IETF Logo Mail Archive

RE: [OPS-AREA] FW: DHC recharter

"David Harrington" <ietfdbh@comcast.net> Tue, 02 October 2007 19:42 UTC

Return-path: <ops-area-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IcndY-0007rQ-Fo; Tue, 02 Oct 2007 15:42:32 -0400
Received: from ops-area by megatron.ietf.org with local (Exim 4.43) id 1IcndX-0007qz-Ua for ops-area-confirm+ok@megatron.ietf.org; Tue, 02 Oct 2007 15:42:31 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IcndX-0007qr-Ig for ops-area@ietf.org; Tue, 02 Oct 2007 15:42:31 -0400
Received: from sccrmhc13.comcast.net ([204.127.200.83]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IcndW-00079m-Ne for ops-area@ietf.org; Tue, 02 Oct 2007 15:42:31 -0400
Received: from harrington73653 (c-24-128-104-207.hsd1.nh.comcast.net[24.128.104.207]) by comcast.net (sccrmhc13) with SMTP id <2007100219423001300hc2c5e>; Tue, 2 Oct 2007 19:42:30 +0000
From: David Harrington <ietfdbh@comcast.net>
To: "'Romascanu, Dan (Dan)'" <dromasca@avaya.com>, ops-area@ietf.org
References: <EDC652A26FB23C4EB6384A4584434A0446F48C@307622ANEX5.global.avaya.com>
Subject: RE: [OPS-AREA] FW: DHC recharter
Date: Tue, 02 Oct 2007 15:42:28 -0400
Message-ID: <014801c8052c$5d884250$6502a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
thread-index: Acf+GG1GMP7raXYVSFOxtE/U+5MkHQAaNc4wAapj/oA=
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A0446F48C@307622ANEX5.global.avaya.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ff0adf256e4dd459cc25215cfa732ac1
Cc:
X-BeenThere: ops-area@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: OPS Area e-mail list <ops-area.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ops-area>, <mailto:ops-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ops-area>
List-Post: <mailto:ops-area@ietf.org>
List-Help: <mailto:ops-area-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ops-area>, <mailto:ops-area-request@ietf.org?subject=subscribe>
Errors-To: ops-area-bounces@ietf.org

Hi,

DHCP is used for configuration.
As with all NM protocols, there is a cascading vulnerability issue.
If a man in the middle can alter the DHCP configuration, they could
create a vulnerability in the configured target. This vulnerability
could potentially open security holes through which an attacker could
attack other parts of the system.

All protocol standards that are used to configure or provision devices
should be required to support secure transport, including
authentication and replay protection and integrity checking and
encryption, and possibly access controls for the data being
configured. Operators should be allowed to turn these security
features off for their networks if desired.

This requirement is consistent with BCP61 "Strong Security
Requirements for Internet Engineering Task Force Standard Protocols".

David Harrington
dbharrington@comcast.net
ietfdbh@comcast.net


> -----Original Message-----
> From: Romascanu, Dan (Dan) [mailto:dromasca@avaya.com] 
> Sent: Monday, September 24, 2007 4:03 AM
> To: ops-area@ietf.org
> Subject: [OPS-AREA] FW: DHC recharter
> 
>  
> Comments from the OPS area would be welcome. 
> 
> Dan
> 
> 
>  
> 
> -----Original Message-----
> From: Jari Arkko [mailto:jari.arkko@piuha.net] 
> Sent: Sunday, September 23, 2007 9:31 PM
> To: IESG; IAB
> Cc: Dhc Chairs
> Subject: DHC recharter
> 
> 
> Secretary (Bcced),
> 
> Please put DHC WG rechartering to the next IESG telechat 
> agenda. (Under
> category "consideration for IETF review".)
> 
> IESG, IAB: this is a fairly major update of the DHC charter.
> The new charter has more specific rules about what the group can and
> cannot do with regards to DHC option development. And there's 
> an updated
> specification of how DHC WG and other WGs work together when a new
> option is needed.
> 
> Work that has been completed has been taken out of the charter. Work
> that has not generated enough energy has been taken out.
> 
> I see no evidence of interest in DHCP security, other than 
> the DSL Forum
> demands, but I think we should take those separately. (I.e., decide
> whether those make sense and if they do, recharter again.) As a
result
> we have taken out the authentication work entirely.
> 
> Comments appreciated. The charter has been discussed in the 
> WG list and
> in one of the previous meetings; the version below is a changed one
> based on discussions between the chairs and the AD. It has also been
> posted for WG comment; I expect that to conclude before our next
> telechat.
> 
> Jari
> 
> ----
> 
> The dhc working group (DHC WG) has developed DHCP for automated
> allocation, configuration and management of IP addresses and TCP/IP
> protocol stack parameters. DHCPv4 is currently a "Draft 
> Standard" and is
> documented in RFC 2131 and RFC 2132.  DHCPv6 is currently a
"Proposed
> Standard" and is documented in RFC 3315.  Subsequent RFCs document
> additional options and other enhancements to the specifications.
> 
> The DHC WG is responsible for reviewing DHCP options or other 
> extensions
> (for both IPv4 and IPv6). The DHC WG is expected to review 
> all proposed
> extensions to DHCP to ensure that they are consistent with the DHCP
> specification and other option formats, that they do not duplicate
> existing mechanisms, etc.  Generally speaking, the DHC WG will not
be
> responsible for evaluating the semantic content of proposed options.
> Similarly, the ownership of specifications typically belongs the
> relevant working group that needs more functionality from 
> DHCP, not the
> DHC WG. The DHC WG coordinates reviews of the proposed 
> options together
> with those working groups. It is required that those working 
> groups have
> consensus to take on the work and that the work is within 
> their charter.
> Exceptionally, with AD agreement, this same process can also 
> be used for
> Individual Submissions originating outside WGs.
> 
> However, the DHC WG can in some cases develop its own options that
> relate to either maintenance of existing specifications or 
> improvements
> in the operation of the DHCP infrastructure itself.
> 
> The DHC WG has the following main objectives:
> 
> * Develop extensions to the DHCP infrastructure as required to meet
>   new applications and deployments of DHCP. The topics currently
>   in development are:
> 
>     - Subnet allocation mechanisms
>     - Virtual subnet identification option
>     - Option for passing DNS domain information in DHCPv6
>     - DHCP relay agent assignment notification in DHCPv6
>     - Option for DHCPv6 server reply sequence numbers
>     - Rebinding capability for DHCPv6 Reconfigure messages
> 
>   The adoption of new items requires explicit agreement from
>   the AD or rechartering.
> 
> * Write analyses of the DHCPv4 and DHCPv6 specifications,
>   including RFC 2131, RFC 2132, RFC 3315 and other RFCs defining
>   additional options, which identifies ambiguities, contradictory
>   specifications and other obstacles to development of interoperable
>   implementations. Recommend a process for resolving identified
>   problems and incorporating the resolutions into the DHCP
>   specification.
> 
>   Secondly, advance DHCPv4 (RFC 2131 and RFC 2132) and DHCPv6 (RFC
>   3315) in IETF Standards Track.
> 
>   Thirdly, specify guidelines for creating new DHCP options.
> 
> * Assess the requirements for a dual-stack host to use DHCP to
obtain
>   configuration settings for both IPv4 and IPv6.  Hosts that include
>   implementations of both IPv4 and IPv6 ("dual-stack hosts") may use
>   DHCP to obtain configuration settings (including assigned
addresses)
>   for both IPv4 and IPv6.  The DHCPv4 and DHCPv6 specifications (RFC
>   2131, RFC 2132, RFC 3315 and subsequent RFCs) do not explicitly
>   explain how a dual-stack host uses DHCP to obtain configuration
>   settings for both IP stacks.  The DHC WG will evaluate solutions
for
>   configuration of dual-stack hosts through DHCP and select a
solution
>   that will be developed and published by the WG.
> 
> Milestones:
> 
> Done   WG last call for "Subnet Allocation Option"
>        <draft-ietf-dhc-subnet-alloc-04>
> Done   WG last call on "Virtual Subnet Selection Option",
>        <draft-ietf-dhc-vpn-option>
> Oct 07 Submit "Subnet Allocation Option"
>        <draft-ietf-dhc-subnet-alloc-04> to IESG
>        for Proposed Standard
> Nov 07 WG last call on "Guidelines for Creating New DHCP Options"
>        <draft-ietf-dhc-option-guidelines>
> Nov 07 Submit "Virtual Subnet Selection Option",
>        <draft-ietf-dhc-vpn-option> and <draft-ietf-dhc-agent-vpn-id>
>        to IESG for Proposed Standard
> Dec 07 WG last call for "Domain Suffix Option for DHCPv6"
>        <draft-ietf-dhc-dhcpv6-opt-dnsdomain>
> Jan 08 Submit "Domain Suffix Option for DHCPv6"
>        <draft-ietf-dhc-dhcpv6-opt-dnsdomain> to IESG
>        for Proposed Standard
> Jan 08 Submit "Guidelines for Creating New DHCP Options"
>        <draft-ietf-dhc-option-guidelines> to IESG for Best Current
>        Practice
> Jan 08 Develop plan for advancing DHCPv4 and DHCPv6; plan to include
>        completion of DHCPv4 specification review report,
>        "Implementation Issues with RFC 2131"
>        <draft-ietf-dhc-implementation-02> for Informational Feb 08
WG
> last call for "Dual-stack clients and merging of data from
>        DHCPv4 and DHCPv6" <draft-ietf-dhc-dual-stack-merge-01.txt>;
>        waiting for more experience with IPv6 deployment Feb 08 WG
last
> call for "Rebind Capability in DHCPv6 Reconfigure
>        Messages" <draft-ietf-dhc-dhcpv6-reconfigure-rebind-00>
> Apr 08 2nd WG last call for "DHCP Relay Agent Assignment
Notification
>        Option" <draft-ietf-dhc-dhcpv6-agentopt-delegate-01> and
>        "DHCPv6 Server Reply Sequence Number Option"
>        <draft-ietf-dhc-dhcpv6-srsn-option-00>
> May 08 Submit "Rebind Capability in DHCPv6 Reconfigure Messages"
>        <draft-ietf-dhc-dhcpv6-reconfigure-rebind-00> to IESG for
>        Proposed Standard
> Jul 08 Submit "DHCP Relay Agent Assignment Notification Option"
>        <draft-ietf-dhc-dhcpv6-agentopt-delegate-01> and "DHCPv6
Server
>        Reply Sequence Number Option"
>        <draft-ietf-dhc-dhcpv6-srsn-option-00> to IESG for
>        Proposed Standard
> Jul 08 Recharter for more work
> 
> 
> 
> _______________________________________________
> OPS-AREA mailing list
> OPS-AREA@ietf.org
> https://www1.ietf.org/mailman/listinfo/ops-area
> 




_______________________________________________
OPS-AREA mailing list
OPS-AREA@ietf.org
https://www1.ietf.org/mailman/listinfo/ops-area

v2.23.0 | Report a Bug | By Email