Re: [secdir] Security review of draft-ietf-dhc-dhcpv6-prefix-length-hint-issue-05
tianxiang li <peter416733@gmail.com> Fri, 10 February 2017 12:54 UTC
Return-Path: <peter416733@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D92B11295B2; Fri, 10 Feb 2017 04:54:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6degDeecsNx0; Fri, 10 Feb 2017 04:54:28 -0800 (PST)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C94F128E19; Fri, 10 Feb 2017 04:54:28 -0800 (PST)
Received: by mail-oi0-x229.google.com with SMTP id u143so20021014oif.3; Fri, 10 Feb 2017 04:54:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2aE0LWbmVSUdiF7Y19fFS3A1wXWf7VlNn0B/EGdOJ64=; b=FRWbZhUj/oWRZ+61BvY3dPjIsiy1owH7B8gb7WyfqlUWEGt8g2oL9L1g9A2nioG9MR dRHEhEOto3e2Rwcdb7C7NOwHiEWEribbK1bk9bwSnJbpXJXDsixGndYeG2jZqJP568Xp 3Nk+L7t+vDUXom6Hq7dqDN+rWmyPYXR3ALQTt2y+C5YiJM1RqvmJ4C55jb+UvCTm5zAJ ARnDW6icM6SBCf+tCriytbAzi/maxAQKcb8ZGL/uFTiwFLwGEW84o0aHfhU1grEqAldr I0uzqw5SFcXoVUYOhqrki6Jw1yTFtlDtPzMoHXx3KbtVYon0/1EOVY4MMlE6BqRLFpTt SgOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2aE0LWbmVSUdiF7Y19fFS3A1wXWf7VlNn0B/EGdOJ64=; b=JiYznS+i9kKdFS4K7t6yeht0F5ubPmhz2OfjsHtabvg+uOBFg8dbZ281u6jWh85c1h XNG4ZPHzi80XgmTo1+vD4otCVaCJbbUylJXHyCf15dHny2yD/TETBih61gMpYxbdcTYy CxYgmmw/+98U3GFEJM20DrsSbzN14oSuxf6ghfoOnRpo9Q7J+ag3gq0Uh1si0bjnBewL B15h3o7RAstihhVvnI3B0r3jT+Rd6GkTrc0xsnSn4oFpmZVMoDy6+HopDDKC2VvSzYtm neFWuNReoEJx3Zmc2eO5DuLMYGVelvPIml9ykIk7jZwJzBsnfD09WCxfmXMQkSpB+l72 2TYQ==
X-Gm-Message-State: AMke39k90J9AzoIhFBqZrCaD3SSdwFdXDNoFC+japRtcsy3akufyXw/PAJ6wmucoR/bUYpRVZ4PKF45lBmPEkw==
X-Received: by 10.202.219.9 with SMTP id s9mr4772561oig.88.1486731267824; Fri, 10 Feb 2017 04:54:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.202.1.202 with HTTP; Fri, 10 Feb 2017 04:53:47 -0800 (PST)
In-Reply-To: <201702092050.v19Ko9mi018578@rumpleteazer.rhmr.com>
References: <201702092050.v19Ko9mi018578@rumpleteazer.rhmr.com>
From: tianxiang li <peter416733@gmail.com>
Date: Fri, 10 Feb 2017 20:53:47 +0800
Message-ID: <CAFx+hEPkdm51X0=nWurkgzfoZE++320-0HEz8okr8_49C44_pA@mail.gmail.com>
To: Hilarie Orman <hilarie@purplestreak.com>
Content-Type: multipart/alternative; boundary="001a113d3d2e1861ae05482c9917"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wY1z3Z_gosUO222R4ote2GC_O2w>
Cc: draft-ietf-dhc-dhcpv6-prefix-length-hint-issue.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-dhc-dhcpv6-prefix-length-hint-issue-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 12:54:30 -0000
Hi Hilarie, Thank you for the review, please see inline. Cheers, Tianxiang 2017-02-10 4:50 GMT+08:00 Hilarie Orman <hilarie@purplestreak.com>: > Security review of DHCPv6 Prefix Length Hint Issues > draft-ietf-dhc-dhcpv6-prefix-length-hint-issue-05 > > Do not be alarmed. I have reviewed this document as part of the > security directorate's ongoing effort to review all IETF documents > being processed by the IESG. These comments were written primarily > for the benefit of the security area directors. Document editors and > WG chairs should treat these comments just like any other last call > comments. > > The document gives advice on how servers and clients can handle DHCP cases > in which the client requests a particular prefix length and the server > cannot exactly match it. > > This statement is very difficult to interpret: > "the server SHOULD provide the prefix with the shortest length > possible which is closest to the prefix-length hint value." > This alternative in section 3.6 makes more sense: > "assign a prefix of at least the hint length (or shorter) if one is > available." > > [Tianxiang]Thanks for pointing that out, the sentence in section 3.2 is a bit confusing, we could change it as follow: OLD: ... the server SHOULD try to provide a prefix matching the prefix-length value, or the prefix with the shortest length possible which is closest to the prefix-length hint value." NEW: ...the server SHOULD provide a prefix matching the prefix-length hint, or a prefix which is length is shorter and as close as possible to the prefix-length hint. > I do not see any obvious security flaws, but my opinion is tempered by > the lack of prior discussion. The security considerations refer to > RFC3633 "IPv6 Prefix Options for DHCPv6", and that refers to ongoing > development of IPsec for DHCPv6. As nearly as I can tell, that work > was never done. That makes it difficult to have confidence in the "no > new security considerations" claim. > > [Tianxiang] Do you have some suggestions as to how we should address this issue? I think one solution would be to change the Security Considerations section as follow: OLD: This document introduces no new security considerations over those already discussed in section 15 of RFC3633, as this document provides guidance on how the clients and servers interact with regard to the prefix-length hint mechanism introduced in RFC3633. NEW: This document provides guidance on how the clients and servers interact with regard to the prefix-length hint mechanism introduced in RFC3633, security considerations regarding DHCPv6 prefix delegation are described in section 15 of RFC 3633. > Some nits: > > Remove the comma in the first sentence of the introduction. > > "prefix which length" should be "prefix with length" or possibly > "prefix whose length". > > "The servers usually has a record" should be "The server usually has a > record". > > No comma in "When the client wants the same prefix back from the > server, and would prefer ...". > > [Tianxiang] Thank you, we will change this accordingly. > Hilarie >
- [secdir] Security review of draft-ietf-dhc-dhcpv6… Hilarie Orman
- Re: [secdir] Security review of draft-ietf-dhc-dh… tianxiang li