Re: [dhcwg] Deployment consideration for SeDHCPv6
Ralph Droms <rdroms.ietf@gmail.com> Tue, 17 June 2014 17:15 UTC
Sheng - I think Jinmei-san's suggested text is very good, although I do have one question about authentication on a server. The text includes examples for the various scenarios, which addresses my primary concern.

Jinmei-san - I have one question about your text. Can you explain in a little more detail how the second and third examples of authentication on a server work, in which you say the server only has to remember the client's public key so neither full authentication nor LoF is required?

- Ralph

On Jun 6, 2014, at 2:51 PM 6/6/14, 神明達哉 <jinmei@wide.ad.jp> wrote:

> At Thu, 5 Jun 2014 09:38:41 +0000,
> Sheng Jiang <jiangsheng@huawei.com> wrote:
>
>> The below text is the proposal from SeDHCPv6 authors in order to
>> clarify the applicability. We plan to add this text, of course
>> after reaching consensus in the mail list, into the next update
>> version. Any comments are appreciated.
>
> The proposed text seems to be almost a minor revision of my outline I
> showed on the list, so I guess Ted would still complain that it's
> incomplete:-). I'm not sure how much we should be "complete" in this
> document (especially if we wouldn't like to make the document a
> kitchen sink), but I'll show my own try below. Not intending to push
> this particular text, but I thought I'm responsible for providing
> something more concrete as someone who keeps raising the point.
>
> X. Deployment consideration
>
> This document defines two levels of authentication: full
> authentication based on certificate or pre-shared key verification and
> weaker authentication based on leap-of-faith (LoF). As a mechanism,
> both levels can be applied on servers and clients. Depending on the
> details of expected threats and other constraints, some cases may have
> limited applicability. This section discusses such details.
>
> X.1 Authentication on a client
>
> For clients, DHCP authentication generally means authenticating the
> server (the sender of DHCP messages) and verifying message integrity.
>
> This is satisfied with full authentication. Due to the configuration
> overhead, however, full authentication may not always be feasible. It
> would still be viable in a controlled environment with skilled staff,
> such as a corporate intranet.
>
> If LoF is used, message integrity is provided but there is a chance
> for the client to incorrectly trust a malicious server at the
> beginning of the first session with the server (and therefore keep
> trusting it thereafter). But LoF guarantees the subsequent messages
> are sent by the same server that sent the public key, and therefore
> narrows the attack scope. This may make sense if the network can be
> reasonably considered secure and requesting pre-configuration is
> deemed to be infeasible. A small home network would be an example of
> such cases.
>
> For environments that are neither controlled nor really trustworthy,
> such as a network cafe, full authentication wouldn't be feasible due
> to configuration overhead, while pure LoF, i.e. silently trusting the
> server at the first time, would be too insecure. But some
> middle ground might be justified, such as requiring human intervention
> at the point of LoF.
>
> X.2 Authentication on a server
>
> As for authentication on a server, there are several different
> scenarios to consider, each of which has different applicability
> issues.
>
> A server may have to selectively serve a specific client or deny
> specific clients depending on the identity of the client. This will
> require full authentication, since if the server allows LoF any
> malicious user can pretend to be a new legitimate client. Also, the
> use of certification wouldn't be feasible in this case, since it's
> less likely for all such clients to have valid (and generally
> different) certificates. So the applicable case may be limited, but a
> controlled environment with skilled staff and a specifically expected
> set of clients such as a corporate intranet may still find it useful
> and viable.
>
> A server can prevent an attack on the DHCP session with an existing
> client from a malicious client, e.g., by sending a bogus Release
> message: the server would remember the original client's public key
> at the beginning of the DHCP session and authenticate subsequent
> messages (and their sender). Neither full authentication nor LoF is
> needed for this purpose, since the server does not have to trust the
> public key itself. So this can be generally used for any usage of
> DHCP.
>
> A server can prevent an attack by a malicious client that pretends to
> be a valid past client and tries to establish a new DHCP session
> (whether this is a real security threat may be a subject of debate,
> but this is probably at least annoying). This is similar to the first
> scenario, but full authentication may not necessarily be required;
> since the purpose is to confirm a returning client has the same
> identity as a valid past client, the server only has to remember the
> client's public key at the first time. So LoF can be used at the risk
> of allowing a malicious client to mount this attack before the initial
> session with a valid client. An uncontrolled, but reasonably reliable
> network like a home network may use this defense with LoF.
>
> --
> JINMEI, Tatuya
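
The second and third server-side scenarios in the quoted text, sketched as an added example that is not part of either message or of the SeDHCPv6 draft: a server that binds a live session to the key that opened it, and optionally pins that key across sessions (LoF). The message layout, `Server`, `Handle`, the `lof` flag, the DUID strings and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Msg is a constructed stand-in for a signed DHCPv6 message (not the SeDHCPv6 wire format).
type Msg struct {
	DUID, Type string
	Pub        ed25519.PublicKey
	Sig        []byte
}

func NewKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(nil); return k }

func Sign(duid, typ string, k ed25519.PrivateKey) Msg { // covers DUID and type only, no replay protection
	return Msg{duid, typ, k.Public().(ed25519.PublicKey), ed25519.Sign(k, []byte(duid+"|"+typ))}
}

type Server struct {
	lof             bool                         // pin keys across sessions (leap of faith)
	session, pinned map[string]ed25519.PublicKey // DUID -> remembered key
}

func NewServer(lof bool) *Server {
	return &Server{lof, map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}}
}

func (s *Server) Handle(m Msg) string {
	if len(m.Pub) != ed25519.PublicKeySize || !ed25519.Verify(m.Pub, []byte(m.DUID+"|"+m.Type), m.Sig) {
		return "drop: bad signature"
	}
	if pin, ok := s.pinned[m.DUID]; ok && !pin.Equal(m.Pub) {
		return "drop: not the key pinned for this client" // third scenario
	}
	if cur, live := s.session[m.DUID]; (live && !cur.Equal(m.Pub)) || (!live && m.Type != "Solicit") {
		return "drop: no live session under this key" // second scenario
	}
	s.session[m.DUID] = m.Pub // remembered, not trusted as an identity
	if s.lof {
		s.pinned[m.DUID] = m.Pub // first key seen for this DUID is kept
	}
	if m.Type == "Release" {
		delete(s.session, m.DUID)
	}
	return "accept"
}

func main() { fmt.Println(NewServer(true).Handle(Sign("duid-A", "Solicit", NewKey()))) }
```

With `lof` off, a validly signed Release under a different key is still dropped, but once the session ends any key can open a new one for the same DUID; only the pinned table stops that.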