Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04

From: Jeffrey Hutzelman <jhutz at cmu.edu>
To: Cullen Jennings <fluffy at cisco.com>, Ralph Droms <rdroms at cisco.com>
Cc: "Richard Johnson \(raj\)" <raj at cisco.com>, IETF Discussion <ietf at ietf.org>, secdir at ietf.org, draft-raj-dhc-tftp-addr-option at tools.ietf.org, dhc Chairs <dhc-chairs at tools.ietf.org>, Samuel Weiler <weiler at watson.org>, IESG IESG <iesg at ietf.org>, John C Klensin <john-ietf at jck.com>
Date: Sun, 07 Dec 2008 15:51:10 -0500
In-reply-to: <200812071918.mB7JIkwI004440 at grapenut.srv.cs.cmu.edu>
References: <alpine.BSF.1.10.0811260255330.4213 at fledge.watson.org> <90AC45ED-BF49-46ED-A35A-14E1BF699959 at cisco.com> <56DEB14D23377D001B19EFE5 at p3.int.jck.com><493661F5.10705 at piuha.net> <B111CDE5-E8D0-4C96-AD53-B8580274F949 at cisco.com> <200812071918.mB7JIkwI004440 at grapenut.srv.cs.cmu.edu>

--On Sunday, December 07, 2008 12:18:37 PM -0700 Cullen Jennings<fluffy at cisco.com> wrote:


I find the claim that attacks are easier to do with "VoIP Configuration
Server Address" than the "TFTP Server Name" to be pretty dubious.


Me too.

That said, I think this security discussion is going the wrong direction.
What is common practice, and what I think this should suggest, is that
DHCP can be spoofed in some cases. The correct thing to do is to secure
the object that is retrieved via tftp.


I'm inclined to agree with this, in principle.

In practice, that requires either preconfiguration, which sort of defeatsthe point of using DHCP, or a closed system like firmware updates signed bya device manufacturer, where not only the network but also the user andDHCP server operator are untrusted.

If we're talking about an option which will only ever be used to tellphones where to download new firmware, then this is fine. If we're talkingabout an option which will be used by network operators to provideconfiguration to phones (in order to avoid manual configuration), or ingeneral to provide a TFTP server address for whatever is the next step inthe boot process, then "secure the object" sounds like good advice but IMHOis less practical than "configure your network to prevent DHCP spoofing".

There are ways to mitigate DHCP spoofing but
discussion of those is outside scope of this draft.

I agree that discussion of how to mitigate DHCP spoofing is out of scope.However, I think recommending that operators do so is appropriate.



_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www.ietf.org/mailman/listinfo/ietf

References:
- secdir review of draft-raj-dhc-tftp-addr-option-04
  - From: Samuel Weiler
- Re: secdir review of draft-raj-dhc-tftp-addr-option-04
  - From: Ralph Droms
- Re: secdir review of draft-raj-dhc-tftp-addr-option-04
  - From: John C Klensin
- Re: secdir review of draft-raj-dhc-tftp-addr-option-04
  - From: Jari Arkko
- Re: secdir review of draft-raj-dhc-tftp-addr-option-04
  - From: Ralph Droms

Prev by Date: Re: secdir review of draft-raj-dhc-tftp-addr-option-04
Next by Date: Re: Review of draft-ietf-nfsv4-pnfs-block-10
Previous by thread: Re: secdir review of draft-raj-dhc-tftp-addr-option-04
Next by thread: Re: secdir review of draft-raj-dhc-tftp-addr-option-04
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.