Re: [dhcwg] Re: AD review of draft-ietf-dhc-dhcpv6-opt-prefix-delegation-03.txt
Ralph Droms <rdroms@cisco.com> Thu, 24 July 2003 19:37 UTC
Message-Id: <4.3.2.7.2.20030724151120.01c11030@funnel.cisco.com>
Date: Thu, 24 Jul 2003 15:31:25 -0400
To: Thomas Narten <narten@us.ibm.com>
From: Ralph Droms <rdroms@cisco.com>
Subject: Re: [dhcwg] Re: AD review of draft-ietf-dhc-dhcpv6-opt-prefix-delegation-03.txt
Cc: ot@cisco.com, dhcwg@ietf.org
In-Reply-To: <200307232010.h6NKAZF11987@cichlid.adsl.duke.edu>
References: <Message from rdroms@cisco.com of "Tue, 20 May 2003 18:39:04 EDT." <4.3.2.7.2.20030520115234.0420e008@funnel.cisco.com>
At 04:10 PM 7/23/2003 -0400, Thomas Narten wrote:
>Hi Ralph.
>
>I'm going through this thread again in anticipation of putting the
>document before the IESG...

OK and it's great to hear that the doc will be going to the IESG...

>I'm OK with most of your responses.
>
> > > >> An intruder requesting router may be able to mount a denial of
> > >
> > > What is "intruder requesting router"?
> >
> > How about "malicious requesting router"?
>
>I misread the above because "requesting router" is almost a proper
>name for a type of router as used in this document. But when I just
>read "intruder requesting router", it parses differently... That is
>what prompted my comment.

So, is "malicious requesting router" OK?

> > >> Because a requesting router and delegating routers must each have at
> > >> least one assigned IPv6 address, the routers may be able to use IPsec
> > >> for authentication of DHCPv6 messages. The details of using IPsec
> > >> for DHCPv6 are under development.
> > >
> > > Where in the spec is this made a requirement? The mention in the
> > > security considerations is the first reference to this I recall
> > > seeing.
> >
> > The sentence you quoted is part of a paragraph in
> > the "Security Considerations" section:
> >
> > To guard against attacks through prefix delegation, requesting
> > routers and delegating routers SHOULD use DHCP authentication as
> > described in section "Authentication of DHCP messages" in the DHCP
> > specification [6]. For point to point links, where one trusts that
> > there is no man in the middle, or one trusts layer two
> > authentication, DHCP authentication or IPsec may not be
> > necessary. Because a requesting router and delegating routers must
> > each have at least one assigned IPv6 address, the routers may be
> > able to use IPsec for authentication of DHCPv6 messages. The
> > details of using IPsec for DHCPv6 are under development.
> >
> > We don't understand your question. Why would this security
> > consideration be mentioned in an earlier section of the draft?
> > What is the "this" in "...the first reference to this..."
> > referring to?
>
>My question was about the requirement that a Requesting Router already
>have "at least one assigned IPv6 address", which I read as meaning a
>global address (e.g., one previously assigned via, say, DHC). Is this
>really a requirement? I don't recall seeing that in the spec.

Ah ... the word "assigned" is probably misleading. "Configured" might
be a better word. We can probably replace the next sentence ("The
details...") with:

   The requesting and delegating routers use IPsec for authentication
   in the same way DHCPv6 servers and relay agents use IPsec as
   described in section 21.1 of the DHCPv6 specification.

>Here are some more nits I found while looking at -07:
>
> > IPv6 Prefix Options for DHCPv6
>
>RFC editor will want acronym in title expanded.

OK.

>Ditto for abstract
>
> > [7] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC 3162,
> > August 2001.
>
>is informational, I believe.

OK.

> > it selects an available prefi or prefixes for delegation to the
>
>s/prefi /prefix/
>
>Thomas

Thanks for the response and careful review...

- Ralph

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg