RE: [dhcwg] Response to IESG comments on draft-ietf-dhc-isnsoption-08.txt

To: "'Black_David@emc.com'" <Black_David@emc.com>,Charles Monia <cmonia@NishanSystems.com>,ElizabethRodriguez@ieee.org, rdroms@cisco.com, smb@research.att.com
Subject: RE: [dhcwg] Response to IESG comments on draft-ietf-dhc-isnsoption-08.txt
From: Charles Monia <cmonia@NishanSystems.com>
Date: Wed, 10 Sep 2003 11:58:09 -0700
Cc: narten@us.ibm.com, dhcwg@ietf.org, ips@ece.cmu.edu,mankin@isi.edu, Joshua Tseng <jtseng@NishanSystems.com>,Kevin Gibbons <kgibbons@NishanSystems.com>
Content-Type: text/plain
Delivered-To: ips-birlabor@sos.ece.cmu.edu
Delivered-To: ips-birlabor@ece.cmu.edu
Delivered-To: ips@sos.ece.cmu.edu
Delivered-To: ips@ece.cmu.edu
Sender: owner-ips@ece.cmu.edu

Hi All:

Another cut at the security section to address David Black's concerns.

=====================
Security:

DHCP security considerations are addressed in [RFC3118].  Among these is the
potential for a "man-in-the-middle" attack by a hostile entity modifying or
replacing the original iSNS option message. Unless some form of
authentication is implemented, an attacker may trick the iSNS client into
connecting into rogue iSNS servers.

To thwart such attacks, the DHCP response should be verified in some manner.
One approach is direct authentication via [RFC3118], when implemented.
Since this technology is not widely deployed, an alternative is to
authenticate the discovered iSNS server through use of IPSec or the iSNS
authentication block as described in [ISNS]. Of course, use of iSNS Server
authentication implies a site-wide policy requiring use of one of the
authentication methods specified in [ISNS] by all iSNS servers.

If no authentication is used and it is determined that the potential exists
for one of the attacks described in [RFC3118], then the DHCP option message
for iSNS should not be utilized.

======================


> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Friday, September 05, 2003 2:25 PM
> To: cmonia@NishanSystems.com; ElizabethRodriguez@ieee.org;
> rdroms@cisco.com; smb@research.att.com
> Cc: narten@us.ibm.com; dhcwg@ietf.org; ips@ece.cmu.edu; 
> Black_David@emc.com; mankin@isi.edu; 
> jtseng@NishanSystems.com; kgibbons@NishanSystems.com
> Subject: RE: [dhcwg] Response to IESG comments on 
> draft-ietf-dhc-isnsoptio n-08.txt
> 
> 
> At the risk of complicating this further, I don't think "RECOMMENDED" 
> is going to be the right solution, as "cannot obtain an 
> implementation" does not strike me as a "valid reason in particular 
> circumstances" (cf. RFC 2119) to ignore a "RECOMMENDED" requirement 
> statement.
> 
> I think the right thing to do here is to address Ralph's concern 
> directly rather than trying to craft language that avoids it.  In 
> other words, discuss the usefulness of DHCP Authentication, but point 
> out that it is not widely implemented, recommend its use  when 
> available (lower case "recommended"), and discuss alternative measures 
> that can prevent contact with a rogue iSNS server (e.g., in addition
> to not using the iSNS DHCP option, IPsec can provide 
> countermeasures based on setting policy for traffic to the 
> TCP port used by iSNS, but one has to have local policy 
> override the IPsec on/off setting in the iSNS DHCP option).
> 
> Thanks,

<stuff Deleted>

Thanks,
-- Charles
-----------------------------------------
Charles Monia
Senior Technology Consultant
Nishan Systems
email: cmonia@nishansystems.com
voice: (408) 519-3986
fax:   (408) 435-8385

Prev by Date: RE: NAT and SendTargets (was Errata to -20)
Next by Date: ASC/ASCQ for implicit termination (was iSCSI - Errata - to 20)
Prev by thread: RE: NAT and SendTargets (was Errata to -20)
Next by thread: ASC/ASCQ for implicit termination (was iSCSI - Errata - to 20)
Index(es):
- Date
- Thread

Home

Last updated: Thu Sep 11 09:19:30 2003
12890 messages in chronological order