[dhcwg] draft-aboba-dhc-domsearch-08.txt

Thomas Narten <narten@us.ibm.com> Tue, 08 January 2002 17:21 UTC

Message-Id: <200201081643.g08GhE716312@rotala.raleigh.ibm.com>
To: Bernard Aboba <aboba@internaut.com>
cc: dhcwg@ietf.org
Date: Tue, 08 Jan 2002 11:43:14 -0500
From: Thomas Narten <narten@us.ibm.com>
Subject: [dhcwg] draft-aboba-dhc-domsearch-08.txt

The IESG discussed this document a while back, and has the following
comments:

1) The abstract and introduction talk about name services and refer
to RFC 2937 which specifies things like NIS/YP etc.

Is the intent that the domain search list apply to all name services or
just to the DNS? [I wouldn't be surprised if implementations just apply
it to the DNS when it is configured manually in e.g. /etc/resolv.conf]

Please make the document clear on this point.

2) The security recommendation for avoiding hijack seems to
   be equivalent to saying don't use the option if you want to be
   secure:
   
> 5.  Security Considerations
>
> Potential attacks on DHCP are discussed in section 7 of the DHCP
> protocol specification [2], as well as in the DHCP authentication
> specification [4]. In particular, using the domain search option, a
> rogue DHCP server might be able to redirect traffic to another site.
>
> To avert this attack, where DNS parameters such as the domain searchlist
> have been manually configured, these parameters SHOULD NOT be overridden
> by DHCP.

If I am open to receiving the option, I'll take a searchlist that
sends my mail for humanresources.myorg.com to
humanresources.rogue.com. 

Recommendation: what about making implementation of the DHCP
authentication option a requirement for full compliance with this
spec. Sites then at least have the option of enabling it. Not clear
how one would otherwise be able to protect against the attack. At the very
least, point out that the authentication option is needed to prevent
this kind of attack.

Might also be useful to mention 1535, since it discusses a similar issue.

>               A Security Problem and Proposed Correction
>                    With Widely Deployed DNS Software

Thomas
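The hijack described above and the draft's "manually configured parameters SHOULD NOT be overridden" rule, as an added example (not text from the draft and not code from any DHCP implementation): it decodes a Domain Search option payload, assuming the RFC 1035 label encoding with backwards-only compression pointers, then shows what a rogue search list does to an unqualified name and which entries survive the draft's rule plus an assumed local policy of accepting only domains under an operator-chosen trusted suffix. The payload bytes, the trusted suffix and the function names are constructed for this example.

```python
def decode_domain_search(payload: bytes) -> list:
    """Return the search domains in `payload`: labels are length-prefixed,
    0 ends a name, a byte >= 0xC0 starts a 2-byte backwards pointer."""
    names, pos = [], 0
    while pos < len(payload):
        labels, cur, jumped, hops = [], pos, False, 0
        while True:
            if cur >= len(payload):
                raise ValueError("truncated name")
            length = payload[cur]
            if length == 0:
                cur += 1
                break
            if length >= 0xC0:                          # compression pointer
                if cur + 1 >= len(payload) or hops > 16:
                    raise ValueError("truncated pointer or pointer loop")
                target = ((length & 0x3F) << 8) | payload[cur + 1]
                if target >= cur:                       # must point backwards
                    raise ValueError("forward pointer")
                if not jumped:
                    pos = cur + 2                       # next name follows pointer
                cur, jumped, hops = target, True, hops + 1
                continue
            if length > 63:
                raise ValueError("bad label length")
            labels.append(payload[cur + 1:cur + 1 + length].decode("ascii"))
            cur += 1 + length
        if not jumped:
            pos = cur
        names.append(".".join(labels))
    return names

def effective_search_list(manual, offered, trusted_suffix):
    """Draft rule: a manual list is never overridden by DHCP. Otherwise keep
    only offered domains under trusted_suffix (assumed local policy)."""
    if manual:
        return list(manual), list(offered)
    ok = [d for d in offered if d == trusted_suffix or d.endswith("." + trusted_suffix)]
    return ok, [d for d in offered if d not in ok]

def expansions(short_name, search_list):
    """Names a stub resolver would try for an unqualified name, in order."""
    return [short_name + "." + d for d in search_list]

# Constructed payload: eng.myorg.com, myorg.com (pointer to offset 4), rogue.com
SAMPLE = b"\x03eng\x05myorg\x03com\x00" + b"\xc0\x04" + b"\x05rogue\x03com\x00"

if __name__ == "__main__":
    print(effective_search_list([], decode_domain_search(SAMPLE), "myorg.com"))
```

The second return value is what a client should log when DHCP tries to add a search domain outside the trusted suffix, since that is the only visible trace of the redirect.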

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg