Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-04 - Respond by Nov 3, 2014

"Templin, Fred L" <Fred.L.Templin@boeing.com> Thu, 30 October 2014 19:02 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Date: Thu, 30 Oct 2014 19:01:27 +0000
Message-ID: <2134F8430051B64F815C691A62D9831832D70B85@XCH-BLV-504.nw.nos.boeing.com>
References: <489D13FBFA9B3E41812EA89F188F018E1B6F6882@xmb-rcd-x04.cisco.com> <2134F8430051B64F815C691A62D9831832D5B51E@XCH-BLV-504.nw.nos.boeing.com> <5D36713D8A4E7348A7E10DF7437A4B923AF6A5C0@nkgeml512-mbx.china.huawei.com> <2134F8430051B64F815C691A62D9831832D6E707@XCH-BLV-504.nw.nos.boeing.com> <CAJE_bqeLugy4UuJdT2wLYN6Kr_B-WGBnqXo5x5j0iNGAmCqNCA@mail.gmail.com> <2134F8430051B64F815C691A62D9831832D6FD2C@XCH-BLV-504.nw.nos.boeing.com> <CAJE_bqd54u_msDjwO0Khaz3o+vTe=wbPjOCSAPSr=_gBbzaHgw@mail.gmail.com>
In-Reply-To: <CAJE_bqd54u_msDjwO0Khaz3o+vTe=wbPjOCSAPSr=_gBbzaHgw@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/mVir2BzxFDu0P0CMuky-IeOml0o
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "Bernie Volz (volz)" <volz@cisco.com>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-04 - Respond by Nov 3, 2014

Hi,

> -----Original Message-----
> From: jinmei.tatuya@gmail.com [mailto:jinmei.tatuya@gmail.com] On Behalf Of 神明達哉
> Sent: Thursday, October 30, 2014 9:53 AM
> To: Templin, Fred L
> Cc: dhcwg@ietf.org; Bernie Volz (volz)
> Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-04 - Respond by Nov 3, 2014
> 
> At Wed, 29 Oct 2014 20:03:42 +0000,
> "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
> 
> > Take for example a client C1 that provides a valid certificate but includes a DUID
> > corresponding to client C2 in a DHCPv6 PD Request. Will the server return an
> > IA_PD to client C1 that includes a prefix that is intended for client C2? That is
> > the scenario I need to defend against.
> 
> Again just in my understanding, the protocol described in the sedhcpv6
> draft wouldn't be able to prevent it by itself.  I suspect it's a
> matter of the server implementation/operation.  In practice, the
> server should maintain some relationship between the certificate's
> subject (i.e., that particular client, whether it's in the form of
> DUID or of an FQDN or something else) and information (address,
> prefix, etc) that the server would assign to the client; otherwise,
> just validating the certificate wouldn't be much useful.  I believe
> your goal can be achieved by using sedhcpv6 with this setup.
> 
> > > Enforcing it could be part of the server implementation/configuration,
> > > though.
> >
> > Enforce by linking the client's certificate to its DUID? Something else?
> 
> Enforce by linking the client's certificate to *some ID* of the client
> (which might be the DUID or something else).  See above.

OK, that sounds good but could perhaps use some concluding discussion
at the upcoming meeting. I have a bullet on this on my presentation charts.

Thanks - Fred
fred.l.templin@boeing.com

> --
> JINMEI, Tatuya
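The server-side check Jinmei describes (link the validated certificate subject to some client ID and to the data the server may assign) modelled as an added example; this is illustrative code, not part of the thread, the draft, or any DHCPv6 server, and the binding table, subject names, DUIDs and prefixes are constructed assumptions:

```python
# Added example: a minimal model of the server-side binding that the thread
# says sedhcpv6 leaves to implementation/operation. The binding table and
# all names below are assumptions for illustration, not a real server API.
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Binding:
    """Operator-provisioned link between a certificate subject, the DUID(s)
    that subject may present, and the IA_PD prefix reserved for it."""
    duids: FrozenSet[str]
    prefix: IPv6Network

# Constructed sample configuration: two PD clients, C1 and C2.
BINDINGS: Dict[str, Binding] = {
    "CN=client-c1.example": Binding(frozenset({"00:01:00:01:c1c1c1c1"}),
                                    ip_network("2001:db8:1::/48")),
    "CN=client-c2.example": Binding(frozenset({"00:01:00:01:c2c2c2c2"}),
                                    ip_network("2001:db8:2::/48")),
}

def authorize_pd_request(cert_subject: Optional[str], cert_valid: bool,
                         duid: str) -> Tuple[Optional[IPv6Network], str]:
    """Decide what prefix (if any) goes into the IA_PD for a PD Request.

    cert_valid is the outcome of the sedhcpv6 certificate/signature check,
    assumed to have already run. The reason string is meant for the server
    log so that a subject/DUID mismatch is visible to operators.
    """
    if not cert_valid or cert_subject is None:
        return None, "refused: request not authenticated"
    binding = BINDINGS.get(cert_subject)
    if binding is None:
        return None, f"refused: no binding for subject {cert_subject}"
    if duid not in binding.duids:
        # The scenario from the thread: C1's valid certificate with C2's
        # DUID. Certificate validation alone passes; the binding refuses.
        return None, f"refused: DUID {duid} not bound to {cert_subject}"
    return binding.prefix, "ok"
```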