IETF Logo Mail Archive

Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18

神明達哉 <jinmei@wide.ad.jp> Fri, 09 May 2014 18:39 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D5F1A0099 for <dhcwg@ietfa.amsl.com>; Fri, 9 May 2014 11:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uqBPMOm2XQaW for <dhcwg@ietfa.amsl.com>; Fri, 9 May 2014 11:39:35 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA541A00B0 for <dhcwg@ietf.org>; Fri, 9 May 2014 11:39:34 -0700 (PDT)
Received: by mail-wi0-f182.google.com with SMTP id r20so1787289wiv.3 for <dhcwg@ietf.org>; Fri, 09 May 2014 11:39:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=XtA6z8W6tOZxjDlSskkFZ6krq13SXo5UobxBagpWUTc=; b=aLc74oQCtJSeJTnr7IhNcoC9CTaqKVzxn6MhNsTihct5x7blrbxgo0ZIzMzZlb98Mj LXFGj+fmLr6mHdONz8LN1vIYF41KkJZs7qtTucPiAykL58zdGpSCsi0HcM/606XXJF/x nTn31o8pYiMZKFPjhRSXWAsDDZjLQlHPJAR2pj/74ph58YSQccFCXGfPXKaPyYOFYHmf AFq/c5PQkMgkvcjaN8Q70it6EhntuNDrqoayFMCcnSOOJShwfRw3NeYKzVMZ71EAuEhc xXKKlc2AaMFbobfZvudFGTlgo3CM/4SVzP+FSUnAOoitpUePrexKYL3VTN0ZKCQQk2au j1yg==
MIME-Version: 1.0
X-Received: by 10.194.242.66 with SMTP id wo2mr4509730wjc.37.1399660769615; Fri, 09 May 2014 11:39:29 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.95.5 with HTTP; Fri, 9 May 2014 11:39:29 -0700 (PDT)
In-Reply-To: <5D53E8BB-F692-4752-A1B2-9BB09747C58B@nominum.com>
References: <535FEDAD.5010103@gmail.com> <CAJE_bqen37j5UCsKZj6syVyvk2Xed4V_xGp-t4xY8shjmS+H5g@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AE43272@nkgeml512-mbx.china.huawei.com> <CAJE_bqe75D7oRJq=XmjPR9Dfvu3-AcL8kF9Pkm3JEOVsyxhr5A@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AE442FD@nkgeml512-mbx.china.huawei.com> <CAJE_bqc+Z8awb5773OLs8QtXuCRxYCWFRAKuQ9YP8anFwEQqsQ@mail.gmail.com> <5D53E8BB-F692-4752-A1B2-9BB09747C58B@nominum.com>
Date: Fri, 09 May 2014 11:39:29 -0700
X-Google-Sender-Auth: YYKB-IegiNyXF57h-kGpZIbTKlE
Message-ID: <CAJE_bqeNNW1=dSnj4f=t7Fx9waG81cDeHdcikqk0ECUoLvgVzQ@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Ted Lemon <ted.lemon@nominum.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/oOkimr5FqmtS1dHVnRxw5pYO4GA
Cc: dhcwg <dhcwg@ietf.org>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 May 2014 18:39:36 -0000

At Thu, 8 May 2014 13:30:01 -0500,
Ted Lemon <ted.lemon@nominum.com> wrote:

> >>> - whether we really need (public key) authentication in that
> >>> direction, and if we do, why
>
> Public key authentication makes sense in both directions.   Servers
> may be configured to grant different access to clients that
> authenticate than to clients that don't.  Clients may have lists of

Okay, I can see that usage.

> servers that either are known to be legitimate, or that are known to
> have worked in the past (leap of faith).   Being able to
> discriminate between a good server and a rogue server using this
> mechanism is desirable.

I have no problem with this either.

My main concern is the combination of authenticating clients with the
leap of faith model.  This model isn't suitable for the "grant
different access" usage, since anyone can pretend to be an
authenticated client with that model.

> >>> - also if we do, what's the commonly expected model of "trust anchor":
> >>> leap of faith or use of CA or something else, and if it's more
> >>> likely to be a weaker model like leap of faith (I suspect so, for
> >>> the direction of clients to servers), whether the motivation (1st
> >>> bullet) is worth the weaker security
>
> This seems to be out of scope for the current document, which just specifies a mechanism for authenticating transactions given that a key is known.   It's possible that this needs to be stated more clearly.   The reason (IMHO) why it's out of scope is that there are a variety of mechanisms that might make sense and that could be implemented.

I'm okay with separating such discussions outside of this document.
But then I'd personally like to see a "threat analysis" document
first (covering these points), not the other way around.  As a
believer of the YAGNI principle, I personally cannot be so
enthusiastic about defining/implementing something that just *might*
make sense somewhere.  Especially so, if we need to worry about a
security impact as mentioned in the security considerations section of
the draft.

> For instance, a DHCP server might give an unknown client an address in a walled garden where it could arrange to pay for service, and then its key would be known to the DHCP server and could be used to authenticate service in the future without requiring registration.

I'm impressed with your imagination:-) Although I'm not sure if this
example is persuasive enough, I see we can come up with some
*possible* usage of client authentication with leap of faith.

> >>> - and, if it's more likely to rely on leap of faith, what kind of
> >>> consideration is needed
>
> You mean in terms of risk assessments?

Considerations like the possibility of resource exhaustion attacks as
mentioned in Section 7 of the draft.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email