Re: [saag] Fw:Fw:New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt
Nico Williams <nico@cryptonector.com> Mon, 03 August 2015 16:17 UTC
Date: Mon, 03 Aug 2015 11:17:50 -0500
From: Nico Williams <nico@cryptonector.com>
To: Randy Bush <randy@psg.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/rrlkwMcbHMTGNtwuq1bfU7oVHOk>
Cc: Security Area Advisory Group <saag@ietf.org>

On Thu, Jul 30, 2015 at 04:47:53AM +0900, Randy Bush wrote:
> within an enterprise, one is tempted to suggest enterprise-controlled
> credential distribution; i get a cert (or whatever) oob to let my laptop
> authenticate the dhcp service and vice versa. but enterprises are
> seeing a lot of byod, and i am not sure how they are dealing with that.
> do they really want to authenticate all mobiles?

Authenticating the enterprise and DHCP servers to the mobiles is one
thing. Authenticating the latter to the former is another. I've no
idea if enterprises want to do this, but my experience is that many
enterprises that offer wifi want to force users to then VPN and/or else
to accept MITM trust anchors ("you want to use our network, you pay a
privacy price" is de rigueur).

> in the coffee shop, one would like the mobile device to be given the
> dhcp server's credentials out of band; i suggested a QR code on the wall
> as one (i.e. there could be others) example. and, unlike the
> enterprise, i think the mobile device should reveal as little as
> possible about itself.

The QR code thing works for enterprises that allow BYOD. There's also
"install this app from the store using 3G/4G then you can get on our
wifi". There are plenty of options; none perfect.

> bottom line: i do not think there are easy solutions in the introduction
> space. but it is our responsibility. and i am trying to think about
> it and others should too.

Yes.

> [0] - i am reminded of the plethora of documents with insecure
> transports where the sec cons says "use ipsec" with no hint about
> keying, how the upper layer can even tell if ipsec is being used,
> ...

Yes, that approach is a disaster [because of a lack of a standard,
useful set of IPsec APIs]. But I'm like a broken record as to this.