Re: [secdir] Secdir review of draft-ietf-dhc-pd-exclude-04

jouni korhonen <jouni.nospam@gmail.com> Thu, 09 February 2012 15:31 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D60CC21F870A; Thu, 9 Feb 2012 07:31:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xEgqF6Tu-yET; Thu, 9 Feb 2012 07:31:22 -0800 (PST)
Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6269021F8593; Thu, 9 Feb 2012 07:31:21 -0800 (PST)
Received: by lahl5 with SMTP id l5so1860817lah.31 for <multiple recipients>; Thu, 09 Feb 2012 07:31:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=0FYmagLy9/0hB2KQhXQAxRyYgLa2ESYUDprCTd2E+E4=; b=r6cOROOQ7k7BrHP4SxXHhG5RpR0xJQrmsE8dqOJxABX2YHqnLTH67z51MvStOfGzUF 8ohsw9YsBao4edleKtfv1WWJEW0L0Rl5CzRjRRcd+8UZE5na5CTDINUO+3h+GrpfiPFT 6LoCMSRfa2lxjoM7P/c3JoznNesB1MRemn0d8=
Received: by 10.112.84.1 with SMTP id u1mr765706lby.35.1328801480346; Thu, 09 Feb 2012 07:31:20 -0800 (PST)
Received: from a88-114-172-138.elisa-laajakaista.fi (a88-114-172-138.elisa-laajakaista.fi. [88.114.172.138]) by mx.google.com with ESMTPS id i9sm2418381lbz.3.2012.02.09.07.31.18 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 09 Feb 2012 07:31:19 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="iso-8859-1"
From: jouni korhonen <jouni.nospam@gmail.com>
In-Reply-To: <CADajj4ZL8KQ0MYnrLYg8tZ1v6AxeZUQVb4eyVp29HbOT1HtCdQ@mail.gmail.com>
Date: Thu, 09 Feb 2012 17:31:16 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E344EA83-3107-4FB1-8E32-1C7FAD718EA2@gmail.com>
References: <CADajj4Z5RY5B-4Dj7RbYh2SXKTVF=v1W0zii3QoD=BTnX4b3eQ@mail.gmail.com> <CD5E540F-6B65-462D-AF5C-4CC45E402F9F@gmail.com> <CADajj4ZL8KQ0MYnrLYg8tZ1v6AxeZUQVb4eyVp29HbOT1HtCdQ@mail.gmail.com>
To: Magnus Nyström <magnusn@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: draft-ietf-dhc-pd-exclude@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-dhc-pd-exclude-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 15:31:23 -0000

Hi,

That works for me. I'll do the update in the next revision.

- Jouni

On Feb 9, 2012, at 9:38 AM, Magnus Nyström wrote:

> Thanks Jouni; the text in RFC 3633 looks great. Maybe you could update
> the security considerations section in your draft to say (add after
> current last sentence):
> 
> "In particular, RFC 3633 provides recommendations for protection
> against prefix delegation attacks. This specification does not add any
> new security considerations beyond those provided by RFC 3633."
> 
> 
> ? This way, the reader will immediately know that it is covered by 3633.
> 
> -- Magnus
> 
> On Wed, Feb 8, 2012 at 11:24 PM, jouni korhonen <jouni.nospam@gmail.com> wrote:
>> 
>> Magnus,
>> 
>> Thank you for your review. Regarding the authentication of the excluded
>> prefix. I admit the security considerations text is thin but, for example,
>> RFC3633 security considerations that we refer to already says:
>> 
>>   To guard against attacks through prefix delegation, requesting
>>   routers and delegating routers SHOULD use DHCP authentication as
>>   described in section 21, "Authentication of DHCP messages" of RFC
>>   3315.  For point to point links, where one trusts that there is no
>>   man in the middle, or one trusts layer two authentication, DHCP
>>   authentication or IPsec may not be necessary.  Because a requesting
>> 
>> We did not come up with anything more specific that should be added.
>> Does the above address your concern regarding excluded prefix authentication?
>> 
>> We can add a sentence to the Security considerations saying:
>> 
>> "This specification does not add any new security considerations
>>  in addition to those already discussed in RFC3315 and RFC3633."
>> 
>> 
>> - Jouni
>> 
>> 
>> On Feb 9, 2012, at 8:43 AM, Magnus Nyström wrote:
>> 
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the
>>> IESG.  These comments were written primarily for the benefit of the
>>> security area directors. Document editors and WG chairs should treat
>>> these comments just like any other last call comments.
>>> 
>>> This document defines a method for DHCPv6 routers to exclude a prefix
>>> out of a delegated set of prefixes.
>>> 
>>> I have no comments on the document itself but the Security
>>> Considerations section is very terse. If the method in this draft does
>>> not introduce any new security considerations beyond those already
>>> present in RFC 3315 or RFC 3633 then it should at least say so. It
>>> appears to me however that something could be said about
>>> authenticating the request to exclude a particular prefix?
>>> 
>>> -- Magnus
>> 
> 
> 
> 
> -- 
> -- Magnus