IETF Logo Mail Archive

Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04

Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 02 December 2008 17:30 UTC

Return-Path: <secdir-bounces@ietf.org>
X-Original-To: secdir-archive@ietf.org
Delivered-To: ietfarch-secdir-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24BFE28C1AC; Tue, 2 Dec 2008 09:30:24 -0800 (PST)
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C39FA28C199; Tue, 2 Dec 2008 09:30:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9PbizuNnlav; Tue, 2 Dec 2008 09:30:22 -0800 (PST)
Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by core3.amsl.com (Postfix) with ESMTP id CDF763A69F2; Tue, 2 Dec 2008 09:30:21 -0800 (PST)
Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id mB2HUDjG018330 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Dec 2008 12:30:13 -0500 (EST)
Date: Tue, 02 Dec 2008 12:30:13 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Samuel Weiler <weiler@watson.org>, secdir@ietf.org
Message-ID: <3F83E569A47C23246D97043F@minbar.fac.cs.cmu.edu>
In-Reply-To: <200811260758.mAQ7wXhp017242@raisinbran.srv.cs.cmu.edu>
References: <200811260758.mAQ7wXhp017242@raisinbran.srv.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.201.16
Cc: iesg@ietf.org, dhc-chairs@tools.ietf.org, raj@cisco.com, ietf@ietf.org
Subject: Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: secdir-bounces@ietf.org
Errors-To: secdir-bounces@ietf.org

--On Wednesday, November 26, 2008 02:58:25 AM -0500 Samuel Weiler 
<weiler@watson.org> wrote:

> The security considerations section cites rogue DHCP servers as attack
> vectors, but doesn't do enough to encourage the use of DHCP Auth.

In many deployments, DHCP is used by devices which have no prior 
configuration, or at least no prior association with the network operator. 
In such scenarios, DHCP auth is frequently impractical.  Instead, network 
operators take other measures to insure that only replies from legitimate 
DHCP servers ever reach clients.  For example, they may configure switches 
to monitor and filter DHCP traffic such that responses can only come from a 
small set of trusted ports.  I'm somewhat surprised that the document does 
not mention this approach, as it is fairly common.

I believe there may also be some confusion as to the meaning of option 66. 
This option has exactly the same semantics as the 'sname' field in the 
bootp packet, and is used in the event that field is overloaded to carry 
additional options.  See RFC2132 sections 9.3, 9.4, 9.5, and the 
description of the option overload option starting at the bottom of page 23 
of RFC2131.  So, putting a name in option 66 has exactly the same effect as 
putting it in the 'sname' field, which is well-defined for BOOTP requests, 
but not so well defined for DHCP replies (in fact, so far as I've been able 
to tell, neither BOOTP nor DHCP has anything to say on the semantics of 
this field other than that it's a "server host name", and calling option 66 
"TFTP server name" is really misleading, because sname didn't actually mean 
that(*).

In any case, the comment in the present document's security considerations 
that use of a name rather than an address is "more secure" is flawed in 
several ways.  First, the DHCP server operator has no control over what 
options an attacker sends; if an attacker prefers to send and address, he 
can do so.  Secondly, if a name is used, the attacker need only send a name 
in a zone which he controls; there is no need to subvert any part of the 
DNS.


I share Sam's confusion as to why a code point is needed here at all.  What 
purpose does this option serve that is not served by the siaddr field?

-- Jeff



(*) In fact, I've seen at least one widespread client implementation that 
assumed that sname was the name of the server identified in the siaddr 
field, and updated /etc/hosts so that sname would resolve to siaddr.
_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir

v2.23.0 | Report a Bug | By Email