Re: WG Last Call: draft-ietf-v6ops-unmaneval-01.txt
On Fri, 19 Mar 2004, Ralph Droms wrote:
> In section 4.1.2, while the statement "The basic use of DHCP is insecure."
> is technically true, it does not apply to the discussion of DHCPv6 prefix
> delegation. Section 15 of RFC3396 gives specific guidelines for the use of
> DHCPv6 authentication for DHCPv6 PD. DHCPv6 authentication is defined as
> part of the base DHCPv6 specification, in section 21 of RFC3315.
Right.
> The statement "To be useful in such environment in practice, the practical
> details of managing the DHCP authentication need to be analyzed." needs to
> be explained. How is the authentication specified in RFC3315 and
> recommended for DHCPv6 PD in RFC3396 not adequate?
(Operational) key management seems problematic, even though DHCP
provides support for that.

Maybe reword:

   The basic use of DHCP is insecure. This may be a problem if the link
   between gateway and ISP is shared by multiple subscribers. DHCP
   specification includes authentication options, but does not describe
   the task of managing the keys, and how the information would be
   shared between the customer and the ISP. To be useful in such
   environment in practice, the practical details of managing the DHCP
   authentication need to be analyzed.

to:

   DHCP is insecure unless authentication is used. This may be a
   particular problem if the link between gateway and ISP is shared by
   multiple subscribers. DHCP specification includes authentication
   options, but the operational procedures for managing the keys and
   methods for sharing the required information between the customer
   and the ISP are unclear. To be secure in such environment in
   practice, the practical details of managing the DHCP authentication
   need to be analyzed.

Perhaps that is a bit more fair statement of the issue(s) involved.

> What are the security implications of ND proxy?
Roughly equal or slightly worse, but then again, it would probably not
be applicable in this specific ("multiple subscribers in one big LAN")
environment in any case.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings