IETF Logo Mail Archive

Re: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"

Francis Dupont <Francis.Dupont@enst-bretagne.fr> Thu, 15 December 2005 09:40 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmpbE-0001AC-Ma; Thu, 15 Dec 2005 04:40:32 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmpbA-00016h-St for dhcwg@megatron.ietf.org; Thu, 15 Dec 2005 04:40:30 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA09456 for <dhcwg@ietf.org>; Thu, 15 Dec 2005 04:39:14 -0500 (EST)
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EmpcH-0001nS-Cp for dhcwg@ietf.org; Thu, 15 Dec 2005 04:41:38 -0500
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id jBF9dnh29084; Thu, 15 Dec 2005 10:39:49 +0100
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.13.1/8.13.1) with ESMTP id jBF9dmOa026023; Thu, 15 Dec 2005 10:39:49 +0100 (CET) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200512150939.jBF9dmOa026023@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: CTO YAN Renxiang <Renxiang.Yan@alcatel-sbell.com.cn>
Subject: Re: [dhcwg] dhc WG last call on "Domain Suffix Option for DHCPv6"
In-reply-to: Your message of Thu, 15 Dec 2005 16:18:43 +0800. <9570C1261494D54D9D3115BC2C83429AA2F6BA@asbmail2.sbell.com.cn>
Date: Thu, 15 Dec 2005 10:39:48 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Cc: dhcwg@ietf.org, volz@cisco.com
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

 In your previous mail you wrote:

   I am still wondering about the issue of security. I want to say some
   extra words to clarify.

   Suppose a case where some home devices connecte to access network
   through a home gateway, and home gateway includes an embedding DHCP
   server, DNS server, and DHCP client (which used to get IPv6 prefix and
   "domain suffix" from access gateway, i.e. BRAS).

=> you should split the update issue into direct tree and reverse
tree updates:
 - for the direct tree there is no need at all to use a "domain
   suffix" related to the ISP, so the home network can (should!) be
   made autonomous and obviously the DHPC client on the home gateway
   can only use the "domain prefix" for the name of its interface to
   the ISP... a very marginal issue.
 - for the reverse tree its base can be derived from the delegated
   prefix so I don't understand what is the "domain suffix" for
   in this context.
So I can't see any security issue.

   The DNS update security issues may exist in the following procedures:
   
   (1) DHCP server in home gateway perform DNS update to local DNS server

=> what is the local DNS server?

   for home devices using FQDNv6 option. The security issues has been
   mentioned in FQDNv6 option, as follows,
     
      Unauthenticated updates to the DNS can lead to tremendous confusion,
      through malicious attack or through inadvertent misconfiguration.
      Administrators should be wary of permitting unsecured DNS updates to
      zones which are exposed to the global Internet.  Both DHCPv6 clients
      and servers SHOULD use some form of update request origin
      authentication procedure (e.g., Secure DNS Dynamic Update [10]) when
      performing DNS updates.
   
=> but the FQDNv6 option has nothing to do with dynamic DNS updates
so this text should be removed.

   (2) In order to "link" two DNS server, home gateway's DNS server and
   Up-level DNS server,

=> why do you want to link them? Delegation of prefixes and delegation
of direct domains have only in common the word "delegation"!

   home gateway need to perform DNS update to up-level
   DNS server by adding a NS record in it. There DOES exist security issue
   here. This can be solved using different way. I prefer it piggybacked by
   DHCP session between home gateway and access node, beacuse DHCP session
   is secure, home gateway should be authenticated before (or along with)
   initating DHCP session.
   
=> two (other) comments:
 - you can't create a zone with a dynamic DNS update
 - DHCP is not the right tool to perform any authentication in this
   context, the authentication is done by the NAS and DHCP relies on this
   using a mix of:
    draft-ietf-dhc-v6-relay-radius-01.txt
    draft-salowey-radext-delegated-prefix-01.txt
    draft-droms-dhc-dhcpv6-agentopt-delegate-00.txt

Regards

Francis.Dupont@enst-bretagne.fr

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email