[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] SLAAC and DDNS

To: <dhcwg at ietf.org>
Subject: Re: [dhcwg] SLAAC and DDNS
From: <Greg.Rabil at ins.com>
Date: Fri, 27 Feb 2009 13:15:22 -0600
Accept-language: en-US
Acceptlanguage: en-US
Delivered-to: dhcwg at core3.amsl.com
In-reply-to: <8E296595B6471A4689555D5D725EBB210B7493CB at xmb-rtp-20a.amer.cisco.com>
List-archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: <dhcwg.ietf.org>
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <1E4636828B4AD841900A31378A9FE3CD01132116C7 at usemp11.ins.com> <20090227174153.GA3954 at isc.org> <8E296595B6471A4689555D5D725EBB210B7493CB at xmb-rtp-20a.amer.cisco.com>
Thread-index: AcmZArTxQQm6QuyPR0aclMxFtX9IMQAB03LwAADzObA=
Thread-topic: [dhcwg] SLAAC and DDNS

Bernie,
> No protocol or client changes (provided the
client already supports DHCPv6 based address assignment - if it doesn't
having it do the Information-Request requires new code anyway). No new
draft to write.

I was more concerned about the case where the client and server support the "lightweight", stateless DHCPv6 protocol only.

David,

> The IPv6 source address of an Info-Request message is more likely a link-local address, and using this field presumes the client has only one address.  So you would have to specify that the client MUST select a source address specifically not in keeping with the usual guidelines for source address selection.  This isn't impossible, a client can bind the socket.

I suppose that's true, so the client would have to include an option telling the server about its IP address(es) in the Info-Request message.

> You'd also have to specify the client MUST include a client identifier option so that the server can manufacture a DHCID.  RFC 3315 states this is a SHOULD for information-request, only a MUST if authentication is in use.

Yes, I agree that it would need to be MUST to include client id.

> But, this method raises a security concern.
> The client does not have a TSIG key, but by using only the source
IPv6 address field and an FQDN option, it can ask a DHCPv6 server to perform an update on its behalf.  This mechanism simply extends DHCP to tunnel through DNS security, to bypass it.  Anyone can send that packet, and they can ask the DHCP server to update the zone with whatever contents they might have updated themselves - just limited to AAAA and DHCID RRs.

If the client-id is required, then the risk would be the same as with stateful DHCPv6 and the FQDN option, right?
 
Greg

Follow-Ups:
- Re: [dhcwg] SLAAC and DDNS
  - From: David W. Hankins

References:
- [dhcwg] SLAAC and DDNS
  - From: Greg.Rabil
- Re: [dhcwg] SLAAC and DDNS
  - From: David W. Hankins
- Re: [dhcwg] SLAAC and DDNS
  - From: Bernie Volz (volz)

Prev by Date: Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpinform-clarify-02.txt
Next by Date: Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpinform-clarify-02.txt
Previous by thread: Re: [dhcwg] SLAAC and DDNS
Next by thread: Re: [dhcwg] SLAAC and DDNS
Index(es):
- Date
- Thread