[secdir] secdir review of draft-ietf-dhc-leasequery-by-remote-id-07

Samuel Weiler <weiler@watson.org> Thu, 02 December 2010 03:28 UTC

Return-Path: <weiler@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id A86033A6843; Wed, 1 Dec 2010 19:28:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.485
X-Spam-Status: No, score=-2.485 tagged_above=-999 required=5 tests=[AWL=0.114, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id yD6UFoMgW1IP; Wed, 1 Dec 2010 19:28:47 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org []) by core3.amsl.com (Postfix) with ESMTP id ED7403A67AE; Wed, 1 Dec 2010 19:28:44 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org []) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id oB23TvjY070033; Wed, 1 Dec 2010 22:29:57 -0500 (EST) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id oB23Tv3n070030; Wed, 1 Dec 2010 22:29:57 -0500 (EST) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Wed, 1 Dec 2010 22:29:56 -0500 (EST)
From: Samuel Weiler <weiler@watson.org>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-dhc-leasequery-by-remote-id.all@tools.ietf.org
Message-ID: <alpine.BSF.2.00.1012012218180.54384@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org []); Wed, 01 Dec 2010 22:29:57 -0500 (EST)
Subject: [secdir] secdir review of draft-ietf-dhc-leasequery-by-remote-id-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2010 03:28:50 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

Sorry for getting this out so late.

I'm a bit confused by this doc -- in particular, I'm not understanding 
how the Remote ID field is being set so that querying based on it 
gives a complete set of relevant leases.

I'm also wondering if the use case envisioned (filtering spoofed 
source addresses based on the assumption that you can collect a 
complete list of leases using this method) is dangerous -- at the very 
least, it suggests that authentication of the queries here is every 
more important than in 4388.  Furthermore, what risks are there if 
answers to these queries are spoofed away?  In this model, could a 
relay agent be induced to filter out a legitimate client for want of 
an answer to a DHCPLEASEQUERY?

Also, I'm not a fan of referral Security Considerations sections -- 
I'd rather see a repeat of the text than a reference.

-- Sam