Re: [secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Naveen Kottapalli <naveen.sarma@gmail.com> Mon, 07 December 2020 11:05 UTC
Return-Path: <naveen.sarma@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E443A130F; Mon, 7 Dec 2020 03:05:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhRVSy4VPmma; Mon, 7 Dec 2020 03:05:51 -0800 (PST)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCBBC3A1313; Mon, 7 Dec 2020 03:05:47 -0800 (PST)
Received: by mail-il1-x135.google.com with SMTP id k8so11771771ilr.4; Mon, 07 Dec 2020 03:05:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6ZplBsP+d3r4B9yVpkDNMPT8a9H1aeedorL/E7MCHEI=; b=S9WQNyt8gQoyyCPPnNBwm9Tjvq0UN6o1367bLUz8imHEsGUb07aqNHdzBJ/GizuPXC DqCPxHdLg6FnEA8ByUStYjiIFKMHL+yrKl6pKK+S2U8KMIO0/uCLZ90Va+c78yeNlq8F 7SSg3WWWXngRkicCHNss8PG1i100eGlHBMj3m0Z+fRqHqGy3Q/WmL10B8GjBDm3378z6 0HOXYHaCMacAj822Hs7tJfBHFtLLvFT9pGgPAFYpDEqhicTwsIJjxcNj3mM54Xc84i+x 0wXcfQeMXgFfQFxgotXFbUvnTZj8gffwG+AcsfHvploxAwRDeEVy7uwAanQUAV9FdPB0 zvuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6ZplBsP+d3r4B9yVpkDNMPT8a9H1aeedorL/E7MCHEI=; b=G6ZTluYPzNR89EON/6nQ5dyV4+y5H7a/1akcjhxITzOM6XnciiVFnNCOH7gahVD83s juHlF6y+z+2WYI3gai8BY9p51N2q9jQT33mcpZgaUtAQHmlFMDsgJlxQGbL7Tr78MAZp Yt/AFVgoHiccGfJDYS9M/8DF2f7+YnFsjv4f1WnVjaCwrEklLymZqO+PhhEGzBVRH5Eb eSpPWKe7GZQcazCpaJA/xiG/H2nG6Kn6B2naUtW5DlAEbNn1OJ08onlvtuPihHwxSYO4 cVL0sDujuJNYsUqBzkb4zebVTiUH2j86QssyLsu3HAfIiagopgb8H7i5iJ7Av5h2TMlM O04Q==
X-Gm-Message-State: AOAM5331altdtlV0K0L7CnFsE41S7qBeQnDNI6Dkr8elFLBBxbGKLUXj bqZQxLSQCVmq/tnav2ofrCc0pWoHejBrkEG/qeihgBU6vfM=
X-Google-Smtp-Source: ABdhPJyJp0EXebDr6DKsj2fMmGGkDfJdyQKNrIZNUAXM4SOkZjnifjU/VtSE/R1WWB8HtYfu0KvUX+//VH7rP57aKfA=
X-Received: by 2002:a92:874c:: with SMTP id d12mr22887405ilm.244.1607339146826; Mon, 07 Dec 2020 03:05:46 -0800 (PST)
MIME-Version: 1.0
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com>
In-Reply-To: <160711219694.2677.7881042583251252532@ietfa.amsl.com>
From: Naveen Kottapalli <naveen.sarma@gmail.com>
Date: Mon, 07 Dec 2020 16:35:37 +0530
Message-ID: <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: secdir@ietf.org, last-call@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e1590405b5ddce23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/V-dg9gA8aHjNh23PWuWDd-xtV10>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 11:05:53 -0000
Thanks Christian. Reference is corrected and will be available in next version. Yours, Naveen. On Sat, 5 Dec 2020 at 01:34, Christian Huitema via Datatracker < noreply@ietf.org> wrote: > Reviewer: Christian Huitema > Review result: Ready > > This document presents a set of requirements for how "Prefix Delegating > Relays" should > handle the relaying of IPv6 Prefix delegation requests between DHCP > clients and DHCP servers. > > This document is Ready. But please fix one tiny nit. > > Prefix Delegating Relays are more complex than simple DHCP relays. Instead > of > merely passing information back and forth between DHCP clients and DHCP > servers, > they also need to install IPv6 routes so the allocated IPv6 prefix is > routed towards > the client to which the prefix is allocated via DHCP. The document explains > issues found during past deployments, and presents a set of requirements to > ensure smooth operation of the service. > > As written in the security section, stating these requrements does not add > any new security considerations beyond those mentioned in RFC 8213, which > requires > using IPSEC between DHCP relay and DHCP server. This is fine and I believe > that > the draft is ready, except for one nit. The draft mentions "Section 22 of > [RFC8213]", > but RFC 8213 only has 6 sections. Since that RFC is entirely about > "Security of > Messages Exchanged between Servers and Relay Agents", I don't understand > why the > draft needs to mention this bogus "Section 22". Are the authors trying to > trick > this reviewer? > > There is a security issue concerning communication between clients and > relays. This > draft is not the place to address it, which is why I think it is ready, > but I can't > resist using this review to pass a message to the working group. On link > attackers > could spoof requests for prefix delegation, or responses, just like > they can spoof any DHCP message. Spoofing prefix delegation requests might > be a way > to attack networks, or to cause support issues between clients and > providers. > RFC 8213 "suggests" using secure DHCPv6 between client and server, but the > "secure > DHCPv6" draft cited in RFC 8213 is now expired. I understand that > solutions like RA > Guard will in practice provide some protection, but the use of these > solutions are > not discussed in RFC 8213. The DHCP WG might want to address that. > > > > >
- [secdir] Secdir last call review of draft-ietf-dh… Christian Huitema via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Naveen Kottapalli
- Re: [secdir] Secdir last call review of draft-iet… Bernie Volz (volz)
- Re: [secdir] [Last-Call] Secdir last call review … Ted Lemon
- Re: [secdir] [Last-Call] Secdir last call review … Christian Huitema
- Re: [secdir] [Last-Call] Secdir last call review … Christian Huitema
- Re: [secdir] [Last-Call] Secdir last call review … Bernie Volz (volz)
- Re: [secdir] [Last-Call] Secdir last call review … Christian Huitema