Re: [saag] time to authenticate dhcp?

Michael Richardson <mcr@sandelman.ottawa.on.ca> Tue, 09 December 2008 02:00 UTC

From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20081208173839.0e26afe4@cs.columbia.edu>
References: <20081208173839.0e26afe4@cs.columbia.edu>
X-Mailer: MH-E 7.82; nmh 1.1; XEmacs 21.4 (patch 19)
Date: Mon, 08 Dec 2008 20:27:41 -0500
Message-ID: <7460.1228786061@marajade.sandelman.ca>
Cc: saag@ietf.org
Subject: Re: [saag] time to authenticate dhcp?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Steven" == Steven M Bellovin <smb@cs.columbia.edu> writes:
    Steven> But how, in a public setting?  How can "Steve" (to use the
    Steven> name from the article) *realistically* tell his laptop the
    Steven> proper public key to expect?

  He can't until he is online to look it up.  Naming it is easy.

  Once online, he can confirm it.  What key?  Why a DHCPKEY(tbd) or
perhaps a DNSKEY in the in-addr.arpa for the DHCP server's IP. 
  See www.wavesec.org.
  
  Also see
     http://www.sandelman.ca/SSW/ietf/dhc/draft-richardson-dhc-auth-sig0-00.txt

  which never got enough enthusiasm to bother going forward (nor enough
cycles from the freeswan team)

  Note that given a trusted anchor for in-addr.arpa (whether signed .,
or DLV for in-addr.arpa, or whatever), you can confirm the key.  If your
local DNS cache is not empty, you may already be able to authenticate
it.
  If the machine doing a MITM on your DHCP server is doing such a good
job of emulating the rest of the Internet that things check out, then I
would suggest that you really are on the Internet :-)

  Note that of course, this completely fails when your DHCP server is
192.168.1.1.   Is there some way to use the outer IP of the router in
the cafe?  

  But, if you postulate IPv6, you might as well postulate SEND as well.

  As far as I can tell, this "DNSChanger", "DHCPChanger" attack is
completely untouched by using 802.1x/WPA/WPA2 "security", because the
layer3 is not bound (as in channel bound) to the layer2 security.

- -- 
]      Y avait une poule jammer dans le muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBST3Ji4CLcPvd0N1lAQJn/Af/RuJWzBQfJYml9d9wHVs2ur3caJ9K1ISJ
ps+zHKKYfFkw0KDDk+a3Km62xNlF7Lf7fPoZ+u4t20u6GobuJeR3NGZTOGYbjHsK
UDduBVi/I9vEXZBd9k/tunqw89c4lGqQN7XbORq+vbLLUWmcdsnYwaMAFPI3jhZp
ma7hYnX+7Vfg+5zNYtMqkhhFXfF6pbeQeu9HtpHcdEex/lTWlnCUpE3Qjb4BLlG8
ymPNA9cgpwFlWUgi7oZ6KHZ2K1Nro0tuIqLtllstR/e1RQHz6owOsHOLYVjql40i
kkcwU4/tgjW8I3hBxckvPzc+29ipsB8UN7NO3qJu1YYKEF4h+qDvrQ==
=fPHj
-----END PGP SIGNATURE-----
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
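The check Michael sketches above, as an added example that is not part of the original post or of the draft he links: a client maps the DHCP server's address to its in-addr.arpa owner name, looks that name up in a (constructed, inline) stand-in for a validating resolver's cache, and only accepts the signed DHCP message if the cached key chained up to a trust anchor. It also handles the failure mode he notes: a server at an RFC 1918 address such as 192.168.1.1 has no globally meaningful reverse zone, so the method cannot apply. The key itself is a toy RSA pair built from two small Mersenne primes so the block runs without an external crypto library; it stands in for whatever DNSKEY algorithm a real deployment would use and is not secure at this size. The function names, the cache layout and the `validated` flag (mirroring the DNSSEC AD bit) are all assumptions of this example.

```python
import hashlib
import ipaddress

# Constructed toy RSA key pair: two well-known Mersenne primes stand in for the
# DHCP server's DNSKEY. Far too small for real use; it only keeps the example
# self-contained without an external crypto library.
_P = 2**31 - 1
_Q = 2**61 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

# Address blocks that cannot carry a meaningful, globally signed reverse zone
# (RFC 1918 space plus loopback and link-local). A DHCP server at 192.168.1.1
# falls here, which is exactly the case the post says the scheme cannot cover.
_NON_UNIQUE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


def reverse_name(ip: str) -> str:
    """Map an IPv4 address to the in-addr.arpa owner name the DNSKEY would live under."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def has_meaningful_reverse_zone(ip: str) -> bool:
    """False for addresses whose reverse zone no trust anchor can vouch for."""
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in _NON_UNIQUE)


def _hash_mod_n(message: bytes, n: int) -> int:
    # Reduce SHA-256 of the message into Z_n; correct for any n that is a
    # product of distinct primes, which is all the toy scheme needs.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def toy_sign(message: bytes, d: int = _D, n: int = _N) -> int:
    """Server side: sign the DHCP message with the private half of the toy key."""
    return pow(_hash_mod_n(message, n), d, n)


def toy_verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Client side: check the signature against the public key found in DNS."""
    return pow(signature, e, n) == _hash_mod_n(message, n)


# Constructed stand-in for a local validating resolver's cache. Each entry is
# ((e, n), validated); validated mirrors the DNSSEC AD bit, i.e. the record
# chained up to the configured trust anchor for in-addr.arpa.
VALIDATED_CACHE = {
    reverse_name("203.0.113.1"): ((_E, _N), True),    # key chained to the trust anchor
    reverse_name("203.0.113.2"): ((_E, _N), False),   # present but never validated
}


def verify_dhcp_server(server_ip: str, offer: bytes, signature: int, cache) -> str:
    """Decide whether a signed DHCP message can be attributed to server_ip.

    Returns one of:
      'unverifiable-private'  non-unique address, no reverse zone to anchor a key in
      'no-key'                nothing cached for the reverse name (must go online first)
      'key-not-validated'     key found but not DNSSEC-validated, so it proves nothing
      'bad-signature'         validated key does not verify the message
      'ok'                    validated key verifies the message
    """
    if not has_meaningful_reverse_zone(server_ip):
        return "unverifiable-private"
    entry = cache.get(reverse_name(server_ip))
    if entry is None:
        return "no-key"
    (e, n), validated = entry
    if not validated:
        return "key-not-validated"
    if not toy_verify(offer, signature, e, n):
        return "bad-signature"
    return "ok"


if __name__ == "__main__":
    # Constructed DHCP message body; a real client would sign the wire-format packet.
    offer = b"DHCPOFFER yiaddr=203.0.113.50 router=203.0.113.1 dns=203.0.113.53"
    sig = toy_sign(offer)
    for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3", "192.168.1.1"):
        print(ip, "->", verify_dhcp_server(ip, offer, sig, VALIDATED_CACHE))
    print("tampered ->", verify_dhcp_server("203.0.113.1", offer + b" dns=203.0.113.99",
                                            sig, VALIDATED_CACHE))
```

The ordering of the checks is the point: an unvalidated cache entry is treated the same as an attacker-supplied one, and a signature is only consulted once the key has a chain to the anchor, so a rogue server that also answers DNS cannot help itself by handing out its own DNSKEY.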