RE: [dhcwg] Response to IESG comments on draft-ietf-dhc-isnsoptio n-08.txt

Black_David@emc.com Sat, 06 September 2003 10:51 UTC

From: Black_David@emc.com
Message-ID: <B459CE1AFFC52D4688B2A5B842CA35EA7A4F36@corpmx14.us.dg.com>
To: cmonia@NishanSystems.com, ElizabethRodriguez@ieee.org, rdroms@cisco.com, smb@research.att.com
Cc: narten@us.ibm.com, dhcwg@ietf.org, ips@ece.cmu.edu, Black_David@emc.com, mankin@isi.edu, jtseng@NishanSystems.com, kgibbons@NishanSystems.com
Subject: RE: [dhcwg] Response to IESG comments on draft-ietf-dhc-isnsoptio n-08.txt
Date: Fri, 05 Sep 2003 17:25:29 -0400

At the risk of complicating this further, I don't think "RECOMMENDED"
is going to be the right solution, as "cannot obtain an implementation"
does not strike me as a "valid reason in particular circumstances"
(cf. RFC 2119) to ignore a "RECOMMENDED" requirement statement.

I think the right thing to do here is to address Ralph's concern directly
rather than trying to craft language that avoids it.  In other words,
discuss the usefulness of DHCP Authentication, but point out that it is
not widely implemented, recommend its use  when available (lower case
"recommended"), and discuss alternative measures that can prevent contact
with a rogue iSNS server (e.g., in addition to not using the iSNS DHCP
option, IPsec can provide countermeasures based on setting policy for
traffic to the TCP port used by iSNS, but one has to have local policy
override the IPsec on/off setting in the iSNS DHCP option).

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

> Hi:
> 
> In response to the security issues, the following change to the security
> section is proposed.  Please let me know if this is satisfactory. 
> 
> =====================
> Security:
> 
> Security considerations pertinent to DHCP are described in [RFC3118]. Among
> these is the potential for a "man-in-the-middle" attack by a hostile entity
> modifying or replacing the original iSNS option message. If the
> authentication option in [RFC3118] is not implemented, then an attacker may
> trick the iSNS client into connecting to rogue iSNS servers.
> 
> It is therefore RECOMMENDED that [RFC3118] be implemented and used on the
> client and server.  If the authentication option for DHCP is not implemented
> and it is determined that the potential exists for one of the attacks
> described in [RFC3118], then the DHCP option message for iSNS should not be
> utilized.
> 
> ======================
> 
> Thanks,
> Charles Monia
> 
> > -----Original Message-----
> > From: Elizabeth G. Rodriguez [mailto:ElizabethRodriguez@ieee.org] 
> > Sent: Friday, August 29, 2003 9:56 AM
> > To: 'Charles Monia'; 'Ralph Droms'; 'Steven Bellovin'
> > Cc: 'Thomas Narten (E-mail)'; 'DHCP (E-mail)'; 'Ips 
> > (E-mail)'; 'David Black (E-mail)'; 'Allison Mankin (E-mail)'; 
> > 'Joshua Tseng'; 'Kevin Gibbons'
> > Subject: RE: [dhcwg] Response to IESG comments on 
> > draft-ietf-dhc-isnsoption-08.txt
> > 
> > 
> > Hi all,
> > 
> > I am struggling with the new wording here.
> > I understand Ralph Droms' concerns, but not sure that this is 
> > the right solution.  In addition, the current wording is 
> > mandating use, something that in general we try to avoid in 
> > IETF documents.
> > 
> > I have added Steve Bellovin to the distribution, and hope he 
> > will comment on this proposed change -- he is the AD who 
> > questioned making RFC 3118 optional.  If he is OK with the 
> > proposed change to keep RFC 3118 optional, then I recommend 
> > changes to the effect of:
> > 
> > 1) It is RECOMMENDED that RFC 3118 be implemented.  
> > 
> > 2) It is recommended that if RFC 3118 is available on both 
> > the client and server, it be used.
> > 
> > Elizabeth Rodriguez
> > 
> > 
> > -----Original Message-----
> > From: Charles Monia [mailto:cmonia@NishanSystems.com] 
> > Sent: Thursday, August 28, 2003 4:31 PM
> > To: 'Ralph Droms'; Charles Monia
> > Cc: Thomas Narten (E-mail); DHCP (E-mail); Ips (E-mail); 
> > David Black (E-mail); Elizabeth Rodriguez (E-mail); Allison 
> > Mankin (E-mail); Charles Monia; Joshua Tseng; Kevin Gibbons
> > Subject: RE: [dhcwg] Response to IESG comments on 
> > draft-ietf-dhc-isnsoption-08.txt
> > 
> > Hi:
> > 
> > I have incorporated Ralph's suggestion in revision 9 of the
> > spec, along with changes to reflect the other IESG comments.
> > This new version has been submitted to the IETF archive.
> > 
> > Pending the announcement of document availability from the 
> > archive, the spec can be obtained from 
> > ftp://ftp.nishansystems.com/outgoing/draft-ietf-dhc-isnsoption-09.pdf or
> > ftp://ftp.nishansystems.com/outgoing/draft-ietf-dhc-isnsoption-09.txt.
> > 
> > Markups visible in the PDF version show the text that was 
> > added or deleted.
> > 
> > Charles
> > > -----Original Message-----
> > > From: Ralph Droms [mailto:rdroms@cisco.com]
> > > Sent: Wednesday, August 27, 2003 3:09 AM
> > > To: Charles Monia
> > > Cc: Thomas Narten (E-mail); DHCP (E-mail); Ips (E-mail); 
> > > David Black (E-mail); Elizabeth Rodriguez (E-mail); Allison 
> > > Mankin (E-mail); Charles Monia; Joshua Tseng; Kevin Gibbons
> > > Subject: Re: [dhcwg] Response to IESG comments on 
> > > draft-ietf-dhc-isnsoption-08.txt
> > > 
> > > 
> > > Note that, because there are no implementations of RFC 3118
> > > today, and no plans by any important vendors to implement RFC 3118 in the
> > > future, making RFC 3118 authentication mandatory will effectively disallow
> > > any use of this option.
> > > 
> > > Perhaps we can modify this requirement to something like "use of RFC 3118
> > > is mandatory if it is available in the client and server".
> > > 
> > > - Ralph
> > > 
> > > At 03:37 PM 8/19/2003 -0700, Charles Monia wrote:
> > > 
> > > > > "Steven M. Bellovin" <smb@research.att.com> writes:
> > > >
> > > > > Is 3118 mandatory-to-implement or not?  I have a hard time
> > > > > understanding why it should be optional.
> > > >
> > > >We will revise the spec to make implementation of RFC 3118 mandatory.
> > > 
> > > _______________________________________________
> > > dhcwg mailing list
> > > dhcwg@ietf.org
> > > https://www1.ietf.org/mailman/listinfo/dhcwg

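The thread's point that, without RFC 3118, an in-transit change to the iSNS option goes unnoticed, as an added example (not code from the draft or from anyone on this thread): a model of RFC 3118 delayed authentication in which the client recomputes an HMAC-MD5 keyed with the shared secret and rejects a message whose iSNS server address changed after signing, or which carries no authentication option at all. The option layouts (option 90 per RFC 3118, iSNS option 83), the zeroed BOOTP fixed header, the key and the addresses are my assumptions and constructed values, not taken from the draft.

```python
import hashlib
import hmac
import struct

ISNS_OPTION, AUTH_OPTION, END_OPTION = 83, 90, 255   # option codes (RFC 4174 / RFC 3118, assumed)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER = bytes(236)   # constructed zeroed BOOTP header: hops and giaddr are 0 as RFC 3118 needs for the MAC
HMAC_LEN = 16

def isns_option(server_ipv4: str, security_bitmap: int = 0) -> bytes:
    # Option 83 body (assumed layout): iSNS Functions, DD Access, Administrative Flags
    # (2 bytes each), Server Security Bitmap (4 bytes), then iSNS server IPv4 address(es).
    body = struct.pack("!HHHI", 1, 0, 0, security_bitmap) + bytes(int(o) for o in server_ipv4.split("."))
    return bytes([ISNS_OPTION, len(body)]) + body

def auth_option(counter: int, secret_id: int, mac: bytes) -> bytes:
    # Option 90 delayed authentication (assumed layout): protocol 1, algorithm 1 (HMAC-MD5),
    # RDM 0, 8-byte monotonic replay-detection value, 4-byte secret ID, 16-byte HMAC-MD5.
    body = struct.pack("!BBBQI", 1, 1, 0, counter, secret_id) + mac
    return bytes([AUTH_OPTION, len(body)]) + body

def find_option(msg: bytes, code: int):
    # Walk the options area (no pad options in these constructed messages): (body_offset, body_len) or None.
    i = len(FIXED_HEADER) + len(MAGIC_COOKIE)
    while i < len(msg) and msg[i] != END_OPTION:
        if msg[i] == code:
            return i + 2, msg[i + 1]
        i += 2 + msg[i + 1]
    return None

def sign(isns_opt: bytes, counter: int, secret_id: int, key: bytes) -> bytes:
    # Server side: HMAC-MD5 over the whole message with the HMAC field itself still zero.
    msg = FIXED_HEADER + MAGIC_COOKIE + isns_opt + auth_option(counter, secret_id, bytes(HMAC_LEN)) + bytes([END_OPTION])
    off, length = find_option(msg, AUTH_OPTION)
    start = off + length - HMAC_LEN
    return msg[:start] + hmac.new(key, msg, hashlib.md5).digest() + msg[start + HMAC_LEN:]

def verify(msg: bytes, key: bytes) -> bool:
    # Client side. No option 90 means unauthenticated: reject, which is the thread's
    # advice for the iSNS option when DHCP authentication is unavailable.
    found = find_option(msg, AUTH_OPTION)
    if found is None:
        return False
    start = found[0] + found[1] - HMAC_LEN
    zeroed = msg[:start] + bytes(HMAC_LEN) + msg[start + HMAC_LEN:]
    return hmac.compare_digest(hmac.new(key, zeroed, hashlib.md5).digest(), msg[start:start + HMAC_LEN])

def with_server_address(msg: bytes, server_ipv4: str) -> bytes:
    # Test helper modelling the in-transit change the thread warns about: only the
    # iSNS server address (last 4 bytes of option 83) differs from the signed message.
    off, length = find_option(msg, ISNS_OPTION)
    return msg[:off + length - 4] + bytes(int(o) for o in server_ipv4.split(".")) + msg[off + length:]
```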