Re: [dhcwg] Fw:New Version Notification for draft-li-dhc-secure-dhcpv6-deployment-00.txt
Lishan Li <lilishan48@gmail.com> Fri, 16 October 2015 15:25 UTC
To: 神明達哉 <jinmei@wide.ad.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/scpQPVdhMV614RxkI1FOqbi7q-s>
Cc: dhcwg <dhcwg@ietf.org>

Dear Jinmei,

Thanks very much for your review. Please see inline.

Best Regards,
Lishan

2015-10-16 2:45 GMT+08:00 神明達哉 <jinmei@wide.ad.jp>:

> At Wed, 14 Oct 2015 22:38:49 +0800,
> Lishan Li <lilishan48@gmail.com> wrote:
>
> > We have submitted a new draft draft-li-dhc-secure-dhcpv6-deployment-00.
> > This draft analyzes the DHCPv6 threat model, various key management schemes
> > for secure DHCPv6 mechanisms deployment, and recommends the opportunistic
> > security for DHCPv6.
> > Could you please review the draft and any comments are welcome.
>
> (making a couple of notes I happened to notice from a quick glance.
> It's not a complete review).

[LS]: Your comments are valuable to the draft improvement. Looking forward to your complete review.

> In section 4 it states:
>
>    TOFU MAY play a role in the scenario where the DHCPv6 client is
>    mobile and connects to random networks such as public coffee shops.
>
> It's surprising to me that the coffee shop scenario is referenced as a
> case for TOFU several times (at least once in a sedhcpv6 discussion,
> and now in this draft). I'd say it's very naive to assume it can be safe
> on first use in such a random network with random other users.

[LS]: I agree with you. In my opinion, the coffee shop is the scenario where the security policy is loss. In this scenario, it is difficult for the client to verify the server's identity without the pre-configured authentication information. In section 5, for this type of scenario where the security policy is loss, we recommend the non-authenticated encryption. The server authentication is optional in order not to impede the following DHCPv6 communication.

> In section 5:
>
>    In the scenario where the security policy is loss, the DHCPv6 server
>    MAY NOT be preconfigured the authentication information, such as the
>
> I suspect you meant 'MUST NOT' instead of 'MAY NOT'.

[LS]: Thanks for your correction. It should be "MUST NOT". We will correct it in the next version.

Thanks,
Lishan