IETF Logo Mail Archive

Re: [saag] New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt

Sam Hartman <hartmans-ietf@mit.edu> Mon, 03 August 2015 12:05 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E4B21B2D08 for <saag@ietfa.amsl.com>; Mon, 3 Aug 2015 05:05:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.465
X-Spam-Level: *
X-Spam-Status: No, score=1.465 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o7lF77OHhSQh for <saag@ietfa.amsl.com>; Mon, 3 Aug 2015 05:05:43 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6555E1B2D09 for <saag@ietf.org>; Mon, 3 Aug 2015 05:05:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id D7DCB2075B; Mon, 3 Aug 2015 08:04:47 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6c-kxGNZ0-xe; Mon, 3 Aug 2015 08:04:47 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-50-136-30-120.hsd1.ma.comcast.net [50.136.30.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 3 Aug 2015 08:04:47 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C8528804F7; Mon, 3 Aug 2015 08:05:34 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Alan DeKok <aland@deployingradius.com>
References: <313da830.6be8.14ed8564467.Coremail.lilishan48@126.com> <m2mvyfh1re.wl%randy@psg.com> <55B8A692.8080409@cs.tcd.ie> <m2a8ufgpjn.wl%randy@psg.com> <55B8D49A.1010402@cs.tcd.ie> <m2y4hyg2za.wl%randy@psg.com> <DM2PR0301MB0655D564B5F697E14F5CF371A88B0@DM2PR0301MB0655.namprd03.prod.outlook.com> <4E607681-7B1F-4128-9F24-D98FE23AA958@deployingradius.com> <BLU181-W40A804FB089C688A209AC593880@phx.gbl> <85F31297-B08F-4A86-B9A0-8004FB78DD01@deployingradius.com>
Date: Mon, 03 Aug 2015 08:05:34 -0400
In-Reply-To: <85F31297-B08F-4A86-B9A0-8004FB78DD01@deployingradius.com> (Alan DeKok's message of "Sun, 2 Aug 2015 10:17:27 +0200")
Message-ID: <tslsi808tm9.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/7VPkCcG8Iaq_GT1XMwb8MNmneJY>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2015 12:05:44 -0000

Bernard claims that using the EAP key hierarchy doesn't prove
authorization to act as a DHCP server.

There's a sense in which this is true.
However, there's another sense in which being involved in the EAP keying
proves that the proposed DHCP server is part of the infrastructure.
I think that provides better assurance by far than we have today.
My hope is that we do not let the perfect solution here become the enemy
of incremental improvement.

v2.23.0 | Report a Bug | By Email