.7/8.13.7/Alcanet1.0) with ESMTP id n253MGFK002453; Thu, 5 Mar 2009 11:22:17 +0800
Received: from SGSINSMBS02.ad4.ad.alcatel.com ([135.254.109.29]) by sgsinsbhs01.ad4.ad.alcatel.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 5 Mar 2009 11:52:24 +0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 05 Mar 2009 11:52:24 +0800
Message-ID: <986DCE2E44129444B6435ABE8C9E424D02D06408@SGSINSMBS02.ad4.ad.alcatel.com>
In-Reply-To: <8E296595B6471A4689555D5D725EBB210B864090@xmb-rtp-20a.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dhcwg] draft-miles-dhc-forcerenew-key-00
Thread-Index: Acmc4VQNbGWUrFavTSWJ3wo97EHuSAAMGBIQAABP4QA=
References: <986DCE2E44129444B6435ABE8C9E424D02D05FF1@SGSINSMBS02.ad4.ad.alcatel.com> <8E296595B6471A4689555D5D725EBB210B864090@xmb-rtp-20a.amer.cisco.com>
From: MILES DAVID <David.Miles@alcatel-lucent.com.au>
To: "Bernie Volz (volz)" <volz@cisco.com>, dhcwg@ietf.org
X-OriginalArrivalTime: 05 Mar 2009 03:52:24.0448 (UTC) FILETIME=[CB376800:01C99D45]
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
X-Scanned-By: MIMEDefang 2.64 on 202.65.2.130
Cc: James.Bristow@swisscom.com
Subject: Re: [dhcwg] draft-miles-dhc-forcerenew-key-00
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2009 03:52:09 -0000
Hi Bernie, Thanks for the quick review. Comments inline: 1. We already have 0-length data options in DHCPv4 (see http://www.ietf.org/rfc/rfc4039.txt), so not sure what the value of using a 1-byte data option is for the Forcerenew Key Protocol Capability Option. >> Understood. This was part of the original proposal and I admit we glossed over this particular detail. A zero-len option would be fine. 2. Why not use the same techniques as used for DHCPv6 ... DISCOVER includes Forcerenew Key Protocol Capability Option. OFFER includes Forcerenew Key Protocol Capability Option. REQUEST includes Forcerenew Key Protocol Capability Option. ACK includes Forcerenew Key Protocol Capability Option & Auth Option (with key). This avoids the need to send back the AUTH option in the OFFER (and the need for Type of 0). >> Will update this in -01. 3. I don't understand why the following is needed: The client would indicate that it supports the functionality by inserting an Parameter Request List option (option 55, [RFC2131]) containing option <TBD> in the DHCP Discover message. The client has provided the option and if the server supports it, it MUST send it back (if adopt #2 above). This is a "core" protocol option so I see little value to also include it in the PRL.- >> Will remove this line. 4. While perhaps it doesn't matter much because it is easy to snoop packets via promiscous mode anyway, but I wonder whether something needs to be said about the BROADCAST ACK which contains the key (in DHCPv6, messages to the client are always unicast)? Certainly something should be said about it in the Security Considerations? >> Ill add a section describing the problem when the broadcast bit is set. Thanks again!
- [dhcwg] draft-miles-dhc-forcerenew-key-00 MILES DAVID
- Re: [dhcwg] draft-miles-dhc-forcerenew-key-00 Bernie Volz (volz)
- Re: [dhcwg] draft-miles-dhc-forcerenew-key-00 MILES DAVID
- [dhcwg] draft-miles-dhc-forcerenew-key-01 MILES DAVID