RE: [dhcwg] WG last call on draft-ietf-dhc-relay-agent-auth-00
"Woundy, Richard" <Richard_Woundy@cable.comcast.com> Mon, 12 May 2003 02:48 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA17819 for <dhcwg-archive@odin.ietf.org>; Sun, 11 May 2003 22:48:13 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4C2DXk04385 for dhcwg-archive@odin.ietf.org; Sun, 11 May 2003 22:13:33 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4C2DWB04382 for <dhcwg-web-archive@optimus.ietf.org>; Sun, 11 May 2003 22:13:33 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA17808 for <dhcwg-web-archive@ietf.org>; Sun, 11 May 2003 22:47:43 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19F3Nl-0004AH-00 for dhcwg-web-archive@ietf.org; Sun, 11 May 2003 22:49:41 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19F3Nl-0004AD-00 for dhcwg-web-archive@ietf.org; Sun, 11 May 2003 22:49:41 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4C2BvB04335; Sun, 11 May 2003 22:11:57 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4C28eB04256 for <dhcwg@optimus.ietf.org>; Sun, 11 May 2003 22:08:40 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA17738 for <dhcwg@ietf.org>; Sun, 11 May 2003 22:42:50 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19F3J3-00049L-00 for dhcwg@ietf.org; Sun, 11 May 2003 22:44:49 -0400
Received: from coral.tci.com ([198.178.8.81] helo=peacock.tci.com) by ietf-mx with esmtp (Exim 4.12) id 19F3J2-00049E-00 for dhcwg@ietf.org; Sun, 11 May 2003 22:44:48 -0400
Received: from mms01-relayb.tci.com (mms01-relayb.broadband.att.com [147.191.90.1]) by peacock.tci.com (8.12.9/8.12.9) with ESMTP id h4C2jDPa018111; Sun, 11 May 2003 20:45:13 -0600 (MDT)
Received: from 147.191.90.10 by mms01-relayb.tci.com with ESMTP ( Tumbleweed MMS SMTP Relay (MMS v5.5.0)); Sun, 11 May 2003 20:45:02 -0600
Received: by entexchimc03.broadband.att.com with Internet Mail Service ( 5.5.2653.19) id <J5CAZC04>; Sun, 11 May 2003 20:43:04 -0600
Message-ID: <6732623D2548D61193C90002A5C88DCC0855141C@entmaexch02.broadband.att.com>
From: "Woundy, Richard" <Richard_Woundy@cable.comcast.com>
To: Ralph Droms <rdroms@cisco.com>
cc: dhcwg@ietf.org
Subject: RE: [dhcwg] WG last call on draft-ietf-dhc-relay-agent-auth-00
Date: Sun, 11 May 2003 20:44:35 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-WSS-ID: 12A1D5244750458-01-01
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Ralph, I generally support this document. But here are some specific comments on the current draft. - The Abstract should refer to IPsec per RFC 2401, not RFC 2041. Also, shouldn't RFC 2401 be included as a normative reference? - Section 5 explains the use of IPsec ESP. It would seems that a normative reference to RFC 2406, "IP Encapsulating Security Payload (ESP)", would be in order. That means that this draft's requirement that "Packet authentication MUST be applied" implies a requirement to support "HMAC with MD5" and "HMAC with SHA-1" per section 5 of RFC 2406. Is that intended? - Some updates may be needed in the "Authors' Addresses" section. ;^) - This might not be a critical flaw, but... only the HMAC-MD5 algorithm is defined for the Relay Agent Option Authentication Sub-option. I notice that in several other IETF contexts (IPsec AH, RFC 2402; IPsec ESP, RFC 2406; SNMPv3 USM, RFC 3414; TLS, RFC 2246), the HMAC-SHA1 keyed hash is also leveraged. The following text from RFC 2104 may help explain why: Note: To the date of writing of this document MD5 and SHA-1 are the most widely used cryptographic hash functions. MD5 has been recently shown to be vulnerable to collision search attacks [Dobb]. This attack and other currently known weaknesses of MD5 do not compromise the use of MD5 within HMAC as specified in this document (see [Dobb]); however, SHA-1 appears to be a cryptographically stronger function. To this date, MD5 can be considered for use in HMAC for applications where the superior performance of MD5 is critical. Note that RFC 2747, "RSVP Cryptographic Authentication", is a good counter-example in that it only defines HMAC-MD5 for the INTEGRITY object, but explains its rationale in section 1 if its RFC. Another counter-example is RFC 2845, "Secret Key Transaction Authentication for DNS (TSIG)" -- but also see <http://www.ietf.org/internet-drafts/draft-eastlake-tsig-sha-01.txt>. -- Rich -----Original Message----- From: Ralph Droms [mailto:rdroms@cisco.com] Sent: Wednesday, April 30, 2003 12:03 PM To: dhcwg@ietf.org Subject: [dhcwg] WG last call on draft-ietf-dhc-relay-agent-auth-00 This message announces a WG last call on "The Authentication Suboption for the DHCP Relay Agent Option" <draft-ietf-dhc-relay-agent-auth-00>. The last call will conclude on Friday, May 16. Please respond to this WG last call. If you support acceptance of the document without change, respond with a simple acknowledgment, so that support for the document can be assessed. This specification defines two mechanisms for securing the messages exchanged between a relay agent and a server. The first mechanism defines a new authentication suboption for the Relay Agent Information Option that supports source entity authentication and data integrity for relayed DHCP messages. The authentication suboption contains a cryptographic signature in a payload derived from the option used in DHCP Authentication (RFC 3118). The second mechanism uses IPsec (RFC 2041) to protect messages exchanged between relay agents and servers. This document is being considered for publication as Informational, and is available as http://www.ietf.org/internet-drafts/draft-ietf-dhc-relay-agent-auth-00.txt - Ralph Droms _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] WG last call on draft-ietf-dhc-relay-agen… Ralph Droms
- Re: [dhcwg] WG last call on draft-ietf-dhc-relay-… John Schnizlein
- RE: [dhcwg] WG last call on draft-ietf-dhc-relay-… Woundy, Richard