Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option

tglassey <> Fri, 08 June 2012 14:23 UTC

To: "t.p." <>

On 6/8/2012 3:37 AM, t.p. wrote:
> Just to make public what I have hinted at privately, I think that steps
> in section 4.1 may be somewhat underspecified.
> They give the logic a client, one which supports both DHCP and DNS, should
> follow in order to find a KDC, with DNS information being preferred.
Yes, this is because the DNS auth models are better than DHCP today AFAIK.
> One scenario outlined in section 1 is of a user having entered userid and
> passphrase and waiting to be authenticated.  The steps imply a number of
> timeouts in succession without specifying what balance to take of how long
> to wait for a server to respond versus how long to keep the user waiting.
True, but this is likely to be set in the client as a flat config value,
one would think.

And if so, this is actually a good thing you bring up, Tom. My take is
that from a policy management standpoint the timeout period should be a
"policy level" control IMHO and should have both a default value and a
method of overriding it to allow people, when they need to, to create a
more "synchronous" expectation from a responder.
> I would find it difficult to know what balance to strike without guidance.
> A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
> information but the Security Considerations stress the weakness of
> DHCP and recommend authenticating DHCP.  What if DHCP is secure
> and DNS is not?  Should DNS still be preferred?
DNSSEC is clearly beyond DHCP security models, so perhaps for a working
system this makes sense, unless you want to create an autonomous DNS
client which can exist in a pre-boot model.

Pardon my restating the obvious, but "Still the issue is that DNS
services don't work until they are loaded and DHCP is designed to work
from a firmware boot (as we all know)".

How does this fit into what NEA is supposed to provide as a baseline?
> Tom Petch
> ----- Original Message -----
> From: "Jeffrey Hutzelman"<>
> To: "Samuel Weiler"<>
> Cc:<>;
> <>;<>;<>
> Sent: Thursday, May 24, 2012 6:50 PM
> Subject: Re: [secdir] secdir review of
> draft-sakane-dhc-dhcpv6-kdc-option
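The DNS-first, DHCP-fallback client logic and the single policy-level user-wait budget discussed in this thread, as an added example that is not from the draft or from either correspondent. `DiscoveryPolicy`, `locate_kdc` and the injected lookup callables are hypothetical names, and the sample lookups are constructed stand-ins for a real resolver and DHCP client, so the code runs offline.

```python
"""Added example: locate a KDC preferring DNS over DHCP while keeping the
successive per-source timeouts inside one policy-level user-wait budget.
Names and lookups here are hypothetical; nothing is taken from the draft."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class DiscoveryPolicy:
    user_wait_max: float = 10.0  # policy-level cap on how long the user waits
    dns_timeout: float = 3.0     # per-source defaults, overridable by policy
    dhcp_timeout: float = 3.0


# A lookup takes (realm, timeout) and returns KDC names, or None on no answer.
Lookup = Callable[[str, float], Optional[List[str]]]


def locate_kdc(realm: str, dns_lookup: Lookup, dhcp_lookup: Lookup,
               policy: DiscoveryPolicy, clock: Callable[[], float]
               ) -> Tuple[Optional[List[str]], List[Tuple[str, str]]]:
    deadline = clock() + policy.user_wait_max
    attempts: List[Tuple[str, str]] = []
    # Preference order from the thread: DNS first, DHCP-supplied info second.
    for name, lookup, step_timeout in (("dns", dns_lookup, policy.dns_timeout),
                                       ("dhcp", dhcp_lookup, policy.dhcp_timeout)):
        remaining = deadline - clock()
        if remaining <= 0:
            attempts.append((name, "skipped: user-wait budget exhausted"))
            break
        # Clip each source's timeout to the budget left, so that a chain of
        # timeouts can never keep the user waiting longer than user_wait_max.
        timeout = min(step_timeout, remaining)
        result = lookup(realm, timeout)
        if result:
            attempts.append((name, f"ok after <= {timeout:.1f}s"))
            return result, attempts
        attempts.append((name, f"no answer within {timeout:.1f}s"))
    return None, attempts


class FakeClock:
    """Constructed clock so the lookups below can 'spend' time deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[Optional[List[str]], List[Tuple[str, str]]]:
    clock = FakeClock()

    def slow_dns(realm: str, timeout: float) -> Optional[List[str]]:
        clock.now += timeout  # constructed: DNS never answers, burns its timeout
        return None

    def dhcp_cached(realm: str, timeout: float) -> Optional[List[str]]:
        clock.now += 0.1      # constructed: KDC option already held from the lease
        return ["kdc1.example.com"]

    policy = DiscoveryPolicy(user_wait_max=4.0, dns_timeout=3.0, dhcp_timeout=3.0)
    return locate_kdc("EXAMPLE.COM", slow_dns, dhcp_cached, policy, clock)
```

With a 4 s budget the DNS step consumes its full 3 s and the DHCP step is clipped to the remaining 1 s; with a 2 s budget the DHCP step is skipped outright rather than overrunning the user's wait.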