Re: [renum] Key management [draft-liu-6renum-gap-analysis-03]
Mark Andrews <marka@isc.org> Wed, 14 December 2011 01:43 UTC
Return-Path: <marka@isc.org>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8B6F21F8ACE for <renum@ietfa.amsl.com>; Tue, 13 Dec 2011 17:43:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.582
X-Spam-Level:
X-Spam-Status: No, score=-2.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pbw4+yljf0J for <renum@ietfa.amsl.com>; Tue, 13 Dec 2011 17:43:42 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 8BA2021F84C9 for <renum@ietf.org>; Tue, 13 Dec 2011 17:43:41 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id D17AE5F9891; Wed, 14 Dec 2011 01:43:26 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:9dbe:1913:d1c:b98c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id C2D7B216C6A; Wed, 14 Dec 2011 01:43:24 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 722571A078FB; Wed, 14 Dec 2011 12:43:22 +1100 (EST)
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <5C46AA96-3CDA-41AD-8197-E7989DEC2609@gmail.com> <5D36713D8A4E7348A7E10DF7437A4B9218580CF0@SZXEML506-MBX.china.huawei.com> <7D6F6DAB-D8B3-46AA-8339-D9B92E6356F1@gmail.com> <20111209224530.322F11968819@drugs.dv.isc.org> <4EE7B177.6020309@gmail.com>
In-reply-to: Your message of "Wed, 14 Dec 2011 09:11:35 +1300." <4EE7B177.6020309@gmail.com>
Date: Wed, 14 Dec 2011 12:43:22 +1100
Message-Id: <20111214014322.722571A078FB@drugs.dv.isc.org>
Cc: "renum@ietf.org" <renum@ietf.org>
Subject: Re: [renum] Key management [draft-liu-6renum-gap-analysis-03]
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2011 01:43:47 -0000
In message <4EE7B177.6020309@gmail.com>, Brian E Carpenter writes: > On 2011-12-10 11:45, Mark Andrews wrote: > > In message <7D6F6DAB-D8B3-46AA-8339-D9B92E6356F1@gmail.com>, Ran Atkinson write > > s: > > ... > >>>> I think the problems with key management deserve their > >>>> own subsection in Section 10 -- as a category of "gap" > >>>> that ought to be addressed. That new subsection ought > >>>> to note the operational issues with key provisioning > >>>> and key management for Secure Dynamic DNS Update > >>>> (at least for non-MS nodes) and equally or more so > >>>> for Secure DHCPv6 and SEND. One would hope these > >>>> would not fall into the "unsolvable gap" category, > >>>> but in any event these gaps do need to be clearly > >>>> documented. > > >>> The key management is a complicated issue. It is worth > >>> a separated draft. It is relevant. However, we don't > >>> think it is a renumbering specific issue. We will add > >>> some new text for it. But we would like to leave it out of scope. > >> I do not think that ignoring the issue or declaring it > >> out-of-scope is a legitimate position to take for this > >> document. > >> > >> IETF rules require that ALL documents must fully address > >> Security Considerations *within their own document*. > >> > >> Ignoring that topic -- or shunting it off to other > >> documents -- will result in a Last Call objection from me > >> and possibly others on the very solid technical grounds > >> that the Security Considerations are known to be deficient. > > Right, but the question is what can we say about key management > that is specific to enterprise renumbering? We can explain the > problem, but this is presumably not the WG where a solution should > be developed. > > > With Windows you add the machine to the domain. This is a > > one off procedure and the last time I did it this it needed > > a domain administrators password if my memory is correct. > > > > Initial registration doesn't necessarially need to be standardised. > > It can be ad-hoc. Log into a web page and it can return a TSIG > > which is configured into the nameserver and the client machine. > > > > That's done all the time to secure zone transfers. > > > > What need to be standardised is what goes on the wire and that > > was done years ago. The rest really is implementation detail. > > Really? It seems to me that the Windows solution will only work for > a Microsoft shop, not for a heterogeneous enterprise network. If you really want a mechanism to do this then something like this will work: If the machine does not already have a configured TSIG (RFC 2845) it will generate a one time public/private key pair and send the public key along with a request for a TSIG to update the forward zone in a DHCP request. The DHCP server will make a TKEY (RFC 2930) request, on behalf of the client, using its credentials to the DNS server and return the resulting TSIG key to the client encrypting the TSIG option response using the public key in the request. The returned TSIG key should be stored in non-volatile memory. The DHCP server operates as the secure introducer to the DNS server. One would probably want to signal if the TSIG request is for globally or locally unique name and be able to request both. This will allow the host to update multiple namespaces by using the different TSIGs Different DHCP server credentials could be used to signal this or we could specify a TKEY option. ULA/RFC 1918 would be private addresses and would only be addded to the local name space. We can do something similar for PPP. Security considerations: If the DHCP option is responded to by a rogue server the worst is a denial of service attack. The DHCP server can pretend to be the DHCP client as it has seen the TSIG material. > Brian > _______________________________________________ > renum mailing list > renum@ietf.org > https://www.ietf.org/mailman/listinfo/renum -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [renum] draft-liu-6renum-gap-analysis-03 Sheng Jiang
- Re: [renum] draft-liu-6renum-gap-analysis-03 Ran Atkinson
- Re: [renum] draft-liu-6renum-gap-analysis-03 Mark Andrews
- [renum] Key management [draft-liu-6renum-gap-anal… Brian E Carpenter
- Re: [renum] Key management [draft-liu-6renum-gap-… Mark Andrews
- Re: [renum] draft-liu-6renum-gap-analysis-03 Leo Liu(bing)