Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

Ted Lemon <mellon@fugue.com> Mon, 07 December 2020 13:03 UTC

From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 07 Dec 2020 08:03:22 -0500
Message-Id: <1B6C9B2E-A750-44C5-A1AC-703482FB1AF4@fugue.com>
References: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
Cc: Naveen Kottapalli <naveen.sarma@gmail.com>, last-call@ietf.org, Christian Huitema <huitema@huitema.net>, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org, secdir@ietf.org
In-Reply-To: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
To: "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/mGgdPC2VscYmE7uijhNJf5jG6FY>

Also, Christian, RA guard only works in a managed environment. In an unmanaged environment it will break things. It would be wise to be careful about when and where you recommend it or we will wind up with interoperability problems. This is probably outside of the DHC wg’s bailiwick. 

> On Dec 7, 2020, at 07:32, Bernie Volz (volz) <volz=40cisco.com@dmarc.ietf.org> wrote:
> 
>  FYI:
> 
>>> I understand that solutions like RA
>>> Guard will in practice provide some protection, but the use of these solutions is
>>> not discussed in RFC 8213. The DHCP WG might want to address that.
> 
> RFC8415’s security considerations is rather extensive and includes reference to many techniques to reduce the issues. 8213 was written while 8415 was under development.
> 
> - Bernie
> 
> On Dec 7, 2020, at 6:06 AM, Naveen Kottapalli <naveen.sarma@gmail.com> wrote:
> 
>> 
>> Thanks Christian.  Reference is corrected and will be available in next version.
>> 
>> Yours,
>> Naveen.
>> 
>> 
>> On Sat, 5 Dec 2020 at 01:34, Christian Huitema via Datatracker <noreply@ietf.org> wrote:
>>> Reviewer: Christian Huitema
>>> Review result: Ready
>>> 
>>> This document presents a set of requirements for how "Prefix Delegating Relays" should
>>> handle the relaying of IPv6 Prefix delegation requests between DHCP clients and DHCP servers.
>>> 
>>> This document is Ready. But please fix one tiny nit.
>>> 
>>> Prefix Delegating Relays are more complex than simple DHCP relays. Instead of
>>> merely passing information back and forth between DHCP clients and DHCP servers,
>>> they also need to install IPv6 routes so the allocated IPv6 prefix is routed towards
>>> the client to which the prefix is allocated via DHCP. The document explains
>>> issues found during past deployments, and presents a set of requirements to
>>> ensure smooth operation of the service.
>>> 
>>> As written in the security section, stating these requirements does not add
>>> any new security considerations beyond those mentioned in RFC 8213, which requires
>>> using IPSEC between DHCP relay and DHCP server. This is fine and I believe that
>>> the draft is ready, except for one nit. The draft mentions "Section 22 of [RFC8213]",
>>> but RFC 8213 only has 6 sections. Since that RFC is entirely about "Security of
>>> Messages Exchanged between Servers and Relay Agents", I don't understand why the
>>> draft needs to mention this bogus "Section 22". Are the authors trying to trick
>>> this reviewer?
>>> 
>>> There is a security issue concerning communication between clients and relays. This
>>> draft is not the place to address it, which is why I think it is ready, but I can't
>>> resist using this review to pass a message to the working group. On link attackers
>>> could spoof requests for prefix delegation, or responses, just like
>>> they can spoof any DHCP message. Spoofing prefix delegation requests might be a way
>>> to attack networks, or to cause support issues between clients and providers.
>>> RFC 8213 "suggests" using secure DHCPv6 between client and server, but the "secure
>>> DHCPv6" draft cited in RFC 8213 is now expired. I understand that solutions like RA
>>> Guard will in practice provide some protection, but the use of these solutions is
>>> not discussed in RFC 8213. The DHCP WG might want to address that.
>>> 
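An added example, not code from this thread, the draft, or the cited RFCs, illustrating the relay-side half of the point Bernie and Christian make about RFC 8213: a prefix-delegating relay should derive the routes it installs only from a Reply that arrived from a configured server (the relay-to-server path RFC 8213 protects), and should treat a zero valid-lifetime as a withdrawal rather than a route. The option layout follows RFC 8415; the server addresses, prefix, lifetimes and next hop are constructed sample values.

```python
import ipaddress
import struct

MSG_REPLY, OPT_IA_PD, OPT_IAPREFIX = 7, 25, 26  # RFC 8415 message type / option codes

def parse_options(buf):
    """Yield (code, data) for each TLV option in buf (RFC 8415 section 21.1)."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated DHCPv6 option %d" % code)
        yield code, buf[off:off + length]
        off += length

def delegated_prefixes(msg):
    """Return [(network, preferred, valid)] from a Reply's IA_PD options;
    a zero valid-lifetime is a withdrawal and is not returned as a route."""
    if len(msg) < 4 or msg[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 Reply message")
    found = []
    for code, data in parse_options(msg[4:]):          # skip msg-type + xid
        if code != OPT_IA_PD or len(data) < 12:
            continue
        for sub, sdata in parse_options(data[12:]):    # after IAID, T1, T2
            if sub != OPT_IAPREFIX or len(sdata) < 25:
                continue
            preferred, valid, plen = struct.unpack_from("!IIB", sdata, 0)
            if valid == 0:
                continue
            addr = ipaddress.IPv6Address(sdata[9:25])
            found.append((ipaddress.IPv6Network((addr, plen), strict=False), preferred, valid))
    return found

def relay_routes(msg, server_src, trusted_servers, client_next_hop):
    """Routes a PD relay may install for a Reply: [] unless the Reply came from
    a configured server address (constructed allowlist stands in for the IPsec peer)."""
    if ipaddress.IPv6Address(server_src) not in map(ipaddress.IPv6Address, trusted_servers):
        return []
    return [(net, client_next_hop) for net, _p, _v in delegated_prefixes(msg)]

def build_reply(xid, iaid, prefix, preferred, valid):
    """Constructed test input: a minimal Reply carrying one IA_PD/IAPREFIX."""
    net = ipaddress.IPv6Network(prefix)
    iap = struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed
    ia_pd = struct.pack("!III", iaid, preferred // 2, preferred * 4 // 5) + struct.pack("!HH", OPT_IAPREFIX, len(iap)) + iap
    return bytes([MSG_REPLY]) + xid.to_bytes(3, "big") + struct.pack("!HH", OPT_IA_PD, len(ia_pd)) + ia_pd
```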