Re: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Ted Lemon <Ted.Lemon@nominum.com> Sat, 21 January 2006 03:39 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F09au-0003Hk-Iu; Fri, 20 Jan 2006 22:39:16 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F09as-0003Hc-QH; Fri, 20 Jan 2006 22:39:14 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA26174; Fri, 20 Jan 2006 22:37:46 -0500 (EST)
Received: from toccata.fugue.com ([204.152.186.142]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F09jh-0001Ok-Um; Fri, 20 Jan 2006 22:48:24 -0500
Received: from [192.168.2.103] (207-114-177-86.vtc.net [207.114.177.86]) by toccata.fugue.com (Postfix) with ESMTP id CA28F1B20D6; Fri, 20 Jan 2006 20:38:53 -0700 (MST)
From: Ted Lemon <Ted.Lemon@nominum.com>
Organization: Nominum, Inc.
To: dhcwg@ietf.org
Subject: Re: [dhcwg] IESG Discusses/Comments on draft-ietf-dhc-dhcpv6-subid-00.txt
Date: Fri, 20 Jan 2006 20:38:51 -0700
User-Agent: KMail/1.8.3
References: <8E296595B6471A4689555D5D725EBB21011FE156@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <8E296595B6471A4689555D5D725EBB21011FE156@xmb-rtp-20a.amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200601202038.51411.Ted.Lemon@nominum.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Content-Transfer-Encoding: 7bit
Cc: "Bernie Volz (volz)" <volz@cisco.com>, iesg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
On Friday 20 January 2006 15:17, Bernie Volz (volz) wrote: > There's also the assumption that a relay-agent, that will relay the > message using IPsec, doesn't relay a relayed message except if received > from an IPsec secured relay (since the relays down the chain and the > server can't know which earlier hops were secured or not - except the > last). A relay-agent only relay's a client message and an IPsec secured > relay message? (There isn't anything that I found that explicitly states > this in RFC 3315, so perhaps something to consider as we advance the > document. Or do we feel that is naturally obvious.) Generally speaking, if you state something clearly and explicitly in an RFC, there is a *chance* that all implementors will understand what you meant. If you don't state that thing in an RFC, there is a *chance* that a few implementors will understand what you meant or ask you. So of the two options, I think being explicit is better. > Isn't there inherently an assumption that a relay know whether it should > only be a first hop relay and thus ONLY relay client traffic (and not > relayed messages). No, there's no such assumption. > This would be useful in both directions, since if so > configured, the relay would never want to relay a RELAY-REPLY either. (I > guess servers could also be told the maximum hops expected and drop > messages that have more than the maximum hops.) That seems balky. I like your first suggestion better. In general I think it might be challenging to completely specify the behaviour you're suggesting here. I hate to say it, given where we are in the process, but it might be better to require that a relay-forward option in a DHCPv6 packet that is itself being authenticated must always indicate whether or not the message being relayed was authenticated. This would have to be done via a new option we haven't talked about yet. I don't know if this is necessary, though - perhaps it's enough to simply explain the problem in the security considerations section and let the administrator impose a solution locally, which I think is basically what you're saying here. _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] IESG Discusses/Comments on draft-ietf-dhc… Bernie Volz (volz)
- Re: [dhcwg] IESG Discusses/Comments on draft-ietf… Ted Lemon
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Wijnen, Bert (Bert)
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Bernie Volz (volz)
- RE: [dhcwg] IESG Discusses/Comments on draft-ietf… Bernie Volz (volz)
- Re: [dhcwg] IESG Discusses/Comments on draft-ietf… Ted Lemon
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Wijnen, Bert (Bert)
- [dhcwg] RE: IESG Discusses/Comments on draft-ietf… Bernie Volz (volz)