Re: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt

"Bernie Volz (volz)" <volz@cisco.com> Mon, 17 October 2016 17:17 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt
Thread-Index: AQHSKH3w1/3ia17nOkO1pDvYv33g36CsqvKAgACEfwD//7LqoA==
Date: Mon, 17 Oct 2016 17:17:27 +0000
Message-ID: <6a8f5646aedb44b5af85d7a45039eb02@XCH-ALN-003.cisco.com>
References: <147671242179.4527.12337010225582460227.idtracker@ietfa.amsl.com> <7e03afc26a08461e8308d5bdf985bed9@XCH-ALN-003.cisco.com> <ccbfe561da43469e8f894e2235c4b429@XCH15-06-08.nw.nos.boeing.com>
In-Reply-To: <ccbfe561da43469e8f894e2235c4b429@XCH15-06-08.nw.nos.boeing.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/yR6y8yzhGaOwGjvMQjydZZPskWw>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt

Hi:

As stated in Section 3:

   While IPsec is not mandated for relay to relay, relay to server, and
   server to relay communication, it is highly recommended unless some
   other security mechanisms are already in place (such as VPN tunnels)
   that protect this potentially sensitive traffic from pervasive
   monitoring and other attacks.

It doesn't mandate anything but highly recommends it. Yes, this is "weak" and really leaves it for the operator to decide what is necessary in their deployment. (One thought is that if someone is able to get into that part of the network, there is probably a lot more that they can do and monitor ... and just protecting the relay/relay/server communication is only one small piece).

- Bernie
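Since the draft leaves the decision to the operator, the practical question for a deployment is which relay/server flows are actually travelling without IPsec or a VPN. The script below is an added example, not code from the draft or from anyone on this thread: it separates DHCPv6 relay/server traffic (unicast UDP/547 between global or ULA addresses) from on-link client traffic (link-local source, All_DHCP_Relay_Agents_and_Servers multicast destination), and reports the relay/server flows that carry no protection. The `Flow` record, its `protection` label and the sample flows are constructed for illustration; in practice they would come from a flow collector or capture.

```python
# Added example (not part of the draft or this thread): audit observed DHCPv6
# relay/server flows and report those that run as plain UDP, i.e. without the
# IPsec or VPN protection that Section 3 highly recommends.
# The Flow record, the "protection" label and SAMPLE_FLOWS are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

DHCPV6_SERVER_PORT = 547  # relay agents and servers both receive on this port
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = ipaddress.ip_address("ff02::1:2")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    # Hypothetical label from the collector: "ipsec-esp", "vpn", or None for plain UDP
    protection: Optional[str] = None


def is_relay_server_flow(flow: Flow) -> bool:
    """True for relay<->relay, relay<->server and server<->relay traffic.

    Such traffic is unicast UDP to port 547 between routable IPv6 addresses.
    Client traffic on the link uses a link-local source and the
    All_DHCP_Relay_Agents_and_Servers multicast group, and relay->client
    replies go to port 546, so both are excluded.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src.version != 6 or dst.version != 6:
        return False
    if flow.dport != DHCPV6_SERVER_PORT:
        return False
    if dst == ALL_DHCP_RELAY_AGENTS_AND_SERVERS:
        return False
    if src.is_link_local or dst.is_link_local:
        return False
    return True


def audit(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Return (protected, unprotected) relay/server flows from the input."""
    protected: List[Flow] = []
    unprotected: List[Flow] = []
    for flow in flows:
        if not is_relay_server_flow(flow):
            continue
        if flow.protection:
            protected.append(flow)
        else:
            unprotected.append(flow)
    return protected, unprotected


# Constructed sample: one unprotected relay->server flow hidden among others.
SAMPLE_FLOWS = [
    Flow("fe80::1", "ff02::1:2", 547),                            # client Solicit on link: out of scope
    Flow("2001:db8:1::1", "2001:db8:ffff::53", 547, "ipsec-esp"),  # relay->server, protected
    Flow("2001:db8:ffff::53", "2001:db8:1::1", 547, "ipsec-esp"),  # server->relay, protected
    Flow("2001:db8:2::1", "2001:db8:ffff::53", 547),               # relay->server, plain UDP
    Flow("2001:db8:1::1", "2001:db8:1::100", 546),                 # relay->client, out of scope
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS)
    print(f"{len(ok)} protected relay/server flow(s)")
    for flow in bad:
        print(f"UNPROTECTED relay/server flow {flow.src} -> {flow.dst}")
```

On the sample data the audit reports the single plain-UDP relay->server flow and ignores the on-link client exchange, which is the part of the protocol the draft does not cover. Whether an unprotected flow is acceptable is, as the draft says, the operator's call; the check only makes the gap visible.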

-----Original Message-----
From: Templin, Fred L [mailto:Fred.L.Templin@boeing.com] 
Sent: Monday, October 17, 2016 12:49 PM
To: Bernie Volz (volz) <volz@cisco.com>; dhcwg@ietf.org
Subject: RE: [dhcwg] I-D Action: draft-ietf-dhc-relay-server-security-01.txt

Hi Bernie,

Just so I can understand the intent of this document, if the relay(s) and server already know that some form of encryption is already in use (e.g., if the client and server are using sedhcpv6) then it should be OK to omit encryption between the Relay and Server. Does this draft intend to mandate the use of encryption in all cases?

Thanks - Fred