[dhcwg] RE: AD review of draft-ietf-dhc-isnsoption-05.txt
Charles Monia <cmonia@NishanSystems.com> Tue, 29 April 2003 00:24 UTC
Message-ID: <B300BD9620BCD411A366009027C21D9BE86E25@ariel.nishansystems.com>
From: Charles Monia <cmonia@NishanSystems.com>
To: "Thomas Narten (E-mail)" <narten@us.ibm.com>
Cc: Charles Monia <cmonia@NishanSystems.com>, Joshua Tseng <jtseng@NishanSystems.com>, Kevin Gibbons <kgibbons@NishanSystems.com>, "'dhcwg@ietf.org'" <dhcwg@ietf.org>, "Ips (E-mail)" <ips@ece.cmu.edu>, "David Black (E-mail)" <Black_David@emc.com>, "Elizabeth Rodriguez (E-mail)" <ElizabethRodriguez@ieee.org>
Date: Mon, 28 Apr 2003 17:20:44 -0700
Hi Thomas:

The following are changes proposed in response to your review comments raising non-editorial issues for the iSNS DHCP option.

> -----Original Message-----
> From: Thomas Narten [mailto:narten@us.ibm.com]
> Sent: Tuesday, April 22, 2003 10:30 AM
> To: cmonia@nishansystems.com; jtseng@nishansystems.com; kgibbons@nishansystems.com
> Cc: dhcwg@ietf.org
> Subject: AD review of draft-ietf-dhc-isnsoption-05.txt
>
> General issues:
>
> I'd like to see a justification for the vendor specific fields. I'd
> like to understand how these can be safely used without leading to
> interoperability issues. Besides, there are other ways in DHC to do
> vendor-specific things. Can we just remove them from this
> option/document?

The vendor-specific fields will be redefined as "reserved" fields.

<Material deleted>

> > 3. Security Considerations
> >
> > DHCP currently provides no authentication or security mechanisms.
> > Potential exposures to attack are discussed in section 7 of the DHCP
> > protocol specification [DHCP].
>
> What about RFC 3118?
>
> > iSNS security considerations are discussed in [iSNS] and [SEC-IPS].
> > With regard to security considerations specific to the use of this
> > DHCP option to discover the location of the iSNS server, exposure to
> > a "man-in-the-middle" attack by a hostile entity modifying or
> > replacing the original iSNS option message should be considered a
> > potential security exposure. To prevent an attacker from weakening
> > the required security and potentially tricking the iSNS client into
> > connecting into rogue iSNS servers, reliance on local security
> > policy configuration is an appropriate countermeasure.
>
> This says almost nothing. What can happen if there is a man-in-the
> middle? Really bad things? or just DOS? And what "local security
> policy configuration" helps mitigate the threats?

We propose the following replacement text.
Section 3.0 -- Security

"[RFC3118] should be consulted to determine the requirements for additional security measures to verify the authenticity of the iSNS option message received by the DHCP client. If necessary, the authentication option described in [RFC3118] should be utilized. With regard to security considerations specific to the use of this DHCP option to discover the location of the iSNS server, exposure to a "man-in-the-middle" attack by a hostile entity modifying or replacing the original iSNS option message should be considered a potential security exposure. If the authentication option in [RFC3118] is not implemented, then an attacker may trick the iSNS client into connecting into rogue iSNS servers. If the authentication option for DHCP is not implemented and it is determined that the potential exists for a "man-in-the-middle" attack, then the DHCP option message for iSNS SHOULD NOT be utilized. iSNS security considerations are discussed in [iSNS] and [SEC-IPS]."

--
Charles

-----------------------------------------
Charles Monia
Senior Technology Consultant
Nishan Systems
email: cmonia@nishansystems.com
voice: (408) 519-3986
fax: (408) 435-8385
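The RFC 3118 check that the proposed Section 3.0 text relies on, as an added example that is not part of this thread or of the iSNS option draft: a client-side verification of the delayed-authentication option (option 90, protocol 1, HMAC-MD5, RDM 0) over a constructed DHCPACK carrying an iSNS option, where the client uses the iSNS option only when the MAC verifies and ignores it otherwise. Assumed: iSNS option code 83 (assigned later by RFC 4174, not stated in this thread), a key looked up directly by secret ID, and an opaque constructed option body.

```python
import hmac, hashlib, struct
AUTH_OPTION = 90    # RFC 3118 authentication option
ISNS_OPTION = 83    # iSNS option code (assumed here; assigned later by RFC 4174)
SECRETS = {1: b"constructed-shared-secret"}   # secret ID -> key, constructed

def parse_options(msg):
    """Return (code, value_offset, value) for each option after the magic cookie."""
    i, out = 240, []
    while i < len(msg) and msg[i] != 255:          # 255 = End option
        if msg[i] == 0:                             # 0 = Pad option
            i += 1
            continue
        ln = msg[i + 1]
        out.append((msg[i], i + 2, msg[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

def compute_mac(msg, off, key):
    """RFC 3118 5.2: HMAC-MD5 over the whole message with hops, giaddr and the MAC zeroed."""
    buf = bytearray(msg)
    buf[3] = 0                                      # hops (relay-modifiable)
    buf[24:28] = bytes(4)                           # giaddr (relay-modifiable)
    buf[off + 15:off + 31] = bytes(16)              # the MAC field itself
    return hmac.new(key, bytes(buf), hashlib.md5).digest()

def accept_isns_option(msg):
    """iSNS option body if a valid delayed-authentication option covers msg, else None."""
    opts = parse_options(msg)
    auth = [(o, v) for c, o, v in opts if c == AUTH_OPTION]
    isns = [v for c, _, v in opts if c == ISNS_OPTION]
    if len(auth) != 1 or len(isns) != 1 or len(auth[0][1]) != 31:
        return None                                 # unauthenticated: do not use it
    off, v = auth[0]                                # v = proto, alg, RDM, replay(8), id(4), MAC(16)
    key = SECRETS.get(struct.unpack("!I", v[11:15])[0])
    if tuple(v[:3]) != (1, 1, 0) or key is None or \
            not hmac.compare_digest(compute_mac(msg, off, key), v[15:31]):
        return None
    return isns[0]

def build_ack(isns_body, secret_id=1, replay=1):
    """Constructed DHCPACK: 236-byte header, magic cookie, type, iSNS and auth options."""
    hdr = bytearray(236)
    hdr[0:8] = b"\x02\x01\x06\x00\x12\x34\x56\x78"  # BOOTREPLY, Ethernet, hlen 6, hops, xid
    auth = bytes([1, 1, 0]) + struct.pack("!QI", replay, secret_id) + bytes(16)
    msg = hdr + b"\x63\x82\x53\x63" + bytes([53, 1, 5]) \
        + bytes([ISNS_OPTION, len(isns_body)]) + isns_body \
        + bytes([AUTH_OPTION, len(auth)]) + auth + b"\xff"
    off = [o for c, o, _ in parse_options(msg) if c == AUTH_OPTION][0]
    msg[off + 15:off + 31] = compute_mac(msg, off, SECRETS[secret_id])
    return bytes(msg)
```

A relay rewriting hops and giaddr leaves the MAC valid, while any change to the iSNS option body, the replay counter or the secret ID makes the client discard the option.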