
Re: [dhcwg] Accepting the following draft as WG work item (pending discussion)



Ted,

>However, this draft contains  
>no security precautions at all, meaning that it would be trivial for  
>an attacker to trigger a renew on a client that implemented it.   So  
>I'd be against adopting this draft as it stands as a WG item.

The intention was to use this in networks using Broadband Forum TR-101
architectures or similar (per the introduction). These networks are
usually configured to prevent forwarding of traffic between user ports.
I think this would mitigate the attack vector you suggest. An attacker
would need to be in-line (between DHCP client and access node) to issue
this renew and if a MITM approach was exploited the use of a nonce would
be similarly vulnerable.

Right now there are deployed routed gateways and DHCP servers that are
violating the current RFC3203 by not implementing DHCP-AUTH. The hope
was to do something very minor (adding a new DHCP option) to these
gateways vs. implementing an HMAC/MD5 function that would be needed for a
nonce/Reconfigure Key. This argument may be quite weak, but it is what
motivated the creation of this draft.  It would seem that either
restricted forwarding topology or Reconfigure Key would provide
comparable security, so we preferred the easier option. That said, would
you be willing to alter your view if a requirement was explicitly stated
that described a restricted L2 topology?

Cheers,

David 
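
Added example (not part of the original message or of the draft under discussion): the client-side HMAC-MD5 check that a nonce/Reconfigure Key scheme requires, run against four constructed FORCERENEW messages. The message bytes, the digest offset and all function names are assumptions for illustration; only the step of zeroing the digest field and computing HMAC-MD5 over the whole message follows the DHCPv6 Reconfigure Key mechanism.

```python
import hashlib
import hmac
import os

DIGEST_LEN = 16  # HMAC-MD5 output size in bytes


def sign_forcerenew(msg_zeroed: bytes, digest_off: int, key: bytes) -> bytes:
    """Server side: fill the zeroed digest field with HMAC-MD5(key, message)."""
    mac = hmac.new(key, msg_zeroed, hashlib.md5).digest()
    return msg_zeroed[:digest_off] + mac + msg_zeroed[digest_off + DIGEST_LEN:]


def verify_forcerenew(msg: bytes, digest_off: int, key: bytes) -> bool:
    """Client side: zero the digest field, recompute, compare in constant time."""
    if digest_off < 0 or digest_off + DIGEST_LEN > len(msg):
        return False  # truncated or malformed message
    received = msg[digest_off:digest_off + DIGEST_LEN]
    zeroed = msg[:digest_off] + bytes(DIGEST_LEN) + msg[digest_off + DIGEST_LEN:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    # Constructed sample data: a stand-in byte string, not a real DHCP encoding.
    key = os.urandom(16)  # nonce the server hands the client, in the clear
    header = b"FORCERENEW|xid=0x1234|"
    off = len(header)
    template = header + bytes(DIGEST_LEN) + b"|end"

    genuine = sign_forcerenew(template, off, key)
    # Sender on another user port: never saw the nonce, so signs with a guess.
    off_path = sign_forcerenew(template, off, os.urandom(16))
    # Genuine message with one byte changed after signing.
    tampered = genuine[:-1] + b"X"
    # Sender in-line at lease time: observed the nonce, builds its own message.
    header2 = b"FORCERENEW|xid=0x9999|"
    in_line = sign_forcerenew(header2 + bytes(DIGEST_LEN) + b"|end", off, key)

    return {
        "genuine": verify_forcerenew(genuine, off, key),
        "off_path": verify_forcerenew(off_path, off, key),
        "tampered": verify_forcerenew(tampered, off, key),
        "in_line_observer": verify_forcerenew(in_line, off, key),
    }


if __name__ == "__main__":
    print(demo())
```

The check rejects senders that never saw the nonce, which is the same population a restricted forwarding topology keeps away from the client; a party in-line during the initial exchange passes it.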