Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-04 - Respond by Nov 3, 2014
"Templin, Fred L" <Fred.L.Templin@boeing.com> Wed, 29 October 2014 20:03 UTC
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "Bernie Volz (volz)" <volz@cisco.com>
Hi,

> -----Original Message-----
> From: jinmei.tatuya@gmail.com [mailto:jinmei.tatuya@gmail.com] On Behalf Of 神明達哉
> Sent: Wednesday, October 29, 2014 10:58 AM
> To: Templin, Fred L
> Cc: Sheng Jiang; Bernie Volz (volz); dhcwg@ietf.org
> Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-04 - Respond by Nov 3, 2014
>
> At Tue, 28 Oct 2014 14:56:35 +0000,
> "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
>
> > > This version has provided a certificate-based mechanism for the client to be authenticated by the server. It is assuming the client has a
> > > certificate honored by the server.
> >
> > Right, I saw that but help me out here. If the client claims a DUID, is the certificate
> > proof enough that the client is the authorized owner of the DUID?
>
> In my understanding it's not guaranteed by the described protocol: any
> client that has a valid certificate can "steal" someone else's DUID
> in a signed DHCPv6 message that will be validated.

Thanks for this useful explanation. In my scenario, clients can trust their servers by leap-of-faith because there is another trust basis for assuring the client that the server is authorized to act as a server. However, the server needs some way of knowing that clients that pass authentication are actually authorized to receive the resources they are asking for.

Take for example a client C1 that provides a valid certificate but includes a DUID corresponding to client C2 in a DHCPv6 PD Request. Will the server return an IA_PD to client C1 that includes a prefix that is intended for client C2? That is the scenario I need to defend against.

> Enforcing it could be part of the server implementation/configuration,
> though.

Enforce by linking the client's certificate to its DUID? Something else?

Thanks - Fred
fred.l.templin@boeing.com

> --
> JINMEI, Tatuya
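The server-side check Fred asks about (binding each client's certificate to its DUID, so that a correctly signed message that claims another client's DUID is refused), as an added example that is not part of this thread or of the draft: a small Go model of the server's decision. It assumes constructed names (NewClient, Fingerprint, Server.Authorize) and uses raw ed25519 keys as a stand-in for the client certificate.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Client models a Secure DHCPv6 client: its own DUID plus the key pair whose
// public half its certificate carries (constructed stand-in, no real X.509).
type Client struct {
	DUID string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Server keeps the provisioning-time binding DUID -> certificate key fingerprint.
type Server struct{ Bindings map[string]string }

func NewClient(duid string) (Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Client{DUID: duid, Pub: pub, priv: priv}, err
}

// Fingerprint is the server's stable identifier for a certified key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Request signs "<claimed DUID>|<payload>"; claimedDUID may be another client's (C1 claiming C2).
func (c Client) Request(claimedDUID string, payload []byte) (msg, sig []byte) {
	msg = append([]byte(claimedDUID+"|"), payload...)
	return msg, ed25519.Sign(c.priv, msg)
}

// Authorize separates authentication (signature verifies under the presented key)
// from authorization (that key is bound to the claimed DUID). A valid signature alone grants nothing.
func (s Server) Authorize(pub ed25519.PublicKey, msg, sig []byte) error {
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify")
	}
	duid := string(bytes.SplitN(msg, []byte("|"), 2)[0])
	if want, ok := s.Bindings[duid]; !ok || want != Fingerprint(pub) {
		return errors.New("DUID " + duid + " is not bound to the presenting certificate")
	}
	return nil
}
```

With this binding in place, C1's request carrying C2's DUID authenticates (the signature is C1's) but is not authorized, so no IA_PD meant for C2 is returned.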