Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
Richard Johnson <raj@cisco.com> Wed, 03 December 2008 17:28 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 27B8528C15B; Wed, 3 Dec 2008 09:28:34 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE13E28C207; Tue, 2 Dec 2008 14:52:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rUfshfzueNtV; Tue, 2 Dec 2008 14:52:57 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 9013828C1FF; Tue, 2 Dec 2008 14:52:57 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.33,704,1220227200"; d="scan'208";a="112619716"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-1.cisco.com with ESMTP; 02 Dec 2008 22:52:53 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id mB2MqrLl031215; Tue, 2 Dec 2008 14:52:53 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id mB2MqriI005669; Tue, 2 Dec 2008 22:52:53 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 2 Dec 2008 14:52:53 -0800
Received: from stealth-10-32-254-179.cisco.com ([10.32.254.179]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 2 Dec 2008 14:52:52 -0800
References: <200811260758.mAQ7wXhp017242@raisinbran.srv.cs.cmu.edu> <3F83E569A47C23246D97043F@minbar.fac.cs.cmu.edu>
Message-Id: <CA414188-BF37-480C-96A2-76DC6FA2D5B8@cisco.com>
From: Richard Johnson <raj@cisco.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <3F83E569A47C23246D97043F@minbar.fac.cs.cmu.edu>
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
Date: Tue, 02 Dec 2008 14:52:51 -0800
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 02 Dec 2008 22:52:52.0707 (UTC) FILETIME=[B5385B30:01C954D0]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4716; t=1228258373; x=1229122373; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=raj@cisco.com; z=From:=20Richard=20Johnson=20<raj@cisco.com> |Subject:=20Re=3A=20[secdir]=20secdir=20review=20of=20draft -raj-dhc-tftp-addr-option-04 |Sender:=20; bh=4GDZzYvPgjMBLrwF1jeSzGPOJSyFUXyycDuIzfPXaYw=; b=qL4KvJeCu/OdkbNvkShiBhMWAnGY5J1vs6EFK0fZL7DCoitQcIfKyZH4u2 kdhNm00Wh3LFgWcc3igFuxusT3zkwGNiWOK1P4CcP0gyhs3U+xnnjiY7Tb2l e/bRJ4aDNm;
Authentication-Results: sj-dkim-2; header.From=raj@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
X-Mailman-Approved-At: Wed, 03 Dec 2008 09:28:31 -0800
Cc: iesg@ietf.org, dhc-chairs@tools.ietf.org, Samuel Weiler <weiler@watson.org>, ietf@ietf.org, secdir@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
inline... On Dec 2, 2008, at 9:30 AM, Jeffrey Hutzelman wrote: > --On Wednesday, November 26, 2008 02:58:25 AM -0500 Samuel Weiler <weiler@watson.org > > wrote: > >> The security considerations section cites rogue DHCP servers as >> attack >> vectors, but doesn't do enough to encourage the use of DHCP Auth. > > In many deployments, DHCP is used by devices which have no prior > configuration, or at least no prior association with the network > operator. In such scenarios, DHCP auth is frequently impractical. > Instead, network operators take other measures to insure that only > replies from legitimate DHCP servers ever reach clients. For > example, they may configure switches to monitor and filter DHCP > traffic such that responses can only come from a small set of > trusted ports. I'm somewhat surprised that the document does not > mention this approach, as it is fairly common. Yes, in some cases this could be done. Since this applies to ALL DHCP options, it seems a little strange to point it out for this one as though it's a special case. I guess as long as the text makes it clear that this doesn't apply only to this one option, then it would make sense to add it. Do you have suggested text? > > > I believe there may also be some confusion as to the meaning of > option 66. This option has exactly the same semantics as the 'sname' > field in the bootp packet, and is used in the event that field is > overloaded to carry additional options. See RFC2132 sections 9.3, > 9.4, 9.5, and the description of the option overload option starting > at the bottom of page 23 of RFC2131. So, putting a name in option > 66 has exactly the same effect as putting it in the 'sname' field, > which is well-defined for BOOTP requests, but not so well defined > for DHCP replies (in fact, so far as I've been able to tell, neither > BOOTP nor DHCP has anything to say on the semantics of this field > other than that it's a "server host name", and calling option 66 > "TFTP server name" is really misleading, because sname didn't > actually mean that(*). Option 66 is called "TFTP server name" in the document because that's the name of the option. Quoting RFC2132: 9.4 TFTP server name This option is used to identify a TFTP server when the 'sname' field in the DHCP header has been used for DHCP options. The code for this option is 66, and its minimum length is 1. Code Len TFTP server +-----+-----+-----+-----+-----+--- | 66 | n | c1 | c2 | c3 | ... +-----+-----+-----+-----+-----+--- > > > In any case, the comment in the present document's security > considerations that use of a name rather than an address is "more > secure" is flawed in several ways. First, the DHCP server operator > has no control over what options an attacker sends; if an attacker > prefers to send and address, he can do so. Secondly, if a name is > used, the attacker need only send a name in a zone which he > controls; there is no need to subvert any part of the DNS. Yep, valid point. Do you have suggested replacement text? > I share Sam's confusion as to why a code point is needed here at > all. What purpose does this option serve that is not served by the > siaddr field? The document is following the instructions outlined in RFC3942: 2. Vendors that currently use one or more of the reclassified options have 6 months following this RFC's publication date to notify the DHC WG and IANA that they are using particular options numbers and agree to document that usage in an RFC. IANA will move these options from the "Unavailable" to "Tentatively Assigned" state. ... 4. For those options in the "Tentatively Assigned" state, vendors have 18 months following this RFC's publication date to submit an Internet-Draft documenting the option. The documented usage MUST be consistent with the existing usage. When the option usage is published as an RFC, IANA will move the option to the "Assigned" state. Finally, since RFC3942 specifically says the documentation of the usage "MUST be consistent with the existing usage", it would actually be violating RFC3942 if we were to add a mandate that the "DHCP Auth" option be used. /raj > > > -- Jeff > > > > (*) In fact, I've seen at least one widespread client implementation > that assumed that sname was the name of the server identified in the > siaddr field, and updated /etc/hosts so that sname would resolve to > siaddr. _______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
- secdir review of draft-raj-dhc-tftp-addr-option-04 Samuel Weiler
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… John C Klensin
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Jari Arkko
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Samuel Weiler
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Cullen Jennings
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman