IETF Logo Mail Archive

Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 21 September 2012 12:27 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7848E21F8815 for <renum@ietfa.amsl.com>; Fri, 21 Sep 2012 05:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.566
X-Spam-Level:
X-Spam-Status: No, score=-103.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3KHUCY7zb8uS for <renum@ietfa.amsl.com>; Fri, 21 Sep 2012 05:27:14 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id C40B321F8810 for <renum@ietf.org>; Fri, 21 Sep 2012 05:27:14 -0700 (PDT)
Received: by iec9 with SMTP id 9so6008857iec.31 for <renum@ietf.org>; Fri, 21 Sep 2012 05:27:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=a02lfJuwEymEPt56F9a6Uo+THJBg+zrPiyBaxYA5Kaw=; b=NYv6dkE1MgKkk4wnA9L6zmbcBmNXN7CCMwy1nX4WMoNGaglPGfEn3cMOmC2nLydFw3 0R9XPmPfUr/otVeu0frOr6DuEGfR6/u26ITRJGaxlhZ2Rl07GUYVr6t2weM/Rvd4EGrd m2Yp/GgUA1VTwzR2i0NfdxLzQshm3byFH9NuK9y6ib63u0qH6tWNM5u/W2x8YvtGGdX9 yaETnmN/TpxrITwbVu2ro6lZkNDeRtWCGxtVBlycPGguD8Kko5kTSVwkq/T/zEuOKl/S R/7QxMwC+Lbuy/kFYttsK67wU/XaaA0OyPg7f/trAhbaX1KqtQrSHERV5hvo3Sa+YM47 xjCw==
Received: by 10.50.7.177 with SMTP id k17mr1495716iga.27.1348230434164; Fri, 21 Sep 2012 05:27:14 -0700 (PDT)
Received: from [10.255.25.102] (50-76-68-140-static.hfc.comcastbusiness.net. [50.76.68.140]) by mx.google.com with ESMTPS id a10sm12468913igd.1.2012.09.21.05.27.12 (version=SSLv3 cipher=OTHER); Fri, 21 Sep 2012 05:27:13 -0700 (PDT)
Message-ID: <505C5D28.5080409@gmail.com>
Date: Fri, 21 Sep 2012 13:27:20 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: RJ Atkinson <rja.lists@gmail.com>
References: <07A9B495-21EA-4DFD-84BC-AF5BB6B62BE2@gmail.com> <8AE0F17B87264D4CAC7DE0AA6C406F452935720A@szxeml509-mbs>, <E2FEB233-3206-4E6C-B54D-BA832B545009@gmail.com> <201209210356573495357@cnnic.cn> <27FE2BC1-E089-4FED-9197-002AE3ABD1FF@gmail.com>
In-Reply-To: <27FE2BC1-E089-4FED-9197-002AE3ABD1FF@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: renum@ietf.org
Subject: Re: [renum] I-D Action: draft-ietf-6renum-gap-analysis-03.txt
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2012 12:27:15 -0000

On 21/09/2012 12:11, RJ Atkinson wrote:
> On 20  Sep 2012, at 15:56 , Di Ma wrote:
>> Since the IPSec is address-oriented...
> 
> We continue to disagree about this.

Put it this way. The community needs to change its bad habit of using IPSec
in an address-oriented way, and renumbering is one of the main reasons
for that. So it is 6renum's job to strongly recommend the change.

It remains true, of course, that even if an SA survives renumbering,
the transport session running over that SA will also have to be renumbered,
but that's a separate problem.

   Brian

> 
>> ...and the DHCP server is responsible for IP address configuration,
>> we might as well integrate IPSec SA parameters configuration into
>> IP address assignment by extending DHCP where the IP address
>> configuration node (DHCP server) plays like an “administrator”
>> using DHCP to configure IPSec SA parameters in a host, after it,
>> in deputy of the host, has negotiated with a CPN server the
>> very host wants to establish IPSec with.  
> 
> This seems very unwise for any IETF standards work,
> from multiple perspectives.  A quick subset of examples,
> each by itself sufficient to illustrate why this would
> be unwise, follow:
> 
> 
> * A very basic one is that one would not want to standardise 
>   the trust model issues that such an approach would create.
> 
>   EXAMPLE:
>   While I might trust the DHCP server at the coffee shop
>   for the limited function of assigning an IP address and
>   conveying minimally essential IP-layer information to my
>   laptop, I definitely DO NOT trust the coffee shop network
>   or its infrastructure components (e.g. DHCP server).  So
>   when I would begin work, I would always want to directly
>   secure the communications channel between my laptop and
>   my workplace -- without ANY intermediaries.
> 
> 
> * Related to that, user security and privacy would be 
>   compromised by such centralisation and the delegation 
>   implied by "in deputy of the host".  
> 
>   EXAMPLE:
>   Basically, the proposal would be to standardise use of any
>   DHCP server as an attacker for an automated "man in the middle" 
>   attack.  I see zero chance of the IETF Security Area
>   approving this.
> 
> 
> * DHCP is not suitable for key management, while the above
>   proposes using DHCP to manage keys (IPsec SAs).
> 
> 
> Given these issues, and previous notes in this thread explaining
> how IPsec-related renumbering works today, it is not obvious that 
> the contents of your note are appropriate for this gap analysis 
> document.  
> 
> Yours,
> 
> Ran
> 
> 
> _______________________________________________
> renum mailing list
> renum@ietf.org
> https://www.ietf.org/mailman/listinfo/renum
>

v2.23.0 | Report a Bug | By Email