IETF Logo Mail Archive

Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18

神明達哉 <jinmei@wide.ad.jp> Mon, 12 May 2014 17:12 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47EC41A0733 for <dhcwg@ietfa.amsl.com>; Mon, 12 May 2014 10:12:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lBvvK7ENSegX for <dhcwg@ietfa.amsl.com>; Mon, 12 May 2014 10:11:55 -0700 (PDT)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 5FBE71A0741 for <dhcwg@ietf.org>; Mon, 12 May 2014 10:11:54 -0700 (PDT)
Received: by mail-we0-f174.google.com with SMTP id k48so7063174wev.5 for <dhcwg@ietf.org>; Mon, 12 May 2014 10:11:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=rHCmto7TQG0K9lPTB1JS2w9gY+NECUdjiO1QufqU5Kc=; b=HT3g634dh0eP1IVFj3zLZ28Py5LgqV9wmgO655IPBHlSrsr6SLbDDgy3xos4B7Ez8w nEuQAqWbEgwkVcbKMitUrpNMwhspXs3aD7nAx0H5eUdTzI0nN1U3l+pODo/UiqzfJEYH 36XCKxUE1O+QT22J01ihJsbwHmRYF0obg+nF+6YsiOztmzORy30pB6k9VrPT7tdfO2Rp XwekSHwAXySj/FBnn+lJK8a2SuVWPhuN9CNSvE5ByTOgjRb6wSv+whc84ibtCofItpx7 oS07x/GAziO6R0S4Ti8+u+znsg6beaZj8nbmmT2SNOpTB7jZwxwwpjC5BPeLIgBlNJ44 MioA==
MIME-Version: 1.0
X-Received: by 10.195.17.169 with SMTP id gf9mr993860wjd.10.1399914707782; Mon, 12 May 2014 10:11:47 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.222.9 with HTTP; Mon, 12 May 2014 10:11:47 -0700 (PDT)
In-Reply-To: <86DAC0E6-BC1A-4247-9AD1-C13DA01F170D@nominum.com>
References: <535FEDAD.5010103@gmail.com> <CAJE_bqen37j5UCsKZj6syVyvk2Xed4V_xGp-t4xY8shjmS+H5g@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AE43272@nkgeml512-mbx.china.huawei.com> <CAJE_bqe75D7oRJq=XmjPR9Dfvu3-AcL8kF9Pkm3JEOVsyxhr5A@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AE442FD@nkgeml512-mbx.china.huawei.com> <CAJE_bqc+Z8awb5773OLs8QtXuCRxYCWFRAKuQ9YP8anFwEQqsQ@mail.gmail.com> <5D53E8BB-F692-4752-A1B2-9BB09747C58B@nominum.com> <CAJE_bqeNNW1=dSnj4f=t7Fx9waG81cDeHdcikqk0ECUoLvgVzQ@mail.gmail.com> <86DAC0E6-BC1A-4247-9AD1-C13DA01F170D@nominum.com>
Date: Mon, 12 May 2014 10:11:47 -0700
X-Google-Sender-Auth: rUGWd1W7xDwr0XNyqxp4TUOLAzw
Message-ID: <CAJE_bqfnOhziaiOzf89gFK3vy_bC+SSWqUFwtLqusNtRRiyFkg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Ted Lemon <ted.lemon@nominum.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/pz698qvju6I6XEx0WpD46rWyQGE
Cc: dhcwg <dhcwg@ietf.org>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 17:12:00 -0000

At Fri, 9 May 2014 18:44:57 -0400,
Ted Lemon <ted.lemon@nominum.com> wrote:

> > My main concern is the combination of authenticating clients with the
> > leap of faith model. [...]
>
> You are right--I don't think there is a use case for leap-of-faith with clients.

Okay.

> > I'm okay with separating such discussions outside of this document.
> > But then I'd personally like to see a "threat analysis" document
> > first (covering these points), not the other way around. [...]
>
> We are in the awkward situation that lots of DHCP people already know what the threat models are, although I think you are correct that they have not been clearly articulated in a threat analysis document.   I think such a document would be a good idea.   However, I'm reluctant to delay this document on that basis.   It might make sense to do so, but I will leave that up to the working group to debate.

I don't want to be a blocker for this document because of this,
either.  If the rest of the wg thinks this is sufficiently
substantial, that's fine; if not, but it's actually to be considered,
hopefully a security AD will raise a concern at the time the IESG
review; and if that's not even the case, presumably my point is not
really that important.  I'm okay with any of these possibilities.

With noting this, if I may make a specific suggestion for the draft:

- provide some specific common use cases of server authentication and
  client authentication
- provide considerations on the applicability of the leap of faith
  model for these cases.  in particular, note that there is no known
  use case for client authentication with leap of faith

These can go to the introduction or a small separate section.  And, I
believe these can be sufficiently concise to fit in the protocol
document without breaking its scope too much (and I think it's a
reasonable compromise if we don't want to delay this document for a
more formal threat analysis).

On top of these, I'd even say: client authentication with leap of
faith SHOULD NOT be used until a clear use case is identified.

And, for the security considerations section on the resource
exhaustion attacks I'd revise it so it will:

- note that as long as the above 'SHOULD NOT' is honored this should
  be less concerned because this "attack" is much less
  likely/realistic on clients.  (in other words, this is another
  reason why we should discourage the use of client authentication
  with leap of faith)

> > Considerations like the possibility of resource exhaustion attacks as
> > mentioned in Section 7 of the draft.
>
> Leap-of-faith typically involves some kind of act of faith before trusting a key.   E.g., with ssh, that's the user saying "yes, go ahead."   I don't think you could do a resource exhaustion attack in this situation.

True, but this type of "act of faith" is not very feasible for servers
since it requires human intervention (ssh itself is a proof of this).
In the case of DHCP servers, I'm actually still not sure if this is a
real threat (because they should already manage other types of
possibly stale client related resources), but if we still consider
this as a security matter, we need something else than the ssh kind of
"act of faith".  My suggestion above is one such thing.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email