[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] draft-miles-dhc-forcerenew-key-00

To: "MILES DAVID" <David.Miles at alcatel-lucent.com.au>, <dhcwg at ietf.org>
Subject: Re: [dhcwg] draft-miles-dhc-forcerenew-key-00
From: "Bernie Volz (volz)" <volz at cisco.com>
Date: Wed, 4 Mar 2009 16:46:50 -0500
Authentication-results: rtp-dkim-1; header.From=volz at cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Cc: James.Bristow at swisscom.com
Delivered-to: dhcwg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=3043; t=1236203211; x=1237067211; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=volz at cisco.com; z=From:=20=22Bernie=20Volz=20(volz)=22=20<volz at cisco.com> |Subject:=20RE=3A=20[dhcwg]=20draft-miles-dhc-forcerenew-ke y-00 |Sender:=20 |To:=20=22MILES=20DAVID=22=20<David.Miles at alcatel-lucent.co m.au>,=20<dhcwg at ietf.org>; bh=7QUgwt8Y21dX8Kh8lR+fsZbxHHPp9DMxe8IIEZt6PK4=; b=q7i87Tvk7WknUw7i4WdISb5eTUH3xSjykVritFDZE+NwSxO4jSK+Gp3QrI 0FpQ8pHRCc8NDB4RRUkRrXWWI6aH45q15dDodNCF5MhJ7JrdjHMOmBzaw6H5 8gs6qLzAw5;
In-reply-to: <986DCE2E44129444B6435ABE8C9E424D02D05FF1 at SGSINSMBS02.ad4.ad.alcatel.com>
List-archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: <dhcwg.ietf.org>
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <986DCE2E44129444B6435ABE8C9E424D02D05FF1 at SGSINSMBS02.ad4.ad.alcatel.com>
Thread-index: Acmc4VQNbGWUrFavTSWJ3wo97EHuSAAMGBIQ
Thread-topic: [dhcwg] draft-miles-dhc-forcerenew-key-00

I took a quick look at this and have a few questions/issues:

1. We already have 0-length data options in DHCPv4 (see
http://www.ietf.org/rfc/rfc4039.txt), so not sure what the value of
using a 1-byte data option is for the Forcerenew Key Protocol Capability
Option.

2. Why not use the same techniques as used for DHCPv6 ...

DISCOVER includes Forcerenew Key Protocol Capability Option.
OFFER includes Forcerenew Key Protocol Capability Option.
REQUEST includes Forcerenew Key Protocol Capability Option.
ACK includes Forcerenew Key Protocol Capability Option & Auth Option
(with key).

This avoids the need to send back the AUTH option in the OFFER (and the
need for Type of 0).

3. I don't understand why the following is needed:

   The client would indicate that it supports the functionality by
   inserting an Parameter Request List option (option 55, [RFC2131])
   containing option <TBD> in the DHCP Discover message.

The client has provided the option and if the server supports it, it
MUST send it back (if adopt #2 above). This is a "core" protocol option
so I see little value to also include it in the PRL.

4. While perhaps it doesn't matter much because it is easy to snoop
packets via promiscous mode anyway, but I wonder whether something needs
to be said about the BROADCAST ACK which contains the key (in DHCPv6,
messages to the client are always unicast)? Certainly something should
be said about it in the Security Considerations?


Otherwise, I see this as a good start on this and a good way to address
this capability.

- Bernie

-----Original Message-----
From: dhcwg-bounces at ietf.org [mailto:dhcwg-bounces at ietf.org] On Behalf
Of MILES DAVID
Sent: Wednesday, March 04, 2009 10:53 AM
To: dhcwg at ietf.org
Cc: James.Bristow at swisscom.com
Subject: [dhcwg] draft-miles-dhc-forcerenew-key-00

We have submitted a new draft for adding a new authentication protocol
to RFC 3118 for the DHCPv4 Forcerenew message. This new submission is
based on comments received on draft-vinokour-dhcp-reconfigure-option-00
that was presented at IETF 72 in Dublin. The mechanism in this draft is
re-using the DHCPv6 Reconfigure Key Authentication method per comments
received on the DHC WG mailing list.
This will be presented at IETF74 in San Francisco.

http://tools.ietf.org/html/draft-miles-dhc-forcerenew-key 

Filename:	 draft-miles-dhc-forcerenew-key
Revision:	 00
Title:		 Forcerenew Key Authentication
Creation_date:	 2009-03-03
WG ID:		 Independent Submission
Number_of_pages: 9

Abstract:
DHCP Forcerenew allows for the reconfiguration of a single host by
forcing the DHCP client into a Renew state on a trigger from the DHCP
server.  In Forcerenew Key Authentication the server exchanges a key
with the client on the initial DHCP ACK that is used for subsequent
validation of a Forcerenew message.


Cheers,

-David Miles
_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

Follow-Ups:
- [dhcwg] draft-miles-dhc-forcerenew-key-01
  - From: MILES DAVID
- Re: [dhcwg] draft-miles-dhc-forcerenew-key-00
  - From: MILES DAVID

References:
- [dhcwg] draft-miles-dhc-forcerenew-key-00
  - From: MILES DAVID

Prev by Date: [dhcwg] I-D Action:draft-ietf-dhc-vpn-option-11.txt
Next by Date: Re: [dhcwg] draft-miles-dhc-forcerenew-key-00
Previous by thread: [dhcwg] draft-miles-dhc-forcerenew-key-00
Next by thread: Re: [dhcwg] draft-miles-dhc-forcerenew-key-00
Index(es):
- Date
- Thread