[secdir] SecDir review of draft-ietf-dhc-relay-server-security-03

Catherine Meadows <catherine.meadows@nrl.navy.mil> Thu, 16 March 2017 20:26 UTC

From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Date: Thu, 16 Mar 2017 16:26:39 -0400
Message-Id: <7CDA5C79-8242-43A3-90DE-DBF1872EFC77@nrl.navy.mil>
To: draft-ietf-dhc-relay-server-security.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UG0fjFBoV37Pkk0sFHIfxJGlLYA>

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


This brief draft gives requirements for securing relay-to-relay and relay-to-server communication for DHCPv6 and relay-to-server communication for DHCPv4.
Previously no such guidance existed.  The new guidance is that in both cases the draft REQUIRES that communication be IPsec encrypted.

The security considerations section points out the limitations of this document, e.g., it does not address communications between the client and the server or first-hop
relay agent.  This section gives some recommendations for security in this case.  It also points out the limitations of some practices that are allowed by the document
but not encouraged, e.g., use of manual keys.  I believe this is a good use of the Security Considerations section for a document of this kind, which recommends a specific
solution to one part of the security problem, but does not attempt to propose a complete security solution.
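
As an added illustration of the requirement summarized above (an example constructed for this archive page, not text from the review or the draft), a strongSwan swanctl.conf fragment for one DHCPv6 relay-to-server pair: IKEv2 with certificate authentication instead of the manual keys the reviewer notes are allowed but not encouraged, ESP in transport mode, and traffic selectors limited to the DHCPv6 relay/server port. The addresses, identities and certificate file names are placeholders; transport mode and the port-based selectors are assumptions about how the draft scopes the IPsec SA and are not stated in the review.

```conf
# Constructed example: /etc/swanctl/swanctl.conf on a DHCPv6 relay agent.
# The relay's certificate goes in /etc/swanctl/x509/relay.pem and its
# private key in /etc/swanctl/private/ (standard strongSwan locations).
connections {
    dhcpv6-relay-to-server {
        version = 2                      # IKEv2 only; no IKEv1 fallback
        local_addrs  = 2001:db8:1::10    # placeholder: this relay agent
        remote_addrs = 2001:db8:2::53    # placeholder: the DHCPv6 server
        proposals = aes256gcm16-sha256-x25519

        local {
            auth  = pubkey               # certificate-based, not PSK/manual
            certs = relay.pem
            id    = "CN=relay1.example.net"      # placeholder identity
        }
        remote {
            auth = pubkey
            id   = "CN=dhcp.example.net"         # placeholder identity
        }

        children {
            dhcpv6 {
                mode = transport         # assumption: host-to-host SA, no tunnel
                # Only DHCPv6 relay/server traffic (UDP 547 both ways) is
                # covered; everything else between the hosts is unaffected.
                local_ts  = 2001:db8:1::10[udp/547]
                remote_ts = 2001:db8:2::53[udp/547]
                esp_proposals = aes256gcm16-x25519
                # trap: install the policy now, negotiate the SA on first
                # matching packet, so relayed DHCPv6 never leaves in clear.
                start_action = trap
            }
        }
    }
}
# Manual keying (static SAs with fixed keys) is deliberately absent: with
# IKEv2 the ESP keys are negotiated per session and rekeyed automatically,
# and peer identity is tied to a certificate rather than a shared secret.
```

The server side mirrors this with the addresses, identities and certificate swapped.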

I think this document is Ready.

Cathy Meadows


Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil