Re: [saag] Whether TOFU should be considered in secure DHCPv6?

Lishan Li <lilishan48@gmail.com> Thu, 01 September 2016 03:37 UTC

From: Lishan Li <lilishan48@gmail.com>
Date: Thu, 01 Sep 2016 11:37:53 +0800
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zXaz78-ACNxBdDLgQ6eiCJQ8vP8>

Dear Paul,

Thanks a lot for your nice reply and guidance.
We just want to apply opportunistic security into secure DHCPv6 deployment.
So, how about the following policy for secure DHCPv6 deployment?
1. If the client/server is pre-configured with authorized certificates,
then it can achieve authentication.
2. If the certificate cannot be validated and validation is required, then it
is blocked from the Internet.
3. If the certificate cannot be validated and it does not want to be blocked
from the Internet, then it may want either TOFU or a warning each time an
un-validated connection is made.

Looking forward to your further guidance.

Best Regards,
Lishan

2016-09-01 10:43 GMT+08:00 Paul Hoffman <paul.hoffman@vpnc.org>:

> On 31 Aug 2016, at 17:20, Randy Bush wrote:
>
>>> used for authentication based ... using trust-on-first-use.
>>
>> uh, what is wrong with this picture?
>
> Uh, the fact that you removed relevant parts of the quotation?
>
> For those of you who want to follow more completely, the Abstract of
> draft-ietf-dhc-sedhcpv6-13 says:
>
>    The mechanism provides encryption in all cases, and
>    can be used for authentication based either on pre-sharing of
>    authorized certificates, or else using trust-on-first-use.
>
> So, we're back to the same problem described in glorious detail in RFC
> 7435. In this case, if a DHCPv6 client wants to only use
> fully-authenticated security, and the DHCPv6 server has a certificate that
> the client can't validate, the client fails to communicate with the server.
> Some people will want that result and thus want to be able to configure to
> always require validation; others won't want to be blocked from the
> Internet and therefore will want either TOFU or (more likely) a warning
> each time an unvalidated connection is made.
>
> --Paul Hoffman
>
>
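As an added illustration of the three client policies discussed in this thread (not code from draft-ietf-dhc-sedhcpv6 or from anyone on the list), here is a client-side decision function with a small trust-on-first-use pin store. The pin store keyed by server DUID and the `chain_valid` flag standing in for validation against pre-configured certificates are assumptions.

```python
import hashlib
from enum import Enum


# Client policy modes, mirroring the three deployment cases in the thread.
class Mode(Enum):
    REQUIRE_VALIDATION = 1  # case 2: unvalidated server -> blocked
    TOFU = 2                # case 3: pin on first use, reject later changes
    WARN = 3                # case 3: accept but warn on every unvalidated use


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate; this is what a TOFU pin stores."""
    return hashlib.sha256(cert_der).hexdigest()


def decide(server_duid: bytes, cert_der: bytes, chain_valid: bool,
           mode: Mode, pins: dict) -> tuple:
    """Decide whether the client proceeds with this server.

    chain_valid: assumed result of validating cert_der against the client's
    pre-configured authorized certificates (case 1 in the thread).
    pins: persistent store, server DUID -> fingerprint, filled on first use.
    Returns (action, reason) with action in {"accept", "block", "warn"}.
    """
    if chain_valid:
        return "accept", "validated against pre-configured certificates"
    if mode is Mode.REQUIRE_VALIDATION:
        return "block", "validation required and certificate not validated"
    if mode is Mode.WARN:
        return "warn", "unvalidated certificate; proceeding with a warning"
    # TOFU: trust the first certificate seen for this DUID, then hold it to it.
    fp = fingerprint(cert_der)
    pinned = pins.get(server_duid)
    if pinned is None:
        pins[server_duid] = fp
        return "accept", "first use: pinned " + fp[:16]
    if pinned == fp:
        return "accept", "certificate matches pin from first use"
    return "block", "certificate changed since first use; pin mismatch"


def simulate(mode: Mode) -> list:
    """Constructed exchange: the same server twice, then a different
    certificate presented under the same DUID (what a TOFU pin catches)."""
    pins = {}
    duid = b"\x00\x01\x00\x01constructed-duid"
    good = b"constructed DER cert of the real server"
    other = b"constructed DER cert presented later under the same DUID"
    steps = [(good, False), (good, False), (other, False)]
    return [decide(duid, c, v, mode, pins)[0] for c, v in steps]
```

Note that TOFU only helps on the second and later contacts; the first contact is exactly as unauthenticated as the WARN case, which is the RFC 7435 trade-off Paul describes.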