Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 02 December 2008 23:03 UTC
Return-Path: <secdir-bounces@ietf.org>
X-Original-To: secdir-archive@ietf.org
Delivered-To: ietfarch-secdir-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3426028C21E; Tue, 2 Dec 2008 15:03:47 -0800 (PST)
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1741528C219; Tue, 2 Dec 2008 15:03:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DNo4FQP2gqZ; Tue, 2 Dec 2008 15:03:45 -0800 (PST)
Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by core3.amsl.com (Postfix) with ESMTP id 188F228C213; Tue, 2 Dec 2008 15:03:44 -0800 (PST)
Received: from 99-205-118-9.pools.spcsdns.net (99-205-118-9.pools.spcsdns.net [99.205.118.9]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id mB2N3Vhg003060 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Dec 2008 18:03:34 -0500 (EST)
Date: Tue, 02 Dec 2008 18:03:30 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: John C Klensin <john-ietf@jck.com>, Ralph Droms <rdroms@cisco.com>, Samuel Weiler <weiler@watson.org>
Message-ID: <C474E77702BC43C909166102@atlantis.pc.cs.cmu.edu>
In-Reply-To: <200812022101.mB2L1Ftf002108@raisinbran.srv.cs.cmu.edu>
References: <alpine.BSF.1.10.0811260255330.4213@fledge.watson.org> <90AC45ED-BF49-46ED-A35A-14E1BF699959@cisco.com> <200812022101.mB2L1Ftf002108@raisinbran.srv.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.201.16
Cc: Richard Johnson <raj@cisco.com>, IETF Discussion <ietf@ietf.org>, secdir@ietf.org, dhc Chairs <dhc-chairs@tools.ietf.org>, IESG IESG <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: secdir-bounces@ietf.org
Errors-To: secdir-bounces@ietf.org
--On Tuesday, December 02, 2008 03:53:58 PM -0500 John C Klensin <john-ietf@jck.com> wrote: > > > --On Tuesday, 02 December, 2008 15:23 -0500 Ralph Droms > <rdroms@cisco.com> wrote: > >> Sam - I think most of the issues in your review of >> draft-raj-dhc-tftp-addr-option-04 can be resolved by reviewing >> the purposes of RFC 3942 and publishing Informational RFCs >> describing DHCP option codes. Fundamentally, the reason to >> publish RFCs under the process described in RFC 3942 is to >> document existing uses of option codes in the range of option >> codes reclaimed for assignment to new DHCP options. The >> concern is to avoid conflicts between new options and those >> grandfathered ("hijacked") option codes. As such, these RFCs >> (usually Informational) simply document the already >> ... >> Responding to some of your specific points: >> >>>> At the very least, I suggest mandating the use of DHCP Auth >>>> and removing the suggestion to use option 66 to enhance >>>> security. And, in the absence of a more data about how >>>> widely used this option is, I suggest not publishing this >>>> document at all. >> >> The consensus of the dhc WG, to which I concur, is to publish >> the document as Informational. The text in the Security >> Considerations section about option 66 might be removed. >> ... >> To reiterate, it's not so much a question of whether a new >> code point is needed; rather, according to the procedures >> described in RFC 3942, this document gives a description of an >> existing use of option code 150. That option code is in use >> ... > > Ralph, > > It seems to me that there is a middle ground here. One can > stick with Informational publication as the WG intends, but > still modify the Security Considerations section, not only to > remove the reference to option 66 (if there is consensus that is > appropriate) but to add some explanation about why the use of > this option without authentication might be problematic. > > Put differently, your objection to Sam's suggestion seems to > hinge on "just describe the existing practice, don't try to > change it in this document". Given RFC 3492, that is entirely > reasonable. But, if there are relatively obvious difficulties > with that practice, it seems to me that documenting them would > be helpful (indeed that not doing so borders on irresponsible). I'm inclined to agree with John here. _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir
- [secdir] secdir review of draft-raj-dhc-tftp-addr… Samuel Weiler
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Ralph Droms
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… John C Klensin
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Samuel Weiler
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jari Arkko
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Ralph Droms
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Ralph Droms
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Cullen Jennings
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Samuel Weiler