
RE: DHCP auth in unmanaged [Re: WG Last Call: draft-ietf-v6ops-unmaneval-01.txt]

On Fri, 2 Apr 2004, Pekka Savola wrote:
>I'd maybe add here:
>      In a typical scenario, the link between the user and the ISP is 
>      point-to-point, set up using some (semi-)trusted mechanism, and 
>      DHCP authentication is not deemed necessary.  In some other 
>      cases, the link is shared between the users, but the customers
>      are isolated from each other using special techniques such as 
>      proxy ARP; in these scenarios, DHCP authentication may not be 
>      required either.  However, there are a few rather rare cases 
>      where the customers really share a network, and in such a 
>      network DHCP authentication is required; key management, 
>      however, may prove a challenge.

In these "few rather rare cases" aren't there bigger problems than just
DHCPv6? Many other protocols are subject to attacks if this link isn't
secure, so securing DHCPv6 doesn't really buy you much.

Key distribution / management is a challenge. That's one reason why the
DHCPv6 authentication mechanism is extensible - if and when better
mechanisms can be developed, they can be added. For example, perhaps
when SEND is adopted we can look at using some of its techniques to
either secure DHCPv6 multicast traffic OR add a new authentication
protocol for DHCPv6. But this may not be that critical if there are only a
few rare cases where it would add much value (and those cases would likely
only marginally benefit from a secure DHCPv6 protocol)?

>>     Security issues associated with DHCP and prefix delegation are
>>     addressed in the "Security Considerations" section of RFC 3315
>>     and RFC 3633, respectively.
>I don't think the security issues have been sufficiently addressed in 
>those documents.

Can you be a bit more specific about what is missing from these
documents? The DHC WG would certainly like this input for future
revisions of these standards track documents. Sorry if you've posted
these previously, but I just recently started subscribing to this
mailing list. Thanks!

- Bernie Volz
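The "DHCPv6 authentication mechanism" the message refers to is the Authentication option of RFC 3315 (option code 11), whose leading protocol/algorithm/RDM bytes are what make it extensible. The example below is an added illustration, not code from the thread or from any DHCP implementation: it builds a DHCPv6 message carrying a delayed-authentication option (protocol 2, HMAC-MD5, counter-based replay detection), then validates it the way a server would, rejecting a replayed counter, a tampered message and an unknown key before advancing any replay state. The option layout follows RFC 3315 section 21.4 as recalled here (realm, 4-byte key ID and a 16-byte digest computed with the digest field zeroed); the realm, key ID, shared key and client DUID are constructed test values. Note that the key lookup table is exactly the piece RFC 3315 leaves to the operator, which is the key-management gap the message points out; RFC 8415 later dropped the delayed authentication protocol altogether, keeping only the reconfigure-key protocol.

```python
import hashlib
import hmac
import struct

# RFC 3315 constants (section 21 and 22.11)
OPTION_AUTH = 11        # Authentication option code
PROTO_DELAYED = 2       # delayed authentication protocol
ALG_HMAC_MD5 = 1        # the only algorithm RFC 3315 defines for it
RDM_COUNTER = 0         # replay detection: monotonically increasing counter
OPTION_CLIENTID = 1
SOLICIT, ADVERTISE = 1, 2
DIGEST_LEN = 16


def encode_option(code, data):
    """DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def build_message(msg_type, xid, options, realm, key_id, key, counter):
    """Assemble msg-type | 3-byte transaction-id | options | Authentication option.

    The HMAC-MD5 covers the whole message with the digest field zeroed, so the
    option is appended with a zero placeholder first and patched afterwards.
    """
    auth = struct.pack("!BBBQ", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, counter)
    auth += realm + struct.pack("!I", key_id) + bytes(DIGEST_LEN)
    msg = (struct.pack("!B", msg_type) + xid.to_bytes(3, "big")
           + b"".join(options) + encode_option(OPTION_AUTH, auth))
    digest = hmac.new(key, msg, hashlib.md5).digest()
    return msg[:-DIGEST_LEN] + digest


def iter_options(msg):
    """Yield (code, offset_of_payload, payload) for each option after the 4-byte header."""
    off = 4
    while off + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, off)
        yield code, off + 4, msg[off + 4:off + 4 + length]
        off += 4 + length


def verify_message(msg, keys, replay_state):
    """Validate a received message. Returns (accepted, reason).

    keys:         {(realm, key_id): shared_key}, the operator-provisioned table
    replay_state: {(realm, key_id): last accepted counter}, advanced only on success
    """
    auths = [(off, data) for code, off, data in iter_options(msg) if code == OPTION_AUTH]
    if len(auths) != 1:                       # RFC 3315: more than one auth option => discard
        return False, "expected exactly one Authentication option"
    data_off, data = auths[0]
    if len(data) < 3 + 8 + 4 + DIGEST_LEN:
        return False, "truncated Authentication option"
    proto, alg, rdm, counter = struct.unpack_from("!BBBQ", data, 0)
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        return False, "unsupported protocol/algorithm/RDM"
    realm = data[11:-(4 + DIGEST_LEN)]        # variable-length realm sits between counter and key ID
    key_id = struct.unpack_from("!I", data, len(data) - (4 + DIGEST_LEN))[0]
    received = data[-DIGEST_LEN:]
    key = keys.get((realm, key_id))
    if key is None:
        return False, "unknown realm/key id"
    if counter <= replay_state.get((realm, key_id), -1):
        return False, "replayed"              # counter must strictly increase
    digest_off = data_off + len(data) - DIGEST_LEN
    zeroed = msg[:digest_off] + bytes(DIGEST_LEN) + msg[digest_off + DIGEST_LEN:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return False, "HMAC mismatch"
    replay_state[(realm, key_id)] = counter   # only authenticated traffic advances the window
    return True, "ok"


def demo():
    """Exercise accept and reject paths; every value here is constructed test data."""
    key = b"constructed-shared-secret"
    realm, key_id = b"example.net", 7
    keys = {(realm, key_id): key}
    state = {}
    client_id = encode_option(OPTION_CLIENTID, bytes.fromhex("000100060102030405060708"))
    out = {}
    m1 = build_message(SOLICIT, 0xABCDEF, [client_id], realm, key_id, key, counter=1)
    out["genuine"] = verify_message(m1, keys, state)
    out["replay"] = verify_message(m1, keys, state)           # same counter presented again
    m2 = bytearray(build_message(SOLICIT, 0xABCDF0, [client_id], realm, key_id, key, counter=2))
    m2[0] = ADVERTISE                                          # on-link attacker flips the message type
    out["tampered"] = verify_message(bytes(m2), keys, state)
    m3 = build_message(SOLICIT, 0xABCDF1, [client_id], realm, key_id, b"wrong-key", counter=3)
    out["wrong_key"] = verify_message(m3, keys, state)
    out["state"] = state[(realm, key_id)]                      # still 1: rejected messages did not advance it
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay check runs before the HMAC so a forged message cannot burn server CPU on digests, but the counter is only recorded after the digest verifies; otherwise an attacker on the shared link could advance the window with unauthenticated packets and lock out the real client.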