Re: [secdir] Secdir review of draft-ietf-dhc-pd-exclude-04
jouni korhonen <jouni.nospam@gmail.com> Thu, 09 February 2012 07:25 UTC
Return-Path: <jouni.nospam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00EDC21F8565; Wed, 8 Feb 2012 23:25:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcuVF4Z-6LUq; Wed, 8 Feb 2012 23:25:06 -0800 (PST)
Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id DD9AB21F854D; Wed, 8 Feb 2012 23:25:05 -0800 (PST)
Received: by lahl5 with SMTP id l5so1427480lah.31 for <multiple recipients>; Wed, 08 Feb 2012 23:25:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=6A+g9ziMK8gmVcBrzxA4+M4SmnG//Lc4/cG1fttbo4g=; b=g3sZxw1zvpGLc/z1Ap6xMQJTQnCKrdbh36DeqrCNephI9F1b002tyHXQYJj97I2ZgA aMKerVBbpRhFNq/x3ss1WDN/8RwzRBejBJBkk4nDBG0Uy7C4YJkyqCg/OKoC598CYZ6U ZIqRNDiwVHeaZGQwTsjnFELXuUzy1Ep5WFbEs=
Received: by 10.152.145.165 with SMTP id sv5mr395257lab.29.1328772304720; Wed, 08 Feb 2012 23:25:04 -0800 (PST)
Received: from a88-114-172-138.elisa-laajakaista.fi (a88-114-172-138.elisa-laajakaista.fi. [88.114.172.138]) by mx.google.com with ESMTPS id mj2sm1455364lab.2.2012.02.08.23.25.01 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 08 Feb 2012 23:25:02 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="iso-8859-1"
From: jouni korhonen <jouni.nospam@gmail.com>
In-Reply-To: <CADajj4Z5RY5B-4Dj7RbYh2SXKTVF=v1W0zii3QoD=BTnX4b3eQ@mail.gmail.com>
Date: Thu, 09 Feb 2012 09:24:56 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <CD5E540F-6B65-462D-AF5C-4CC45E402F9F@gmail.com>
References: <CADajj4Z5RY5B-4Dj7RbYh2SXKTVF=v1W0zii3QoD=BTnX4b3eQ@mail.gmail.com>
To: Magnus Nyström <magnusn@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: draft-ietf-dhc-pd-exclude@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-dhc-pd-exclude-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 07:25:07 -0000
Magnus, Thank you for your review. Regarding the authentication of the excluded prefix. I admit the security considerations text is thin but, for example, RFC3633 security considerations that we refer to already says: To guard against attacks through prefix delegation, requesting routers and delegating routers SHOULD use DHCP authentication as described in section 21, "Authentication of DHCP messages" of RFC 3315. For point to point links, where one trusts that there is no man in the middle, or one trusts layer two authentication, DHCP authentication or IPsec may not be necessary. Because a requesting We did not come up with anything more specific that should be added. Does the above address your concern regarding excluded prefix authentication? We can add a sentence to the Security considerations saying: "This specification does not add any new security considerations in addition to those already discussed in RFC3315 and RFC3633." - Jouni On Feb 9, 2012, at 8:43 AM, Magnus Nyström wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This document defines a method for DHCPv6 routers to exclude a prefix > out of a delegated set of prefixes. > > I have no comments on the document itself but the Security > Considerations section is very terse. If the method in this draft does > not introduce any new security considerations beyond those already > present in RFC 3315 or RFC 3633 then it should at least say so. It > appears to me however that something could be said about > authenticating the request to exclude a particular prefix? > > -- Magnus
- [secdir] Secdir review of draft-ietf-dhc-pd-exclu… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-dhc-pd-e… jouni korhonen
- Re: [secdir] Secdir review of draft-ietf-dhc-pd-e… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-dhc-pd-e… jouni korhonen