Re: [saag] New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt

Alan DeKok <aland@deployingradius.com> Sat, 01 August 2015 07:32 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <DM2PR0301MB0655D564B5F697E14F5CF371A88B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Sat, 01 Aug 2015 09:31:33 +0200
Message-Id: <4E607681-7B1F-4128-9F24-D98FE23AA958@deployingradius.com>
References: <313da830.6be8.14ed8564467.Coremail.lilishan48@126.com> <m2mvyfh1re.wl%randy@psg.com> <55B8A692.8080409@cs.tcd.ie> <m2a8ufgpjn.wl%randy@psg.com> <55B8D49A.1010402@cs.tcd.ie> <m2y4hyg2za.wl%randy@psg.com> <DM2PR0301MB0655D564B5F697E14F5CF371A88B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
To: Christian Huitema <huitema@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/Xm43YDNUnYO8WSFoJrvkcU6C0HU>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt

On Jul 30, 2015, at 2:17 AM, Christian Huitema <huitema@microsoft.com> wrote:
> Even in the "trusted network" scenario, the gain is only apparent in the absence of link-layer protection. For example, enterprise Wi-Fi networks typically use 802.1x and EAP to negotiate a link-layer encryption key specific to the client. This goes a long way towards protecting all the link traffic, including DHCP.

  That protects the traffic from third party observers, at least at the radio layer.  It doesn't authenticate the DHCP traffic as coming from a trusted source.  The rest of the wired network may still be penetrated and broken.

> Clearly there is a residual risk of on-line attackers, such as a local computer owned by a virus. That risk is generally mitigated by filters in the switches, restricting the sending of DHCP and RA packets. DHCP encryption would be useful if it was easier to deploy than those filters, and more secure.

  Or just sign the DHCP packets with a key derived from the 802.1X keys.  That requires no interaction with the switches.  Only the DHCP client and server need to be updated.

  Alan DeKok.
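The signing scheme Alan sketches above, as an added illustration that is not part of this mail or of any DHCPv6 draft: the client derives a per-client HMAC key from a key it is assumed to share with the DHCPv6 server from the 802.1X/EAP exchange (constructed here), appends a signature option to its SOLICIT, and the server verifies it without any switch involvement. The option code, the HKDF labels and the choice of 802.1X-derived key are assumptions; only the DHCPv6 message/option layout and the SOLICIT and CLIENTID codes come from RFC 3315.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a key the client and DHCPv6 server are assumed to
# share from the 802.1X/EAP exchange (e.g. material exported with the MSK).
EAP_EXPORTED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SIG_OPTION, MAC_LEN = 0xFFFE, 32   # placeholder option code (not registered), HMAC-SHA256 size
SOLICIT, OPTION_CLIENTID = 1, 1    # RFC 3315 message type / option code
SIG_HEADER = struct.pack("!HH", SIG_OPTION, MAC_LEN)

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + t, counter + 1
    return okm[:length]

def derive_dhcp_key(eap_key, client_duid):
    # Bind the signing key to the DHCPv6 purpose and to this client's DUID
    # (the salt/info labels are assumptions for this sketch).
    return hkdf_sha256(eap_key, b"dhcpv6-sign", b"dhcpv6 message auth" + client_duid)

def build_message(msg_type, xid, options):
    """Minimal DHCPv6 message: msg-type (1 byte), transaction-id (3), TLV options."""
    body = struct.pack("!B", msg_type) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body

def sign_message(msg, key):
    # Client side: the MAC covers the whole message (transaction-id included)
    # plus the signature option header, so nothing before the MAC can be altered.
    return msg + SIG_HEADER + hmac.new(key, msg + SIG_HEADER, hashlib.sha256).digest()

def verify_message(signed, key):
    # Server side: require the signature option last, recompute, compare in constant time.
    tail = 4 + MAC_LEN
    if len(signed) < 4 + tail or signed[-tail:-MAC_LEN] != SIG_HEADER:
        return False
    expected = hmac.new(key, signed[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(signed[-MAC_LEN:], expected)

# Constructed client: DUID-LL with a made-up link-layer address, sending a SOLICIT.
CLIENT_DUID = bytes.fromhex("00030001" "0200aabbccdd")
DHCP_KEY = derive_dhcp_key(EAP_EXPORTED_KEY, CLIENT_DUID)
SOLICIT_MSG = build_message(SOLICIT, 0x123456, [(OPTION_CLIENTID, CLIENT_DUID)])
SIGNED_SOLICIT = sign_message(SOLICIT_MSG, DHCP_KEY)
```

A server that shares the same EAP-derived material accepts SIGNED_SOLICIT and rejects the unsigned message, any modified byte, or a message signed under another client's key.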