Re: [secdir] Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04

"Gaurav Halwasia (ghalwasi)" <> Wed, 20 February 2013 08:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3148721F85E8; Wed, 20 Feb 2013 00:37:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KAYZIo-jzYFu; Wed, 20 Feb 2013 00:37:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 739B321F85C9; Wed, 20 Feb 2013 00:37:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=1745; q=dns/txt; s=iport; t=1361349426; x=1362559026; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ZB9Z/ZYqaQecuInNhfUhFH77gpb3GOCTJSwdlRRMf3A=; b=llYmnvsxF12KJbMLhCfd3UKOLskXWqKl/dpRyrAxIK1lEB5eSfAi5NHQ j+G7sOPUda5A0CT2OMbLI3thUNFK6d28K8Zmj3J19uPp4WPE1RoW4hzcN sfLZYIRWNVikQnR5F9drANfrwLWqYTXP56FS4MfEVXkUqyU4Q86fo5PM1 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.84,699,1355097600"; d="scan'208";a="179108229"
Received: from ([]) by with ESMTP; 20 Feb 2013 08:37:06 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r1K8b5n2006005 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 20 Feb 2013 08:37:05 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Wed, 20 Feb 2013 02:37:05 -0600
From: "Gaurav Halwasia (ghalwasi)" <>
To: Shawn Emery <>, "" <>
Thread-Topic: Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04
Date: Wed, 20 Feb 2013 08:37:04 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 20 Feb 2013 13:42:53 -0800
Cc: "" <>, The IESG <>
Subject: Re: [secdir] Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Feb 2013 08:37:07 -0000

Thanks Shawn for review.

We will take care of your Editorial comments in the next revision or at the time of AUTH48 (whichever is earlier.)

-----Original Message-----
From: Shawn Emery [] 
Sent: Wednesday, February 20, 2013 1:30 PM
Cc:; The IESG
Subject: Review of draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-04

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This internet-draft describes a way to provide a client link-layer addresses in DHCPv6 Relay-Forward messages..

The security considerations section does exist and discusses an attack scenario involving rogue relay agents and clients where a DHCPv6 node could spoof the address of a separate DHCPv4 node.  Subsequently if a Dynamic DNS update is made then a dual-stack node could be made to connect to the DHCPv6 client instead of the DHCPv4 client.  To thwart such an attack the draft recommends that administrators configure IPsec between the DHCP server(s) and the relay agents.  Besides the security considerations of DHCP in general, I think that this document adequately covers the feature being introduced.

General comments:


Editorial comments:

s/will help above mentioned scenarios/will help with the scenarios mentioned above/ s/used in wide/used in a wide/