Re: [saag] time to authenticate dhcp?
Michael Richardson <mcr@sandelman.ottawa.on.ca> Tue, 09 December 2008 02:00 UTC
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20081208173839.0e26afe4@cs.columbia.edu>
References: <20081208173839.0e26afe4@cs.columbia.edu>
X-Mailer: MH-E 7.82; nmh 1.1; XEmacs 21.4 (patch 19)
Date: Mon, 08 Dec 2008 20:27:41 -0500
Message-ID: <7460.1228786061@marajade.sandelman.ca>
Cc: saag@ietf.org
Subject: Re: [saag] time to authenticate dhcp?
>>>>> "Steven" == Steven M Bellovin <smb@cs.columbia.edu> writes:
    Steven> But how, in a public setting?  How can "Steve" (to use the
    Steven> name from the article) *realistically* tell his laptop the
    Steven> proper public key to expect?

He can't until he is online to look it up.
Naming it is easy. Once online, he can confirm it.

What key? Why a DHCPKEY(tbd) or perhaps a DNSKEY in the in-addr.arpa for the
DHCP server's IP.

See www.wavesec.org. Also see
http://www.sandelman.ca/SSW/ietf/dhc/draft-richardson-dhc-auth-sig0-00.txt
which never got enough enthusiasm to bother going forward (nor enough cycles
from the freeswan team).

Note that given a trusted anchor for in-addr.arpa (whether signed ., or DLV
for in-addr.arpa, or whatever), you can confirm the key. If your local DNS
cache is not empty, you may already be able to authenticate it.

If the machine doing a MITM on your DHCP server is doing such a good job of
emulating the rest of the Internet that things check out, then I would
suggest that you really are on the Internet :-)

Note that of course, this completely fails when your DHCP server is
192.168.1.1. Is there some way to use the outer IP of the router in the cafe?

But, if you postulate IPv6, you might as well postulate SEND as well.

As far as I can tell, this "DNSChanger", "DHCPChanger" attack is completely
untouched by using 802.1x/WPA/WPA2 "security", because the layer3 is not
bound (as in channel bound) to the layer2 security.

-- 
] Y avait une poule jammer dans le muffler!!!!!!!!!           | firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
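The check sketched in the message above (a server key published under the DHCP server's in-addr.arpa name, validated through a DNSSEC trust anchor, then used to verify the server's signature on the offer), as an added example that is not part of the thread, of wavesec or of the draft. Offer, PublishAndSign, Verify, the seed-derived Ed25519 key and the in-memory key map are assumptions standing in for the real DHCP option and a validating resolver; the 192.168.1.1 case shows the failure mode the message points out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net"
)

// Offer is a constructed stand-in for a DHCP OFFER/ACK, not the wire format.
type Offer struct {
	ServerIP net.IP
	Payload  []byte // constructed: the options the client will act on
	Sig      []byte // hypothetical DHCP signature option over Payload
}

// ReverseName maps an IPv4 address to its in-addr.arpa owner name ("" if not IPv4).
func ReverseName(ip net.IP) string {
	v4 := ip.To4()
	if v4 == nil {
		return ""
	}
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.", v4[3], v4[2], v4[1], v4[0])
}

// PublishAndSign is the server side: a key from a constructed seed, published
// under the server's reverse name (the map stands in for DNSSEC-validated
// answers under a signed in-addr.arpa), and a signature over the offer.
func PublishAndSign(seed byte, ip net.IP, payload []byte) (map[string]ed25519.PublicKey, Offer) {
	sk := ed25519.NewKeyFromSeed(append([]byte{seed}, make([]byte, ed25519.SeedSize-1)...))
	keys := map[string]ed25519.PublicKey{ReverseName(ip): sk.Public().(ed25519.PublicKey)}
	return keys, Offer{ServerIP: ip, Payload: payload, Sig: ed25519.Sign(sk, payload)}
}

// Verify is the client side: derive the reverse name, fetch the validated key,
// check the signature. RFC 1918 servers such as 192.168.1.1 fail the lookup:
// no globally delegated in-addr.arpa, so no validated key and no trust.
func Verify(keys map[string]ed25519.PublicKey, o Offer) error {
	pk, ok := keys[ReverseName(o.ServerIP)]
	if !ok {
		return fmt.Errorf("no validated key for %s", o.ServerIP)
	}
	if !ed25519.Verify(pk, o.Payload, o.Sig) {
		return fmt.Errorf("bad signature from %s", o.ServerIP)
	}
	return nil
}

func main() {
	keys, o := PublishAndSign(1, net.ParseIP("203.0.113.1"), []byte("router=203.0.113.1 dns=203.0.113.53"))
	fmt.Println(Verify(keys, o))
	fmt.Println(Verify(keys, Offer{net.ParseIP("192.168.1.1"), o.Payload, o.Sig}))
}
```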