Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option

tglassey <tglassey@earthlink.net> Fri, 08 June 2012 14:23 UTC

To: "t.p." <daedulus@btconnect.com>
Cc: draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org, ietf <ietf@ietf.org>, secdir@ietf.org

On 6/8/2012 3:37 AM, t.p. wrote:
> Just to make public what I have hinted at privately, I think that steps
> in section 4.1 may be somewhat underspecified.
>
> They give the logic a client, one which supports both DHCP and DNS, should
> follow in order to find a KDC, with DNS information being preferred.
Yes, this is because the DNS auth models are better than DHCP today AFAIK.
> One scenario outlined in section 1 is of a user having entered userid and
> passphrase and waiting to be authenticated.  The steps imply a number of
> timeouts in succession without specifying what balance to take of how long
> to wait for a server to respond versus how long to keep the user waiting.
True but this is likely to be set in the client as a flat config value 
one would think.

And if so this is actually a good thing you bring up, Tom. My take is 
that from a policy management standpoint the timeout period should be a 
"policy level" control IMHO and should have both a default value and a 
method of overriding it to allow people, when they need to, to create a 
more "synchronous" expectation from a responder.
> I would find it difficult to know what balance to strike without
> guidance.
>
> A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
> information but the Security Considerations stress the weakness of
> DHCP and recommend authenticating DHCP.  What if DHCP is secure
> and DNS is not?  Should DNS still be preferred?
DNSSEC is clearly beyond DHCP security models so perhaps for a working 
system this makes sense unless you want to create an autonomous DNS 
client which can exist in a pre-boot model.

Pardon my restating the obvious but "Still the issue is that DNS 
services don't work until they are loaded and DHCP is designed to work 
from a firmware boot (as we all know)".

How does this fit into what NEA is supposed to provide as a baseline?
>
> Tom Petch
>
> ----- Original Message -----
> From: "Jeffrey Hutzelman" <jhutz@cmu.edu>
> To: "Samuel Weiler" <weiler+secdir@watson.org>
> Cc: <draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org>,
> <secdir@ietf.org>, <ietf@ietf.org>, <jhutz@cmu.edu>
> Sent: Thursday, May 24, 2012 6:50 PM
> Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
>