Re: [saag] New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt

Alan DeKok <aland@deployingradius.com> Sat, 01 August 2015 07:29 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <m2y4hyg2za.wl%randy@psg.com>
Date: Sat, 01 Aug 2015 09:28:28 +0200
Message-Id: <A719E0C6-2EF3-4B38-AA67-9030FA925239@deployingradius.com>
References: <313da830.6be8.14ed8564467.Coremail.lilishan48@126.com> <m2mvyfh1re.wl%randy@psg.com> <55B8A692.8080409@cs.tcd.ie> <m2a8ufgpjn.wl%randy@psg.com> <55B8D49A.1010402@cs.tcd.ie> <m2y4hyg2za.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/ae5WFY5mz5LKoZ-tB8XqYXylEfw>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt

On Jul 29, 2015, at 9:47 PM, Randy Bush <randy@psg.com> wrote:
> within an enterprise, one is tempted to suggest enterprise-controlled
> credential distribution; i get a cert (or whatever) oob to let my laptop
> authenticate the dhcp service and vice versa.  but enterprises are
> seeing a lot of byod, and i am not sure how they are dealing with that.
> do they really want to authenticate all mobiles?

  Yes.  Enterprises are moving to ubiquitous 802.1X, both for wired and wireless.  All end-user devices will be authenticated.

  In those situations, it should be trivial to sign the DHCP packets with a key derived from the 802.1X session.  That signals the end device that the DHCP server is run under the same organization as the 802.1X authenticator.  The main reason this doesn't happen (so far as I can tell) is that the DHCP and 802.1X groups don't talk much.  Either at the IETF, or inside of corporations developing operating systems.

> in the coffee shop, one would like the mobile device to be given the
> dhcp server's credentials out of band; i suggested a QR code on the wall
> as one (i.e. there could be others) example.  and, unlike the
> enterprise, i think the mobile device should reveal as little as
> possible about itself.

  Or, just move to 802.1X, and then sign the DHCP packets as above.  The Hotspot 2.0 standard from the Wi-Fi Alliance uses 802.1X for all hotspots.

> bottom line: i do not think there are easy solutions in the introduction
> space.  but it is our responsibility.  and i am trying to think about
> it and others should too.

  The main barrier to adoption is deploying the solutions.  The technologies described above are ubiquitous in isolation... the only new thing required is for them to communicate.

  Alan DeKok.
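As an illustration of the signing idea sketched in the reply above (an added example, not code from the draft or from either author): a DHCP signing key is derived from the 802.1X session key with HKDF-SHA256 and used to HMAC a DHCPv6 Reply, so the client can tell a server in the same organization from a rogue one on the same LAN. The key label, the sample keys and the option contents are assumptions made for the example.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK from the session key, then expand it."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def dhcp_signing_key(session_key: bytes) -> bytes:
    # Assumed label: it binds the derived key to this purpose, so it is distinct
    # from every other key derived from the same 802.1X session.
    return hkdf_sha256(session_key, salt=b"", info=b"dhcpv6-message-auth")

def build_dhcpv6_reply(txid: bytes, options: bytes) -> bytes:
    # RFC 3315 client/server message layout: msg-type (7 = REPLY), 3-byte
    # transaction-id, then options. The whole message is what gets authenticated,
    # so the tag also ties the reply to the client's transaction.
    return bytes([7]) + txid + options

def sign_message(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_message(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(sign_message(key, msg), tag)

def demo() -> dict:
    # Constructed sample keys: the client and the legitimate DHCP server share
    # the 802.1X session key; a rogue server on the same LAN does not.
    session_key = bytes.fromhex("11" * 32)
    rogue_key = bytes.fromhex("22" * 32)
    txid = b"\x01\x02\x03"
    options = b"\x00\x17\x00\x10" + bytes(16)  # OPTION_DNS_SERVERS (23) with a placeholder address
    reply = build_dhcpv6_reply(txid, options)
    client_key = dhcp_signing_key(session_key)
    tag = sign_message(client_key, reply)
    rogue_tag = sign_message(dhcp_signing_key(rogue_key), reply)
    tampered = build_dhcpv6_reply(txid, options[:-1] + b"\x01")  # attacker-modified DNS address
    return {
        "same_org_server": verify_message(client_key, reply, tag),
        "rogue_server": verify_message(client_key, reply, rogue_tag),
        "tampered_options": verify_message(client_key, tampered, tag),
    }
```

The HMAC alone does not stop replay of an old, validly signed reply; a deployment would also need freshness (the transaction-id here plus a nonce or counter).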