IETF Logo Mail Archive

Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04

Ralph Droms <rdroms@cisco.com> Wed, 03 December 2008 11:29 UTC

Return-Path: <secdir-bounces@ietf.org>
X-Original-To: secdir-archive@ietf.org
Delivered-To: ietfarch-secdir-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C24C93A6BD2; Wed, 3 Dec 2008 03:29:23 -0800 (PST)
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B8453A6BC1; Wed, 3 Dec 2008 03:29:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.793
X-Spam-Level:
X-Spam-Status: No, score=-5.793 tagged_above=-999 required=5 tests=[AWL=0.806, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eS5ZK8S1LCZH; Wed, 3 Dec 2008 03:29:21 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 63D363A67D8; Wed, 3 Dec 2008 03:29:21 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.33,708,1220227200"; d="scan'208";a="205713712"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 03 Dec 2008 11:29:17 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id mB3BTGEQ015425; Wed, 3 Dec 2008 03:29:16 -0800
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id mB3BTBWd029869; Wed, 3 Dec 2008 11:29:16 GMT
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 3 Dec 2008 06:29:12 -0500
Received: from bxb-rdroms-8717.cisco.com ([10.98.10.88]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 3 Dec 2008 06:29:11 -0500
Message-Id: <B111CDE5-E8D0-4C96-AD53-B8580274F949@cisco.com>
From: Ralph Droms <rdroms@cisco.com>
To: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <493661F5.10705@piuha.net>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Wed, 03 Dec 2008 06:29:05 -0500
References: <alpine.BSF.1.10.0811260255330.4213@fledge.watson.org> <90AC45ED-BF49-46ED-A35A-14E1BF699959@cisco.com> <56DEB14D23377D001B19EFE5@p3.int.jck.com> <493661F5.10705@piuha.net>
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 03 Dec 2008 11:29:12.0240 (UTC) FILETIME=[5D879300:01C9553A]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3059; t=1228303756; x=1229167756; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=rdroms@cisco.com; z=From:=20Ralph=20Droms=20<rdroms@cisco.com> |Subject:=20Re=3A=20secdir=20review=20of=20draft-raj-dhc-tf tp-addr-option-04 |Sender:=20; bh=OJ4Zet+4kFENL0h4JQfQ1pFv2oAmqcZ+1j1YwZgaljw=; b=BLzgguHyperXmjzMYbab8BUNlPoXoSIsdxefC4ITa59pRFqiOwPbKvePIS 0P8L8liTkAz/C+t8yBhwhI4Z8ThfShFJzeFbmUAbltLnSqaRXLWaFaUAozlD Us3IRnWSuZ;
Authentication-Results: sj-dkim-3; header.From=rdroms@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: Richard Johnson <raj@cisco.com>, IETF Discussion <ietf@ietf.org>, secdir@ietf.org, draft-raj-dhc-tftp-addr-option@tools.ietf.org, Ralph Droms <rdroms@cisco.com>, dhc Chairs <dhc-chairs@tools.ietf.org>, Samuel Weiler <weiler@watson.org>, IESG IESG <iesg@ietf.org>, John C Klensin <john-ietf@jck.com>
Subject: Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: secdir-bounces@ietf.org
Errors-To: secdir-bounces@ietf.org

Jari - I agree that mentioning security issues, pointing to the  
Security Considerations in RFC 2131 and citing RFC 3118, is appropriate.

Responding to Richard...

On Dec 2, 2008, at Dec 2, 2008,5:35 PM, Richard Johnson wrote:

> Ok, maybe I'm not understanding what's being suggested or maybe I'm  
> simply reading the existing text in a different way.  Here's the  
> contents of the draft's "Security Considerations" section:
>
>>   A rogue DHCP Server could use this option in order to coerce a  
>> Client
>>   into downloading configuration from an alternate Configuration  
>> Server
>>   and thus gain control of the device's configuration.  This is more
>>   easily done with the VoIP Configuration Server Address option  
>> than it
>>   was with the "TFTP Server Name" option, because in the latter case
>>   the attack would need to control DNS responses as well as inserting
>>   the rogue DHCP option information.  If this is a concern, then  
>> either
>>   DHCP Authentication may be used, or the "TFTP Server Name" option  
>> may
>>   be used instead.
>>
>>   Message authentication in DHCP for intradomain use where the out- 
>> of-
>>   band exchange of a shared secret is feasible is defined in  
>> [RFC3118].
>>   Potential exposures to attack are discussed in section 7 of the  
>> DHCP
>>   protocol specification in [RFC2131].
>>
>>   Other out-of-band methods of verifying the validity of the VoIP
>>   Configuration Server Address, such as certificates of trust,  
>> could be
>>   used to mitigate some security concerns.
>
> So, it only mentions option 66 ("TFTP Server Name" option) by  
> comparison and in order to point out the relative levels of security  
> involved.  It has no "suggestion to use option 66".
>
> The text already has an "explanation about why the use of this  
> option without authentication might be problematic".  As a matter of  
> fact, it seems rather explicit on the matter.

I suggest we elide the first paragraph Richard quoted, and leave the  
remainder unchanged ... except for fixing what appears to be a typo in  
the first sentence of the second paragraph: s/is feasible is/is  
feasible as/

Jeff Hutzelman mentioned other common techniques for mitigating the  
risk from DHCP server spoofing attacks, which have not, to date, been  
mentioned in any other DHCP RFCs.  If there is serious interest in a  
review of DHCP security practices, the dhc WG could return to its work  
on a DHCP threat analysis and BCP for threat mitigation.

On Dec 3, 2008, at Dec 3, 2008,5:39 AM, Jari Arkko wrote:

> I think John's advice is solid. We really need to document the  
> properties of our specifications, including being very clear about  
> the shortcomings and recommended workarounds. Truth in advertising.  
> (However, I'd would avoid making mandatory-to-implement changes that  
> do not match with codebase for a legacy option document such as this  
> is.)
>
> I'm expecting a draft revision.
>
> Jari
>

- Ralph


_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir

v2.23.0 | Report a Bug | By Email