Re: [dhcwg] AD review of draft-ietf-dhc-relay-agent-auth-01.txt

Thomas Narten <narten@us.ibm.com> Fri, 27 June 2003 20:19 UTC

Message-Id: <200306272003.h5RK34Rk004698@rotala.raleigh.ibm.com>
To: Ralph Droms <rdroms@cisco.com>
cc: mjs@cisco.com, dhcwg@ietf.org
Subject: Re: [dhcwg] AD review of draft-ietf-dhc-relay-agent-auth-01.txt
In-Reply-To: Message from rdroms@cisco.com of "Fri, 27 Jun 2003 14:38:12 EDT." <4.3.2.7.2.20030625173824.00bbd0f8@funnel.cisco.com>
Date: Fri, 27 Jun 2003 16:03:04 -0400
From: Thomas Narten <narten@us.ibm.com>

Hi Ralph.

> The two techniques in this document both address the same
> problem: the authentication of messages exchanged between
> DHCP relay agents and DHCP servers.

Yes. But the solutions are very different, and will likely be
implemented by different people or as different products. I.e., the
IPsec part will require help from the platform on which the server
runs, as opposed to being part of the DHC package. In fact, it may be
implementable without touching the DHC server at all.

Another thing, when vendors say "we've implemented RFC XX", will that
mean the IPsec technique, or the relay agent option, or both? Having
both in the same document will likely be a bit more confusing.

> The title of the document should, perhaps, read "Authentication of
> DHCP Messages Exchanged Between Relay Agents and Servers".  The two
> techniques for authentication are described in a single document
> because they are applicable in different scenarios.

If both were likely to be implemented together, I'd not have an issue
with this. But I suspect this won't be the case.

> Prior to the last dhc WG meeting, you had asked for a comparison
> of the two techniques, which John Schnizlein published on the
> dhc WG mailing list.  Based on that comparison, the consensus
> of the WG was that the two techniques should be advanced
> together, because neither was appropriate for all operational
> scenarios.

I have no problem with this.

> At the dhc WG meeting in San Francisco we agreed
> to advance the two techniques in a single document.

I guess I wasn't paying attention during this part of the
conversation, and am suggesting that keeping them in separate
documents would be preferable.

> The description of the use of IPsec for authentication was copied
> from an earlier draft of the DHCPv6 specification.  The text in
> draft-ietf-dhc-relay-agent-auth-01.txt is the same as in the version
> of the DHCPv6 specification that has been accepted as a Proposed
> Standard.  The more detailed list of rules in the DHCPv6
> specification will be used as the basis to provide additional detail
> in this document.

Fair enough. For background, I was also partly reflecting a private
comment Bellovin made a while back when I pointed him to the
document. He said it was "thin" (or some such) and would probably need
more detail. But he didn't provide specifics. It's also the case that
in the IESG, we've seen a number of documents that for security say
"just use IPsec". But in practice, the details can sometimes be tricky
if you really want interoperability. E.g., there is a whole document
on the topic for L2tp (RFC 3193). And MIPv6 also has a separate
document (draft-ietf-mobileip-mipv6-ha-ipsec-03.html). In any case, I
think we probably agree that there are fairly few words. If folk from
the IPsec community think that is all that is needed, great. But we
haven't seen such a review yet, AFAIK.

Thomas

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg