Re: [secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

"Bernie Volz (volz)" <volz@cisco.com> Mon, 07 December 2020 12:31 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: Naveen Kottapalli <naveen.sarma@gmail.com>
CC: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Date: Mon, 07 Dec 2020 12:31:15 +0000
Message-ID: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com>, <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com>
In-Reply-To: <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VD_VledY6CMrScqpIgxvoAcL-dQ>

FYI:

I understand that solutions like RA
Guard will in practice provide some protection, but the use of these solutions is
not discussed in RFC 8213. The DHCP WG might want to address that.

RFC8415's security considerations are rather extensive and include references to many techniques to reduce the issues. 8213 was written while 8415 was under development.

- Bernie

On Dec 7, 2020, at 6:06 AM, Naveen Kottapalli <naveen.sarma@gmail.com> wrote:


Thanks Christian.  Reference is corrected and will be available in next version.

Yours,
Naveen.


On Sat, 5 Dec 2020 at 01:34, Christian Huitema via Datatracker <noreply@ietf.org> wrote:
Reviewer: Christian Huitema
Review result: Ready

This document presents a set of requirements for how "Prefix Delegating Relays" should
handle the relaying of IPv6 Prefix delegation requests between DHCP clients and DHCP servers.

This document is Ready. But please fix one tiny nit.

Prefix Delegating Relays are more complex than simple DHCP relays. Instead of
merely passing information back and forth between DHCP clients and DHCP servers,
they also need to install IPv6 routes so the allocated IPv6 prefix is routed towards
the client to which the prefix is allocated via DHCP. The document explains
issues found during past deployments, and presents a set of requirements to
ensure smooth operation of the service.

As written in the security section, stating these requirements does not add
any new security considerations beyond those mentioned in RFC 8213, which requires
using IPSEC between DHCP relay and DHCP server. This is fine and I believe that
the draft is ready, except for one nit. The draft mentions "Section 22 of [RFC8213]",
but RFC 8213 only has 6 sections. Since that RFC is entirely about "Security of
Messages Exchanged between Servers and Relay Agents", I don't understand why the
draft needs to mention this bogus "Section 22". Are the authors trying to trick
this reviewer?

There is a security issue concerning communication between clients and relays. This
draft is not the place to address it, which is why I think it is ready, but I can't
resist using this review to pass a message to the working group. On link attackers
could spoof requests for prefix delegation, or responses, just like
they can spoof any DHCP message. Spoofing prefix delegation requests might be a way
to attack networks, or to cause support issues between clients and providers.
RFC 8213 "suggests" using secure DHCPv6 between client and server, but the "secure
DHCPv6" draft cited in RFC 8213 is now expired. I understand that solutions like RA
Guard will in practice provide some protection, but the use of these solutions is
not discussed in RFC 8213. The DHCP WG might want to address that.
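The review describes the extra job a Prefix Delegating Relay has beyond a plain relay: it must install a route for the delegated prefix towards the client. The Python below is an added illustration of that step, not code from the draft, the thread or any relay implementation. It parses a DHCPv6 Relay-Reply using the RFC 8415 encodings (Relay-Reply type 13, Reply type 7, OPTION_RELAY_MSG 9, OPTION_IA_PD 25, OPTION_IAPREFIX 26) and derives the route entries the relay would install. Two assumptions are built in: the next hop for the delegated prefix is the peer-address carried in the Relay-Reply (the client as seen by this relay), and route state is derived only from server-originated Relay-Reply messages, never from anything arriving on the client side, which is the point the reviewer raises about spoofed client messages. A prefix with valid-lifetime 0 is treated as a withdrawal. The sample packet is constructed inline, not captured traffic.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes from RFC 8415
RELAY_REPL = 13
REPLY = 7
OPTION_RELAY_MSG = 9
OPTION_IA_PD = 25
OPTION_IAPREFIX = 26


def parse_options(buf):
    """Yield (code, body) for each TLV option in buf; reject truncated options."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("option body runs past end of message")
        yield code, buf[off:off + length]
        off += length


def delegated_prefixes(ia_pd):
    """Return [(IPv6Network, valid_lifetime)] from the IAPREFIX sub-options of an IA_PD."""
    if len(ia_pd) < 12:               # IAID, T1, T2
        raise ValueError("IA_PD shorter than its fixed header")
    found = []
    for code, body in parse_options(ia_pd[12:]):
        if code != OPTION_IAPREFIX:
            continue
        if len(body) < 25:            # preferred, valid, prefix-len, 16-byte prefix
            raise ValueError("IAPREFIX shorter than its fixed header")
        _preferred, valid, plen = struct.unpack_from("!IIB", body, 0)
        addr = ipaddress.IPv6Address(body[9:25])
        found.append((ipaddress.IPv6Network((addr, plen), strict=False), valid))
    return found


def routes_from_relay_reply(pkt):
    """Derive the routes a PD relay installs from a server-originated Relay-Reply.

    Returns a list of {"prefix", "next_hop", "action"} dicts. Only a Relay-Reply
    whose relay-message is a Reply is considered (assumption: this relay is the
    one adjacent to the client, so peer-address is the client). Client-side
    messages never create route state; valid-lifetime 0 means withdraw.
    """
    if len(pkt) < 34 or pkt[0] != RELAY_REPL:
        return []                     # not from the server side: no route state
    peer = ipaddress.IPv6Address(pkt[18:34])   # peer-address field
    routes = []
    for code, body in parse_options(pkt[34:]):
        if code != OPTION_RELAY_MSG or len(body) < 4 or body[0] != REPLY:
            continue                  # nested Relay-Reply or other types: skip
        for icode, ibody in parse_options(body[4:]):
            if icode != OPTION_IA_PD:
                continue
            for prefix, valid in delegated_prefixes(ibody):
                routes.append({
                    "prefix": str(prefix),
                    "next_hop": str(peer),
                    "action": "withdraw" if valid == 0 else "add",
                })
    return routes


def build_option(code, body):
    return struct.pack("!HH", code, len(body)) + body


def build_sample_relay_reply(prefix, valid_lifetime):
    """Constructed sample (not captured traffic): a Relay-Reply carrying a Reply
    with one IA_PD/IAPREFIX for the given prefix; addresses are documentation values."""
    net = ipaddress.IPv6Network(prefix)
    iaprefix = build_option(OPTION_IAPREFIX,
                            struct.pack("!IIB", 1800, valid_lifetime, net.prefixlen)
                            + net.network_address.packed)
    ia_pd = build_option(OPTION_IA_PD, struct.pack("!III", 1, 900, 1440) + iaprefix)
    reply = bytes([REPLY]) + b"\x12\x34\x56" + ia_pd          # Reply + transaction-id
    link_addr = ipaddress.IPv6Address("2001:db8::1").packed
    peer_addr = ipaddress.IPv6Address("fe80::1").packed
    return (bytes([RELAY_REPL, 0]) + link_addr + peer_addr
            + build_option(OPTION_RELAY_MSG, reply))


if __name__ == "__main__":
    for route in routes_from_relay_reply(build_sample_relay_reply("2001:db8:1000::/56", 7200)):
        print(route)
```

Feeding the relay a Relay-Forward or a bare client message yields no routes, and the length checks in `parse_options` mean a malformed option cannot push the parser past the end of the buffer; both are the properties a relay operator would want to verify before trusting the route table to this path.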