Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option

t.p. <daedulus@btconnect.com> Fri, 08 June 2012 10:41 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2784E21F8517; Fri, 8 Jun 2012 03:41:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.909
X-Spam-Level:
X-Spam-Status: No, score=-4.909 tagged_above=-999 required=5 tests=[AWL=-1.090, BAYES_05=-1.11, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQ74aMi2uo6h; Fri, 8 Jun 2012 03:41:15 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA4A21F850F; Fri, 8 Jun 2012 03:41:15 -0700 (PDT)
Received: from mail11-tx2-R.bigfish.com (10.9.14.242) by TX2EHSOBE004.bigfish.com (10.9.40.24) with Microsoft SMTP Server id 14.1.225.23; Fri, 8 Jun 2012 10:40:24 +0000
Received: from mail11-tx2 (localhost [127.0.0.1]) by mail11-tx2-R.bigfish.com (Postfix) with ESMTP id 8589532053E; Fri, 8 Jun 2012 10:40:24 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.55.224.141; KIP:(null); UIP:(null); IPV:NLI; H:DB3PRD0702HT011.eurprd07.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -23
X-BigFish: PS-23(zz9371I542M1418Izz1202hzz1033IL8275dhz2dh2a8h5a9h668h839h93fhd24hf0ah304l)
Received: from mail11-tx2 (localhost.localdomain [127.0.0.1]) by mail11-tx2 (MessageSwitch) id 1339152022770248_2063; Fri, 8 Jun 2012 10:40:22 +0000 (UTC)
Received: from TX2EHSMHS009.bigfish.com (unknown [10.9.14.248]) by mail11-tx2.bigfish.com (Postfix) with ESMTP id B5784200046; Fri, 8 Jun 2012 10:40:22 +0000 (UTC)
Received: from DB3PRD0702HT011.eurprd07.prod.outlook.com (157.55.224.141) by TX2EHSMHS009.bigfish.com (10.9.99.109) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 8 Jun 2012 10:40:20 +0000
Received: from DBXPRD0610HT004.eurprd06.prod.outlook.com (157.56.252.181) by pod51017.outlook.com (10.3.48.170) with Microsoft SMTP Server (TLS) id 14.15.74.2; Fri, 8 Jun 2012 10:40:42 +0000
Message-ID: <004a01cd4562$b7b338e0$4001a8c0@gateway.2wire.net>
From: t.p. <daedulus@btconnect.com>
References: <21762_1337814743_q4NNCMPh008981_alpine.BSF.2.00.1205231837020.9762@fledge.watson.org> <1337881837.3279.45.camel@destiny.pc.cs.cmu.edu>
Date: Fri, 8 Jun 2012 11:37:27 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.252.181]
X-OriginatorOrg: btconnect.com
X-Mailman-Approved-At: Fri, 08 Jun 2012 05:36:59 -0700
Cc: draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org, ietf <ietf@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2012 10:41:16 -0000

Just to make public what I have hinted at privately, I think that steps
in section 4.1 may be somewhat underspecified.

They give the logic a client, one which supports both DHCP and DNS,
should
follow in order to find a KDC, with DNS information being preferred.
One scenario outlined in section 1 is of a user having entered userid
and
passphrase and waiting to be authenticated.  The steps imply a number of
timeouts in succession without specifying what balance to take of how
long
to wait for a server to respond versus how long to keep the user
waiting.
I would find it difficult to know what balance to strike without
guidance.

A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
information but the Security Considerations stress the weakness of
DHCP and recommend authenticating DHCP.  What if DHCP is secure
and DNS is not?  Should DNS still be preferred?

Tom Petch

----- Original Message -----
From: "Jeffrey Hutzelman" <jhutz@cmu.edu>;
To: "Samuel Weiler" <weiler+secdir@watson.org>;
Cc: <draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org>;;
<secdir@ietf.org>;; <ietf@ietf.org>;; <jhutz@cmu.edu>;
Sent: Thursday, May 24, 2012 6:50 PM
Subject: Re: [secdir] secdir review of
draft-sakane-dhc-dhcpv6-kdc-option