[secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Christian Huitema via Datatracker <noreply@ietf.org> Fri, 04 December 2020 20:03 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1])
by ietfa.amsl.com (Postfix) with ESMTP id F3AB33A0FF8;
Fri, 4 Dec 2020 12:03:16 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Christian Huitema via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org,
draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160711219694.2677.7881042583251252532@ietfa.amsl.com>
Reply-To: Christian Huitema <huitema@huitema.net>
Date: Fri, 04 Dec 2020 12:03:16 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/flvSYfjzQxzJH-um0-4bOs0hlwE>
Subject: [secdir] Secdir last call review of
draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>,
<mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>,
<mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 20:03:17 -0000
Reviewer: Christian Huitema Review result: Ready This document presents a set of requirements for how "Prefix Delegating Relays" should handle the relaying of IPv6 Prefix delegation requests between DHCP clients and DHCP servers. This document is Ready. But please fix one tiny nit. Prefix Delegating Relays are more complex than simple DHCP relays. Instead of merely passing information back and forth between DHCP clients and DHCP servers, they also need to install IPv6 routes so the allocated IPv6 prefix is routed towards the client to which the prefix is allocated via DHCP. The document explains issues found during past deployments, and presents a set of requirements to ensure smooth operation of the service. As written in the security section, stating these requrements does not add any new security considerations beyond those mentioned in RFC 8213, which requires using IPSEC between DHCP relay and DHCP server. This is fine and I believe that the draft is ready, except for one nit. The draft mentions "Section 22 of [RFC8213]", but RFC 8213 only has 6 sections. Since that RFC is entirely about "Security of Messages Exchanged between Servers and Relay Agents", I don't understand why the draft needs to mention this bogus "Section 22". Are the authors trying to trick this reviewer? There is a security issue concerning communication between clients and relays. This draft is not the place to address it, which is why I think it is ready, but I can't resist using this review to pass a message to the working group. On link attackers could spoof requests for prefix delegation, or responses, just like they can spoof any DHCP message. Spoofing prefix delegation requests might be a way to attack networks, or to cause support issues between clients and providers. RFC 8213 "suggests" using secure DHCPv6 between client and server, but the "secure DHCPv6" draft cited in RFC 8213 is now expired. I understand that solutions like RA Guard will in practice provide some protection, but the use of these solutions are not discussed in RFC 8213. The DHCP WG might want to address that.
- [secdir] Secdir last call review of draft-ietf-dh… Christian Huitema via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Naveen Kottapalli
- Re: [secdir] Secdir last call review of draft-iet… Bernie Volz (volz)
- Re: [secdir] [Last-Call] Secdir last call review … Ted Lemon
- Re: [secdir] [Last-Call] Secdir last call review … Christian Huitema
- Re: [secdir] [Last-Call] Secdir last call review … Christian Huitema
- Re: [secdir] [Last-Call] Secdir last call review … Bernie Volz (volz)
- Re: [secdir] [Last-Call] Secdir last call review … Christian Huitema