[dhcwg] Deployment consideration for SeDHCPv6

Sheng Jiang <jiangsheng@huawei.com> Thu, 05 June 2014 09:39 UTC

From: Sheng Jiang <jiangsheng@huawei.com>
To: Ted Lemon <ted.lemon@nominum.com>, Ralph Droms <rdroms.ietf@gmail.com>, 神明達哉 <jinmei@wide.ad.jp>
Thread-Topic: Deployment consideration for SeDHCPv6
Thread-Index: AQHPgKHv1Ac5DKV250+NBNKyOimJag==
Date: Thu, 05 Jun 2014 09:38:41 +0000
Message-ID: <5D36713D8A4E7348A7E10DF7437A4B923AE891C2@nkgeml512-mbx.china.huawei.com>
References: <535FEDAD.5010103@gmail.com> <5388F901.1000709@gmail.com> <78B235AF-D94C-40F1-9C76-4159B3A0A043@nominum.com> <CAJE_bqf4UZeFifHMhM=Vo2X66+ab7cnhb19K-XD_+_pr7-VS1A@mail.gmail.com> <FF49B4DE-E45F-4FF7-9C2D-5FA72FE66A4D@gmail.com> <C7C8884E-499D-4B55-B978-8D7A4D21EE3C@nominum.com> <5D36713D8A4E7348A7E10DF7437A4B923AE88462@nkgeml512-mbx.china.huawei.com>
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B923AE88462@nkgeml512-mbx.china.huawei.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/uB0Z8sU40yxRyLtiPrmfcY-hJwk
Cc: dhcwg <dhcwg@ietf.org>
Subject: [dhcwg] Deployment consideration for SeDHCPv6

Hi, Jinmei, Ralph, Ted and all,

The text below is the proposal from the SeDHCPv6 authors to clarify the applicability. We plan to add this text, of course after reaching consensus on the mailing list, to the next update version. Any comments are appreciated.

Deployment consideration

This document has defined two levels of authentication: full authentication based on certificate or pre-shared key verification and weaker authentication based on leap-of-faith. Both levels can be applied on servers and clients. The deployment scenarios can be categorized as below:

	Authenticating a server on a client
	   - Both full authentication and leap-of-faith can be used. The latter is weaker, but it is better than no protection, since it narrows the attack scope.

	Authenticating a client on a server
	   - With full authentication, the server can selectively serve a specific client (or deny specific clients). The server can prevent an attacker from breaking an existing DHCPv6 session of a client. The server can also prevent an attacker from pretending to be a past legitimate client.
	   - With leap-of-faith authentication, the server can only prevent an attacker from breaking an existing DHCPv6 session of a client and from pretending to be a past legitimate client.
	   - A server may maintain both full authentication and leap-of-faith authentication at the same time. In such scenarios, the clients authenticated through leap-of-faith normally have lower priority and/or limited network access. One example would be an enterprise network: office devices or employees' devices using full authentication are allowed to access all network resources, including the internal database; devices of occasional visitors are also authenticated, but through leap-of-faith, and can only access the public web services of the enterprise and the Internet.

Best regards,

Sheng

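An added example, not text from the draft or its authors, that models the server-side policy above in Go: a set of trusted keys stands in for certificate or pre-shared key verification, Ed25519 signatures stand in for the draft's signature mechanism, and the client identities, keys and the "SOLICIT" payload are constructed for the demonstration. It shows why a leap-of-faith client keeps limited access while a key change for a known identity, or a bad signature, is refused.

```go
package main
import ("bytes"; "crypto/ed25519"; "crypto/rand")

// Access level the server grants to a client (constructed for this example).
type Access int

// Limited = leap-of-faith client (guest resources only); Full = fully authenticated.
const (Denied Access = iota; Limited; Full)

// Server keeps the fully trusted keys (standing in for certificate or PSK
// verification) and the keys pinned on first contact (leap-of-faith).
type Server struct {
	Trusted map[string]bool              // raw public key bytes -> trusted
	Pinned  map[string]ed25519.PublicKey // client identity -> first-seen key
}

// Authenticate verifies the signature, then applies the two-level policy.
func (s *Server) Authenticate(id string, pub ed25519.PublicKey, msg, sig []byte) Access {
	if !ed25519.Verify(pub, msg, sig) {
		return Denied // altered message, or the sender does not hold the claimed key
	}
	if s.Trusted[string(pub)] {
		return Full // fully authenticated: the server may selectively serve this client
	}
	if pinned, ok := s.Pinned[id]; ok {
		if bytes.Equal(pinned, pub) {
			return Limited // returning leap-of-faith client presenting the same key
		}
		return Denied // new key for a known identity: cannot pose as a past client
	}
	s.Pinned[id] = pub // first contact: take the leap of faith and remember the key
	return Limited
}

// RunScenario plays the enterprise example: an employee device, a visitor
// device, and an attacker who claims the visitor's identity or forges a signature.
func RunScenario() []Access {
	empPub, empPriv, _ := ed25519.GenerateKey(rand.Reader)
	visPub, visPriv, _ := ed25519.GenerateKey(rand.Reader)
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{Trusted: map[string]bool{string(empPub): true}, Pinned: map[string]ed25519.PublicKey{}}
	req := []byte("SOLICIT") // constructed stand-in for the signed DHCPv6 message body
	return []Access{
		s.Authenticate("employee-1", empPub, req, ed25519.Sign(empPriv, req)), // Full
		s.Authenticate("visitor-1", visPub, req, ed25519.Sign(visPriv, req)),  // Limited (pinned now)
		s.Authenticate("visitor-1", visPub, req, ed25519.Sign(visPriv, req)),  // Limited (same key)
		s.Authenticate("visitor-1", atkPub, req, ed25519.Sign(atkPriv, req)),  // Denied (key changed)
		s.Authenticate("visitor-2", atkPub, req, ed25519.Sign(visPriv, req)),  // Denied (bad signature)
	}
}
```

Note that leap-of-faith alone cannot tell the visitor from an attacker who arrives first under a fresh identity; it only binds an identity to the key it first presented, which is exactly the limit the proposed text describes.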
>-----Original Message-----
>From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Sheng Jiang
>Sent: Tuesday, June 03, 2014 1:55 PM
>To: Ted Lemon; Ralph Droms
>Cc: dhcwg; 神明達哉
>Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May
>18
>
>The authors plan to produce an updated version, which addresses the
>comments received during the WGLC, in two weeks. The "applicability
>statement" would be the major target in this update. We will come up with
>proposal text and invoke discussion on the email list in a couple of days.
>
>Best regards,
>
>Sheng
>
>>-----Original Message-----
>>From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Ted Lemon
>>Sent: Tuesday, June 03, 2014 4:53 AM
>>To: Ralph Droms
>>Cc: dhcwg; 神明達哉
>>Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May
>>18
>>
>>I have no personal objection to Jinmei's text, although I think it's incomplete.
>>Could you guys work with Sheng to see if you can come up with a mutually
>>agreeable update?
>>
>>_______________________________________________
>>dhcwg mailing list
>>dhcwg@ietf.org
>>https://www.ietf.org/mailman/listinfo/dhcwg