Re: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Thu, 15 December 2005 09:40 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmpbE-0001AC-Ma; Thu, 15 Dec 2005 04:40:32 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmpbA-00016h-St for dhcwg@megatron.ietf.org; Thu, 15 Dec 2005 04:40:30 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA09456 for <dhcwg@ietf.org>; Thu, 15 Dec 2005 04:39:14 -0500 (EST)
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EmpcH-0001nS-Cp for dhcwg@ietf.org; Thu, 15 Dec 2005 04:41:38 -0500
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id jBF9dnh29084; Thu, 15 Dec 2005 10:39:49 +0100
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.13.1/8.13.1) with ESMTP id jBF9dmOa026023; Thu, 15 Dec 2005 10:39:49 +0100 (CET) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200512150939.jBF9dmOa026023@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: CTO YAN Renxiang <Renxiang.Yan@alcatel-sbell.com.cn>
Subject: Re: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"
In-reply-to: Your message of Thu, 15 Dec 2005 16:18:43 +0800. <9570C1261494D54D9D3115BC2C83429AA2F6BA@asbmail2.sbell.com.cn>
Date: Thu, 15 Dec 2005 10:39:48 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Cc: dhcwg@ietf.org, volz@cisco.com
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
In your previous mail you wrote: I am still wondering about the issue of security. I want to say some extra words to clarify. Suppose a case where some home devices connecte to access network through a home gateway, and home gateway includes an embedding DHCP server, DNS server, and DHCP client (which used to get IPv6 prefix and "domain suffix" from access gateway, i.e. BRAS). => you should split the update issue into direct tree and reverse tree updates: - for the direct tree there is no need at all to use a "domain suffix" related to the ISP, so the home network can (should!) be made autonomous and obviously the DHPC client on the home gateway can only use the "domain prefix" for the name of its interface to the ISP... a very marginal issue. - for the reverse tree its base can be derived from the delegated prefix so I don't understand what is the "domain suffix" for in this context. So I can't see any security issue. The DNS update security issues may exist in the following procedures: (1) DHCP server in home gateway perform DNS update to local DNS server => what is the local DNS server? for home devices using FQDNv6 option. The security issues has been mentioned in FQDNv6 option, as follows, Unauthenticated updates to the DNS can lead to tremendous confusion, through malicious attack or through inadvertent misconfiguration. Administrators should be wary of permitting unsecured DNS updates to zones which are exposed to the global Internet. Both DHCPv6 clients and servers SHOULD use some form of update request origin authentication procedure (e.g., Secure DNS Dynamic Update [10]) when performing DNS updates. => but the FQDNv6 option has nothing to do with dynamic DNS updates so this text should be removed. (2) In order to "link" two DNS server, home gateway's DNS server and Up-level DNS server, => why do you want to link them? Delegation of prefixes and delegation of direct domains have only in common the word "delegation"! home gateway need to perform DNS update to up-level DNS server by adding a NS record in it. There DOES exist security issue here. This can be solved using different way. I prefer it piggybacked by DHCP session between home gateway and access node, beacuse DHCP session is secure, home gateway should be authenticated before (or along with) initating DHCP session. => two (other) comments: - you can't create a zone with a dynamic DNS update - DHCP is not the right tool to perform any authentication in this context, the authentication is done by the NAS and DHCP relies on this using a mix of: draft-ietf-dhc-v6-relay-radius-01.txt draft-salowey-radext-delegated-prefix-01.txt draft-droms-dhc-dhcpv6-agentopt-delegate-00.txt Regards Francis.Dupont@enst-bretagne.fr _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] dhc WG last call on "Domain Suffix Option… Stig Venaas
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Francis Dupont
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Stig Venaas
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- [dhcwg] dhc WG last call on "Domain Suffix Option… Stig Venaas
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Ted Lemon
- RE: [dhcwg] dhc WG last call on "Domain Suffix Op… Bernie Volz (volz)
- re: [dhcwg] dhc WG last call on "Domain Suffix Op… CTO YAN Renxiang
- Re: [dhcwg] dhc WG last call on "Domain Suffix Op… Stig Venaas