Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

Christian Huitema <huitema@huitema.net> Tue, 08 December 2020 01:14 UTC

To: Ted Lemon <mellon@fugue.com>, "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
Cc: secdir@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, last-call@ietf.org, Naveen Kottapalli <naveen.sarma@gmail.com>, dhcwg@ietf.org
References: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com> <1B6C9B2E-A750-44C5-A1AC-703482FB1AF4@fugue.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <45aa2ea2-bc78-25c6-cc66-9f7b61a33a26@huitema.net>
Date: Mon, 07 Dec 2020 17:11:33 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/L_KerKNUy11CeQFofwedMCz0ESY>

On 12/7/2020 5:03 AM, Ted Lemon wrote:
> Also, Christian, RA guard only works in a managed environment. In an 
> unmanaged environment it will break things. It would be wise to be 
> careful about when and where you recommend it or we will wind up with 
> interoperability problems. This is probably outside of the DHC wg’s 
> bailiwick.

But I am being careful -- I am not asking for any change in the draft, 
except for a trivial nit. I am just pointing out that there are attacks 
and that the proposed solution in 8213 did not pan out. It would be nice 
if there was guidance available on how to secure DHCP clients and 
servers "in practice", especially if your attack model includes virus or 
phishing attacks overtaking an authorized client inside the perimeter.

-- Christian Huitema