Re: [dhcwg] Alissa Cooper's No Objection on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 01 October 2015 01:13 UTC

In-Reply-To: <F9BABEE4-D8E1-4A92-8776-9BE711C8A8A2@gmail.com>
References: <20150930225600.1742.48032.idtracker@ietfa.amsl.com> <F9BABEE4-D8E1-4A92-8776-9BE711C8A8A2@gmail.com>
Date: Wed, 30 Sep 2015 21:13:29 -0400
Message-ID: <CAHbuEH7Xy7ap7VOo7dZd-v0ewibgCUkkNLAoAhAMz1QhphmUvA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/xl52knM2fwP33tbLE5mrYh69YFg>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [dhcwg] Alissa Cooper's No Objection on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with COMMENT)

On Wed, Sep 30, 2015 at 7:29 PM, Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:
>
>
> Sent from my iPhone
>
>> On Sep 30, 2015, at 6:56 PM, Alissa Cooper <alissa@cooperw.in> wrote:
>>
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-dhc-dhcpv4-active-leasequery-06: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv4-active-leasequery/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I think it would help to explain the rationale for having both secure and
>> insecure modes supported.
>>
>> In sections 7.2, 8.1, and 9, this is a bit of a strange layering of
>> normative requirements:
>>
>> The recommendations in [RFC7525] SHOULD be followed when negotiating
>>   this connection.
>>
>> If you were going to use normative language here I think this would more
>> appropriately be a MUST, but I would actually recommend something along
>> the lines of "The recommendations in [RFC7525] apply" since the
>> recommendations contained therein vary in their normative strength.
>> Perhaps the security ADs have a preferred formulation, I'm not sure.
>
> In my opinion, RFC7525 only applies in some situations.

I probably should have said that I am okay with the SHOULD here,
rather than the statement I left before... I was thinking more about
use of DHCP on internal networks prior to NAT translation or with
multiple levels of security including access controls and
firewalls/gateways/IPS (which will translate and possibly record the
addresses assigned anyway).  Looking at the full picture is important.
Ideally, these sessions would be encrypted, but as Brian pointed out,
the database is accessible (protected with controls) on the same
network.  The infrastructure is typically via a switch (not shared
Ethernet), so traffic is directly between the server and DHCP client.
I'm okay with the SHOULD and would rather have the secure mode when
confidentiality is needed (my preference in that case is more than
OS).

> If DHCP is being used in a local network, there are other security controls in place.  As such, a risk assessment of the actual threat to determine if secure mode is needed would be fine.  Having made this operational decision on highly secure networks, I think it's okay to allow for flexibility to look at the bigger picture and determine the appropriate set of controls.  Since the draft provides a secure option, I think that's enough.
>
> Thanks,
> Kathleen
>
-- 

Best regards,
Kathleen