[secdir] secdir review of draft-ietf-dhc-dhcp-privacy-03

<Steve.Hanna@infineon.com> Mon, 25 January 2016 19:56 UTC

Return-Path: <steve.hanna@infineon.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 787BF1A00A8; Mon, 25 Jan 2016 11:56:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.002
X-Spam-Status: No, score=-5.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id F-RIzdRAW6Nb; Mon, 25 Jan 2016 11:55:58 -0800 (PST)
Received: from smtp2.infineon.com (smtp2.infineon.com []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53CCA1A00B0; Mon, 25 Jan 2016 11:55:57 -0800 (PST)
X-SBRS: None
Received: from unknown (HELO mucxv003.muc.infineon.com) ([]) by smtp2.infineon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 25 Jan 2016 20:55:55 +0100
Received: from MUCSE607.infineon.com (unknown []) by mucxv003.muc.infineon.com (Postfix) with ESMTPS; Mon, 25 Jan 2016 20:55:55 +0100 (CET)
Received: from KLUSE612.infineon.com ( by MUCSE607.infineon.com ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 25 Jan 2016 20:55:54 +0100
Received: from KLUSE610.infineon.com ( by KLUSE612.infineon.com ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 25 Jan 2016 20:55:54 +0100
Received: from KLUSE610.infineon.com ([]) by KLUSE610.infineon.com ([]) with mapi id 15.00.1104.000; Mon, 25 Jan 2016 20:55:54 +0100
From: <Steve.Hanna@infineon.com>
To: <draft-ietf-dhc-dhcp-privacy.all@tools.ietf.org>
Thread-Topic: secdir review of draft-ietf-dhc-dhcp-privacy-03
Thread-Index: AdFXqEqgm+cNWUlLQ0Gb8Ueekql7fw==
Date: Mon, 25 Jan 2016 19:55:53 +0000
Message-ID: <d13d613b5e994c5eb1ba402a3d6aec07@KLUSE610.infineon.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-tm-as-product-ver: SMEX-
x-tm-as-result: No--39.262200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_d13d613b5e994c5eb1ba402a3d6aec07KLUSE610infineoncom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/mECt1BNxDZ20W26wgba_hZKIiOA>
Cc: iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-dhc-dhcp-privacy-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 19:56:00 -0000

I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the Security Area Directors.  Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments.

Summary: Ready with issues

I applaud the creation of this document. In today's environment, having a privacy analysis of DHCPv4 is quite valuable.

I am not a DHCP expert so I can't comment on any privacy issues that might have been missed but the document seems to be quite thorough in this respect.

I especially like the way that section 5 describes briefly how the privacy vulnerabilities listed in section 4 could be exploited. The attack methods listed here should motivate administrators and implementers to consider plugging them and even help folks convince their management that these issues should be addressed.

My only concern is that the Security Considerations section is not complete.

I would recommend adding a few more sentences to the Security Considerations section to point out that privacy flaws can substantially ease security attacks. For example, a targeted attack can use information leaked through DHCPv4 to determine the IP address of the targeted user or device. Then device type discovery or operating system discovery to identify the device type and OS version, enabling attacks tailored to known vulnerabilities of this device type and OS.

Further, the last sentence in the Security Considerations section would benefit from becoming a separate paragraph with a bit more elaboration. What are the security implications of client privacy and perhaps anonymity? Does this mean that client privacy has a downside? Or would clever attackers avoid disclosing anything about their identity through DHCP and only innocent users be the likely victims of DHCPv4 privacy problems?