Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
tglassey <tglassey@earthlink.net> Fri, 08 June 2012 14:23 UTC
Message-ID: <4FD20AE5.5060503@earthlink.net>
Date: Fri, 08 Jun 2012 07:23:33 -0700
From: tglassey <tglassey@earthlink.net>
To: "t.p." <daedulus@btconnect.com>
References: <21762_1337814743_q4NNCMPh008981_alpine.BSF.2.00.1205231837020.9762@fledge.watson.org> <1337881837.3279.45.camel@destiny.pc.cs.cmu.edu> <004a01cd4562$b7b338e0$4001a8c0@gateway.2wire.net>
In-Reply-To: <004a01cd4562$b7b338e0$4001a8c0@gateway.2wire.net>
Cc: draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org, ietf <ietf@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
On 6/8/2012 3:37 AM, t.p. wrote:
> Just to make public what I have hinted at privately, I think that steps
> in section 4.1 may be somewhat underspecified.
>
> They give the logic a client, one which supports both DHCP and DNS, should
> follow in order to find a KDC, with DNS information being preferred.

Yes, this is because the DNS auth models are better than DHCP today AFAIK.

> One scenario outlined in section 1 is of a user having entered userid and
> passphrase and waiting to be authenticated. The steps imply a number of
> timeouts in succession without specifying what balance to take of how long
> to wait for a server to respond versus how long to keep the user waiting.

True, but this is likely to be set in the client as a flat config value, one would think. And if so, this is actually a good thing you bring up, Tom. My take is that from a policy management standpoint the timeout period should be a "policy level" control IMHO and should have both a default value and a method of overriding it, to allow people, when they need to, to create a more "synchronous" expectation from a responder.

> I would find it difficult to know what balance to strike without guidance.
>
> A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
> information but the Security Considerations stress the weakness of
> DHCP and recommend authenticating DHCP. What if DHCP is secure
> and DNS is not? Should DNS still be preferred?

DNSSEC is clearly beyond DHCP security models, so perhaps for a working system this makes sense unless you want to create an autonomous DNS client which can exist in a pre-boot model. Pardon my restating the obvious, but "Still the issue is that DNS services don't work until they are loaded and DHCP is designed to work from a firmware boot (as we all know)". How does this fit into what NEA is supposed to provide as a baseline?

> Tom Petch
>
> ----- Original Message -----
> From: "Jeffrey Hutzelman" <jhutz@cmu.edu>
> To: "Samuel Weiler" <weiler+secdir@watson.org>
> Cc: <draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org>; <secdir@ietf.org>; <ietf@ietf.org>; <jhutz@cmu.edu>
> Sent: Thursday, May 24, 2012 6:50 PM
> Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
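As an added illustration of the timeout control argued for above (my own example, not code from the draft or from anyone in this thread): a discovery routine that tries DNS before DHCP as section 4.1 prefers, gives each lookup a policy default with a per-source override, caps the whole run by a user-wait budget, and, going one step beyond the thread, can be told to accept only authenticated answers so that an authenticated DHCP answer beats unsigned DNS. The resolver callbacks, the Policy fields and the clock are assumptions constructed so the code runs offline.

```python
# Added example (not from the draft or the thread): KDC discovery with the
# policy-level timeout the reply argues for; resolver callbacks are injected
# so it runs offline, and all names here are assumptions, not the draft's.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    default_timeout: float = 2.0               # per-lookup default (policy)
    overrides: dict = field(default_factory=dict)   # per-source override
    user_wait_budget: float = 5.0              # total seconds the user waits
    require_authenticated: bool = False        # assumed knob: DNSSEC/auth DHCP only

    def timeout_for(self, source: str) -> float:
        return self.overrides.get(source, self.default_timeout)

@dataclass
class KdcAnswer:
    kdc: str
    source: str           # "dns" or "dhcp"
    authenticated: bool   # DNSSEC-validated or authenticated DHCP

class FakeClock:          # constructed clock so the timeouts are deterministic
    now = 0.0

def simulated_lookup(clock, delay, answer):
    """Constructed resolver: answers after `delay` s or times out first."""
    def lookup(realm: str, timeout: float) -> Optional[KdcAnswer]:
        if answer is None or delay > timeout:
            clock.now += timeout          # caller waited the full timeout
            return None
        clock.now += delay
        return answer
    return lookup

def discover_kdc(realm, lookups, policy: Policy, clock):
    """Sources in order (DNS before DHCP per 4.1), each capped by policy and budget."""
    deadline = clock.now + policy.user_wait_budget
    for source, lookup in lookups:
        remaining = deadline - clock.now
        if remaining <= 0:
            break                         # user budget exhausted
        answer = lookup(realm, min(policy.timeout_for(source), remaining))
        if answer is None:
            continue                      # timed out or no data: next source
        if policy.require_authenticated and not answer.authenticated:
            continue                      # unauthenticated answer rejected
        return answer
    return None
```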