Re: [dhcwg] Re: [ntpwg] Network Time Protocol (NTP) Options for DHCPv6

Ralph Droms <rdroms@cisco.com> Fri, 16 November 2007 04:32 UTC

From: Ralph Droms <rdroms@cisco.com>
Subject: Re: [dhcwg] Re: [ntpwg] Network Time Protocol (NTP) Options for DHCPv6
Date: Thu, 15 Nov 2007 23:32:05 -0500
To: Danny Mayer <mayer@ntp.org>
Cc: ntpwg@lists.ntp.org, dhcwg@ietf.org, Brian Utterback <Brian.Utterback@Sun.COM>, "Richard Gayraud ((rgayraud))" <rgayraud@cisco.com>, "David L. Mills" <mills@udel.edu>

DHCPv6 does not use IPSEC between the client and the server. Rather,
it uses a shared key for authentication and message verification.

It is possible to use IPSEC between a relay agent and a server.

- Ralph

On Nov 15, 2007, at 11:26 PM, Danny Mayer wrote:

> Brian Utterback wrote:
>> Interesting. I agree that a key needs to be specified somehow, but it
>> is not clear to me how to do it. We have to assume that the client
>> does not have the same NTP keys. However, we would like a way to
>> specify a server and keys securely, so that the security of the
>> network depends only on the security of DHCP. Again I am not up to
>> date, *is* there a secure DHCP? If so, then how to get keys to the
>> clients becomes an issue.
>
> DHCPv6 uses IPSEC for security. However, as I pointed out in my own
> response, if you are provisioning an NTP server then it means that NTP
> is not running at the time and any security that requires reasonably
> close timestamps at both ends is likely to fail.
>
> Danny
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www1.ietf.org/mailman/listinfo/dhcwg
