[secdir] SecDir review of draft-ietf-dhc-relay-server-security-03
Catherine Meadows <catherine.meadows@nrl.navy.mil> Thu, 16 March 2017 20:26 UTC
To: draft-ietf-dhc-relay-server-security.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Message-Id: <7CDA5C79-8242-43A3-90DE-DBF1872EFC77@nrl.navy.mil>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UG0fjFBoV37Pkk0sFHIfxJGlLYA>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This brief draft gives requirements for securing relay-to-relay and relay-to-server communication for DHCPv6 and relay-to-server communication for DHCPv4. Previously no such guidance existed. The new guidance is that in both cases the draft REQUIRES that communication be IPsec encrypted.

The security considerations section points out the limitations of this document, e.g. it does not address communications between the client and the server or first hop relay agent. This section gives some recommendations for security in this case. It also points out the limitations of some practices that are allowed by the document but not encouraged, e.g. use of manual keys. I believe this is a good use of the Security Considerations section for a document of this kind, which recommends a specific solution to one part of the security problem, but does not attempt to propose a complete security solution.

I think this document is Ready.

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil
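The requirement the review describes (IPsec encryption of relay-to-server DHCP traffic, with IKE-negotiated keys preferred over manual keys), shown as an added example that is not part of the review or of the draft: a strongSwan swanctl.conf fragment on a DHCPv6 relay that protects its traffic to the server (UDP port 547) with ESP in transport mode, negotiated over IKEv2 with certificate authentication. The addresses, identities, certificate file name and connection names are assumptions chosen for the example.

```conf
# Added example (not from the draft or the review): strongSwan swanctl.conf
# on a DHCPv6 relay agent. Addresses, identities and file names are assumed.
connections {
    dhcpv6-relay-to-server {
        # IKEv2 only; IKEv1 is not negotiated.
        version = 2
        local_addrs  = 2001:db8:1::10      # assumed relay address
        remote_addrs = 2001:db8:1::1       # assumed DHCPv6 server address

        local {
            auth  = pubkey
            certs = relay1.crt             # assumed certificate file
            id    = relay1.example.net     # assumed identity
        }
        remote {
            auth = pubkey
            id   = dhcp-server.example.net # assumed identity
        }

        proposals = aes256-sha256-x25519

        children {
            dhcpv6 {
                # Transport mode between the two endpoints; the selectors
                # restrict the SA to DHCPv6 relay/server traffic only.
                mode      = transport
                local_ts  = 2001:db8:1::10[udp/547]
                remote_ts = 2001:db8:1::1[udp/547]
                # AEAD cipher: encryption, not just integrity, as the draft requires.
                esp_proposals = aes256gcm16-x25519
                # Trap policy: matching packets trigger IKE and are never
                # forwarded in cleartext while no SA exists.
                start_action = trap
            }
        }
    }
}
```

The same fragment serves DHCPv4 relay-to-server traffic by using IPv4 addresses and `[udp/67]` selectors, and relay-to-relay DHCPv6 traffic by pointing `remote_addrs` and the selectors at the next relay. After loading it with `swanctl --load-all`, two checks are worth doing: `swanctl --list-sas` should show a CHILD_SA whose traffic selectors cover only udp/547, and a packet capture on the relay's uplink should show the relay's port-547 traffic leaving as ESP rather than as plain UDP. Manual keying (`ip xfrm state add` with fixed keys) would satisfy the encryption requirement but gives up rekeying and replay-window management, which is the limitation the review notes the draft's Security Considerations call out.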