Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option

Sam Hartman <hartmans-ietf@mit.edu> Wed, 27 June 2012 19:00 UTC

To: "t.p." <daedulus@btconnect.com>
Cc: draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org, ietf <ietf@ietf.org>, secdir@ietf.org

>>>>> "t" == t p <daedulus@btconnect.com> writes:

    t> Just to make public what I have hinted at privately, I think that steps
    t> in section 4.1 may be somewhat underspecified.

    t> A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
    t> information but the Security Considerations stress the weakness of
    t> DHCP and recommend authenticating DHCP.  What if DHCP is secure
    t> and DNS is not?  Should DNS still be preferred?

Yes, probably.
DNS has been and will continue to be the dominant way to discover KDCs.
I see this as a specialized DHCP option for certain deployments, not
something you'll see in the enterprise for desktops or laptops as an
example.
I mean some people may deploy it, but I suspect that you won't see it in
most situations where DNS works well today.
So, basically in all cases, including preconfigured DNS servers, I'd
expect DNS to be preferred.

Note that choosing the right KDC does impact availability--if you have
the wrong KDC it won't work.
In general though, choosing the wrong KDC does not compromise
authentication. It's a bit more complex than that, but KDC location has
not generally been considered security sensitive.