Re: [dhcwg] AD review of draft-ietf-dhc-relay-agent-auth-01.txt
Thomas Narten <narten@us.ibm.com> Fri, 27 June 2003 20:19 UTC
Message-Id: <200306272003.h5RK34Rk004698@rotala.raleigh.ibm.com>
To: Ralph Droms <rdroms@cisco.com>
cc: mjs@cisco.com, dhcwg@ietf.org
Subject: Re: [dhcwg] AD review of draft-ietf-dhc-relay-agent-auth-01.txt
In-Reply-To: Message from rdroms@cisco.com of "Fri, 27 Jun 2003 14:38:12 EDT." <4.3.2.7.2.20030625173824.00bbd0f8@funnel.cisco.com>
Date: Fri, 27 Jun 2003 16:03:04 -0400
From: Thomas Narten <narten@us.ibm.com>
Hi Ralph.

> The two techniques in this document both address the same
> problem: the authentication of messages exchanged between
> DHCP relay agents and DHCP servers.

Yes. But the solutions are very different, and will likely be implemented by different people or as different products. I.e., the IPsec part will require help from the platform on which the server runs, as opposed to being part of the DHC package. In fact, it may be implementable without touching the DHC server at all.

Another thing, when vendors say "we've implemented RFC XX", will that mean the IPsec technique, or the relay agent option, or both? Having both in the same document will likely be a bit more confusing.

> The title of the document should, perhaps, read "Authentication of
> DHCP Message Exchanged Between Relay Agents and Servers". The two
> techniques for authentication are described in a single document
> because they are applicable in different scenarios.

If both were likely to be implemented together, I'd not have an issue with this. But I suspect this won't be the case.

> Prior to the last dhc WG meeting, you had asked for a comparison
> of the two techniques, which John Schnizlein published on the
> dhc WG mailing list. Based on that comparison, the consensus
> of the WG was that the two techniques should be advanced
> together, because neither was appropriate for all operational
> scenarios.

I have no problem with this.

> At the dhc WG meeting in San Francisco we agreed
> to advance the two techniques in a single document.

I guess I wasn't paying attention during this part of the conversation, and am suggesting that keeping them in separate documents would be preferable.

> The description of the use of IPsec for authentication was copied
> from an earlier draft of the DHCPv6 specification. The text in
> draft-ietf-dhc-relay-agent-auth-01.txt is the same as in the version
> of the DHCPv6 specification that has been accepted as a Proposed
> Standard. The more detailed list of rules in the DHCPv6
> specification will be used as the basis to provide additional detail
> in this document.

Fair enough. For background, I was also partly reflecting a private comment Bellovin made a while back when I pointed him to the document. He said it was "thin" (or some such) and would probably need more detail. But he didn't provide specifics.

It's also the case that in the IESG, we've seen a number of documents that for security say "just use IPsec". But in practice, the details can sometimes be tricky if you really want interoperability. E.g., there is a whole document on the topic for L2TP (RFC 3193). And MIPv6 also has a separate document (draft-ietf-mobileip-mipv6-ha-ipsec-03.html).

In any case, I think we probably agree that there are fairly few words. If folk from the IPsec community think that is all that is needed, great. But we haven't seen such a review yet, AFAIK.

Thomas
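To make concrete what "just use IPsec" leaves open for an implementer, the following is an added example, not text from draft-ietf-dhc-relay-agent-auth-01 or from any DHCP implementation: a manually keyed IPsec configuration for the relay-agent side, in the setkey(8) policy syntax of the KAME/Linux IPsec stack. The addresses (192.0.2.10 for the relay, 192.0.2.20 for the server), SPIs and keys are placeholders constructed for the example; the choice of ESP in transport mode, UDP port 67 as the selector and manual keying is one possible reading of the short IPsec text, not something the draft itself pins down. Each line is a decision that two independent implementations have to make the same way before they interoperate.

```conf
#!/usr/sbin/setkey -f
# Added example: relay-agent side, manually keyed ESP between
# a DHCPv4 relay agent (192.0.2.10) and a DHCP server (192.0.2.20).
# All addresses, SPIs and keys are constructed placeholders.
flush;
spdflush;

# Security associations, one per direction. Decisions made here that
# the prose "use IPsec" does not settle: ESP vs. AH, transport vs.
# tunnel mode, cipher and integrity algorithms, key lengths, and
# how SPIs and keys are agreed (here: by hand, so no automatic
# rekeying and no IKE-negotiated replay window).
# relay -> server
add 192.0.2.10 192.0.2.20 esp 0x201 -m transport
    -E aes-cbc  0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x00112233445566778899aabbccddeeff00112233;
# server -> relay
add 192.0.2.20 192.0.2.10 esp 0x301 -m transport
    -E aes-cbc  0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0xffeeddccbbaa99887766554433221100ffeeddcc;

# Security policy: which traffic MUST be protected. A relay agent
# sends to the server's port 67 from its own port 67 (RFC 2131), so
# the selector is UDP 67 <-> 67 between the two addresses. "require"
# means unprotected DHCP from 192.0.2.20 is dropped rather than
# accepted in the clear, which is the property the authentication
# is meant to provide.
spdadd 192.0.2.10[67] 192.0.2.20[67] udp -P out ipsec
    esp/transport//require;
spdadd 192.0.2.20[67] 192.0.2.10[67] udp -P in  ipsec
    esp/transport//require;
```

The server needs the mirror image of this file (same SAs, `in`/`out` swapped) for every relay agent it accepts messages from, which is where the operational difference between the two techniques shows up: the IPsec policy lives in the host's IPsec stack and enumerates relay addresses, while the relay agent option approach keeps the key material inside the DHCP server. Client-to-relay traffic is deliberately not covered by these selectors, since the draft only addresses the relay-to-server hop.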