Re: secdir review of draft-raj-dhc-tftp-addr-option-04
Richard Johnson <raj@cisco.com> Wed, 03 December 2008 17:28 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6103B28C13A; Wed, 3 Dec 2008 09:28:33 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 548403A69CD; Tue, 2 Dec 2008 14:35:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mv7XvT3oVxc5; Tue, 2 Dec 2008 14:35:32 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 5E2EA3A69AD; Tue, 2 Dec 2008 14:35:32 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.33,704,1220227200"; d="scan'208";a="205304672"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 02 Dec 2008 22:35:09 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id mB2MZ639006374; Tue, 2 Dec 2008 14:35:06 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id mB2MZ65s020602; Tue, 2 Dec 2008 22:35:06 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 2 Dec 2008 14:35:06 -0800
Received: from stealth-10-32-254-179.cisco.com ([10.32.254.179]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 2 Dec 2008 14:35:05 -0800
References: <alpine.BSF.1.10.0811260255330.4213@fledge.watson.org> <90AC45ED-BF49-46ED-A35A-14E1BF699959@cisco.com> <56DEB14D23377D001B19EFE5@p3.int.jck.com>
Message-Id: <F0269B96-BC56-4607-BE24-896973060A79@cisco.com>
From: Richard Johnson <raj@cisco.com>
To: John C Klensin <john-ietf@jck.com>
In-Reply-To: <56DEB14D23377D001B19EFE5@p3.int.jck.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: secdir review of draft-raj-dhc-tftp-addr-option-04
Date: Tue, 02 Dec 2008 14:35:04 -0800
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 02 Dec 2008 22:35:05.0309 (UTC) FILETIME=[390058D0:01C954CE]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4548; t=1228257306; x=1229121306; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=raj@cisco.com; z=From:=20Richard=20Johnson=20<raj@cisco.com> |Subject:=20Re=3A=20secdir=20review=20of=20draft-raj-dhc-tf tp-addr-option-04 |Sender:=20; bh=EKO5EpYMqD3gYX+ZT0XGWWkc0eE2rU+WJ6rFnqGvdG0=; b=awECls7GdYGqWUjQ7gHCUg8zmwWstunJymY2tHWVU4OpY1FnrFT0c8/Uwl 7W7iTWAHxoDcRCe+Wq32cI9Z9R+GKlvdmGySwi4Z21uQN0Qpwx7uiIYjSn5P M8Aao+zbcoavd9jTRgcYNQqq7O9H8eNxdXu/D9Ik7W6j0nlHl+fN4=;
Authentication-Results: sj-dkim-1; header.From=raj@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
X-Mailman-Approved-At: Wed, 03 Dec 2008 09:28:31 -0800
Cc: IETF Discussion <ietf@ietf.org>, secdir@ietf.org, dhc Chairs <dhc-chairs@tools.ietf.org>, Samuel Weiler <weiler@watson.org>, IESG IESG <iesg@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
Ok, maybe I'm not understanding what's being suggested or maybe I'm
simply reading the existing text in a different way. Here's the
contents of the draft's "Security Considerations" section:
> A rogue DHCP Server could use this option in order to coerce a
> Client
> into downloading configuration from an alternate Configuration
> Server
> and thus gain control of the device's configuration. This is more
> easily done with the VoIP Configuration Server Address option
> than it
> was with the "TFTP Server Name" option, because in the latter case
> the attack would need to control DNS responses as well as inserting
> the rogue DHCP option information. If this is a concern, then
> either
> DHCP Authentication may be used, or the "TFTP Server Name" option
> may
> be used instead.
>
> Message authentication in DHCP for intradomain use where the out-
> of-
> band exchange of a shared secret is feasible is defined in
> [RFC3118].
> Potential exposures to attack are discussed in section 7 of the
> DHCP
> protocol specification in [RFC2131].
>
> Other out-of-band methods of verifying the validity of the VoIP
> Configuration Server Address, such as certificates of trust,
> could be
> used to mitigate some security concerns.
So, it only mentions option 66 ("TFTP Server Name" option) by
comparison and in order to point out the relative levels of security
involved. It has no "suggestion to use option 66".
The text already has an "explanation about why the use of this option
without authentication might be problematic". As a matter of fact, it
seems rather explicit on the matter.
I don't see why we would want to add "mandating the use of DHCP Auth",
since that would go far beyond "describe the existing practice, don't
try to change it in this document".
In short, I the current text seems to already address all of the
points made except for mandating DHCP Auth, which is not in agreement
with the spirit of RFC3942, since it would change the way in which the
option is used.
/raj
On Dec 2, 2008, at 12:53 PM, John C Klensin wrote:
>
>
> --On Tuesday, 02 December, 2008 15:23 -0500 Ralph Droms
> <rdroms@cisco.com> wrote:
>
>> Sam - I think most of the issues in your review of
>> draft-raj-dhc-tftp-addr-option-04 can be resolved by reviewing
>> the purposes of RFC 3942 and publishing Informational RFCs
>> describing DHCP option codes. Fundamentally, the reason to
>> publish RFCs under the process described in RFC 3942 is to
>> document existing uses of option codes in the range of option
>> codes reclaimed for assignment to new DHCP options. The
>> concern is to avoid conflicts between new options and those
>> grandfathered ("hijacked") option codes. As such, these RFCs
>> (usually Informational) simply document the already
>> ...
>> Responding to some of your specific points:
>>
>>>> At the very least, I suggest mandating the use of DHCP Auth
>>>> and removing the suggestion to use option 66 to enhance
>>>> security. And, in the absence of a more data about how
>>>> widely used this option is, I suggest not publishing this
>>>> document at all.
>>
>> The consensus of the dhc WG, to which I concur, is to publish
>> the document as Informational. The text in the Security
>> Considerations section about option 66 might be removed.
>> ...
>> To reiterate, it's not so much a question of whether a new
>> code point is needed; rather, according to the procedures
>> described in RFC 3942, this document gives a description of an
>> existing use of option code 150. That option code is in use
>> ...
>
> Ralph,
>
> It seems to me that there is a middle ground here. One can
> stick with Informational publication as the WG intends, but
> still modify the Security Considerations section, not only to
> remove the reference to option 66 (if there is consensus that is
> appropriate) but to add some explanation about why the use of
> this option without authentication might be problematic.
>
> Put differently, your objection to Sam's suggestion seems to
> hinge on "just describe the existing practice, don't try to
> change it in this document". Given RFC 3492, that is entirely
> reasonable. But, if there are relatively obvious difficulties
> with that practice, it seems to me that documenting them would
> be helpful (indeed that not doing so borders on irresponsible).
>
> john
>
>
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
- secdir review of draft-raj-dhc-tftp-addr-option-04 Samuel Weiler
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… John C Klensin
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Jari Arkko
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Samuel Weiler
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-opti… Cullen Jennings
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman