Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 02 December 2008 17:30 UTC
Date: Tue, 02 Dec 2008 12:30:13 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Samuel Weiler <weiler@watson.org>, secdir@ietf.org
Message-ID: <3F83E569A47C23246D97043F@minbar.fac.cs.cmu.edu>
In-Reply-To: <200811260758.mAQ7wXhp017242@raisinbran.srv.cs.cmu.edu>
References: <200811260758.mAQ7wXhp017242@raisinbran.srv.cs.cmu.edu>
Cc: iesg@ietf.org, dhc-chairs@tools.ietf.org, raj@cisco.com, ietf@ietf.org
--On Wednesday, November 26, 2008 02:58:25 AM -0500 Samuel Weiler <weiler@watson.org> wrote:

> The security considerations section cites rogue DHCP servers as attack
> vectors, but doesn't do enough to encourage the use of DHCP Auth.

In many deployments, DHCP is used by devices which have no prior configuration, or at least no prior association with the network operator. In such scenarios, DHCP auth is frequently impractical. Instead, network operators take other measures to insure that only replies from legitimate DHCP servers ever reach clients. For example, they may configure switches to monitor and filter DHCP traffic such that responses can only come from a small set of trusted ports. I'm somewhat surprised that the document does not mention this approach, as it is fairly common.

I believe there may also be some confusion as to the meaning of option 66. This option has exactly the same semantics as the 'sname' field in the bootp packet, and is used in the event that field is overloaded to carry additional options. See RFC2132 sections 9.3, 9.4, 9.5, and the description of the option overload option starting at the bottom of page 23 of RFC2131.

So, putting a name in option 66 has exactly the same effect as putting it in the 'sname' field, which is well-defined for BOOTP requests, but not so well defined for DHCP replies (in fact, so far as I've been able to tell, neither BOOTP nor DHCP has anything to say on the semantics of this field other than that it's a "server host name", and calling option 66 "TFTP server name" is really misleading, because sname didn't actually mean that (*)).

In any case, the comment in the present document's security considerations that use of a name rather than an address is "more secure" is flawed in several ways. First, the DHCP server operator has no control over what options an attacker sends; if an attacker prefers to send an address, he can do so. Secondly, if a name is used, the attacker need only send a name in a zone which he controls; there is no need to subvert any part of the DNS.

I share Sam's confusion as to why a code point is needed here at all. What purpose does this option serve that is not served by the siaddr field?

-- Jeff

(*) In fact, I've seen at least one widespread client implementation that assumed that sname was the name of the server identified in the siaddr field, and updated /etc/hosts so that sname would resolve to siaddr.
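The sname/option 66 relationship Jeff describes, shown as an added example that is not part of his message or of any IETF document: a small parser that applies the RFC 2132 option-overload rule (option 52) and reports where a reply's "server host name" actually came from, next to the siaddr it does not necessarily match. The DHCP replies below are constructed for the example, and the fixed-offset layout (siaddr at 20, sname at 44, file at 108, cookie at 236) follows RFC 2131.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that starts the options field


def parse_options(buf):
    """Parse RFC 2132 TLV options from buf; stop at END (255), skip PAD (0)."""
    opts = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = buf[i + 1]
        opts.setdefault(code, buf[i + 2:i + 2 + length])  # first occurrence wins
        i += 2 + length
    return opts


def server_name_and_addr(pkt):
    """Return (siaddr, server host name, options) for a DHCP reply.

    Option 66 carries exactly the semantics of the 'sname' field; when option 52
    (overload) says 'sname' and/or 'file' hold options, those fields are parsed
    as options too and the name can only come from option 66.
    """
    siaddr = ".".join(str(b) for b in pkt[20:24])
    sname, file_ = pkt[44:108], pkt[108:236]
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(pkt[240:])
    overload = opts.get(52, b"\x00")[0]
    if overload & 1:  # 'file' field carries options
        for code, val in parse_options(file_).items():
            opts.setdefault(code, val)
    if overload & 2:  # 'sname' field carries options, so no name lives there
        for code, val in parse_options(sname).items():
            opts.setdefault(code, val)
        raw = opts.get(66, b"")
    else:
        raw = opts.get(66) or sname.split(b"\x00", 1)[0]
    return siaddr, raw.decode("ascii", "replace"), opts


def build_reply(siaddr, sname, file_, options):
    """Constructed minimal BOOTREPLY for the example (not captured traffic)."""
    hdr = bytes([2, 1, 6, 0]) + bytes(8)        # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(8) + bytes(siaddr) + bytes(4)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes(16)                            # chaddr
    return hdr + sname.ljust(64, b"\0") + file_.ljust(128, b"\0") + MAGIC + options


# Constructed samples: name in sname, and name moved to option 66 under overload=2.
PLAIN = build_reply([192, 0, 2, 10], b"tftp.example.net", b"pxelinux.0", bytes([53, 1, 5, 255]))
OVERLOADED = build_reply([192, 0, 2, 10], bytes([66, 16]) + b"boot.example.net" + b"\xff",
                         b"", bytes([53, 1, 5, 52, 1, 2, 255]))
```

Both replies carry the same siaddr; only the place the name is stored differs, which is why a client that treats option 66 as "the TFTP server" is reading a field with no defined link to siaddr.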