The Authentication Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Option
draft-ietf-dhc-auth-suboption-05
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
05 | (System) | post-migration administrative database adjustment to the No Objection position for Thomas Narten |
2012-08-22
|
05 | (System) | post-migration administrative database adjustment to the No Objection position for Allison Mankin |
2012-08-22
|
05 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2004-09-21
|
05 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2004-09-20
|
05 | Amy Vezza | IESG state changed to Approved-announcement sent |
2004-09-20
|
05 | Amy Vezza | IESG has approved the document |
2004-09-20
|
05 | Amy Vezza | Closed "Approve" ballot |
2004-09-20
|
05 | Amy Vezza | [Ballot Position Update] Position for Allison Mankin has been changed to No Objection from Discuss by Amy Vezza |
2004-09-17
|
05 | (System) | Removed from agenda for telechat - 2004-09-16 |
2004-09-16
|
05 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Amy Vezza |
2004-09-16
|
05 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2004-09-15
|
05 | Margaret Cullen | Placed on agenda for telechat - 2004-09-16 by Margaret Wasserman |
2004-09-09
|
05 | Margaret Cullen | [Note]: 'On agenda to determine if response from authors (in comment) have satisfied Allison''s discuss.' added by Margaret Wasserman |
2004-09-09
|
05 | Margaret Cullen | Allison, here is the answer that Ted Lemon sent regarding your discuss. Retransmission is properly covered in the DHCP draft, and it is not up … Allison, here is the answer that Ted Lemon sent regarding your discuss. Retransmission is properly covered in the DHCP draft, and it is not up to a subagent to decide how/when retransmission will happen. Does this resolve your issue, or do you think we need changes to this document? >Cc: Mark Stapp , Allison Mankin , > Ralph Droms >From: Ted Lemon >Subject: Re: New version of draft-ietf-dhc-auth-suboption-05.txt >Date: Thu, 26 Aug 2004 12:16:32 -0500 >To: Margaret Wasserman , > Thomas Narten [...] >Anyway, the handling of exponential backoff is orthogonal to this draft - this just describes the format of a DHCP option and the way it's used. The DHCP draft (RFC2131) does specify the use of exponential backoff, so a correct implementation will not have the problem Alison asked about, although tragically there is no shortage of incorrect implementations that retransmit much too frequently. > >How would you like this dealt with? Do you think we need additional verbiage in the draft because implementors of RFC2131 aren't unanimous in their current support of exponential backoff? We could, for example, remind readers that RFC2131 requires exponential backoff, and explain why it's important in this case. > >However, since relay agents don't drive the protocol (they don't choose when to retry) there is still the problem that a reader of this draft is probably not in a position to do anything about the retry frequency problem. Requiring that the relay agent drop too-frequent retries would address this problem, but historically we've tried to avoid requiring relay agents to maintain state about clients. > |
2004-08-30
|
05 | Thomas Narten | [Ballot Position Update] Position for Thomas Narten has been changed to No Objection from Discuss by Thomas Narten |
2004-08-26
|
05 | Margaret Cullen | Latest draft seems to address Thomas' discuss, but not Allison's. Sent note to Thomas requesting review and to authors requesting status of changes to address … Latest draft seems to address Thomas' discuss, but not Allison's. Sent note to Thomas requesting review and to authors requesting status of changes to address Allison's issue (exponential back off for UDP retries). |
2004-08-11
|
05 | (System) | New version available: draft-ietf-dhc-auth-suboption-05.txt |
2004-08-08
|
05 | Margaret Cullen | Sent message to authors requesting clarification on how/if discuss issues have been addressed: To: Ted Lemon , Mark Stapp From: Margaret Wasserman Subject: draft-ietf-dhc-auth-suboption-04.txt Cc: … Sent message to authors requesting clarification on how/if discuss issues have been addressed: To: Ted Lemon , Mark Stapp From: Margaret Wasserman Subject: draft-ietf-dhc-auth-suboption-04.txt Cc: Allison Mankin Hi Ted and Mark, There has been an update to draft-ietf-dhc-auth-suboption-04.txt, but I couldn't find how/where it addresses the remaining discuss comments from Allison and Thomas (included below). If you intended for the new version to address Allison's and Thomas' comments, could you please explain how they have been addressed? If you have not addressed them yet, when should we expect a new version that does address them? Thanks, Margaret Allison Mankin: Discuss: [2004-02-19] Â My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is a Transport Discuss. 13.1 Protocol Vulnerabilities Because DHCP is a UDP protocol, messages between relays and servers may be delivered in a different order than the order in which they were generated. The replay-detection mechanism will cause receivers to drop packets which are delivered 'late', leading to client retries. The retry mechanisms which most clients implement should not cause this to be an enormous issue, but it will cause senders to do computational work which will be wasted if their messages are re-ordered. In addition, are client retries exponentially backed off? Otherwise use of this suboption by many clients in any bursty event has the potential to cause a congestion problem. Surge of sends, a significant number experience the relay misordering and get dropped, and the retries kick in from many clients. If retransmissions are backed-off, little problem. If not, besides congestion, there are also likely to be more replay drops. So when clients implement this sub-option, it's suggested they update their retransmission. Comment: [2004-02-19] Is there still a difference between DHCP, and say SIP, in whether a vendor must implement security mechanisms such as these sub-options? Thomas Narten: Discuss: [2004-02-19] > All implementations MUST support Algorithm 1, the HMAC-MD5 > algorithm. Additional algorithms may be defined in the future, > following the process described in Section 12. Note: HMAC-SHA1 is considered to be superior to HMAC-MD5, so is preferred. Is there a reason to support HMAC-MD5 at all? If there is no installed base to interoperate with, it would be preferable to just use HMAC-SHA1. There are a couple of places early on where the document suggests that the authentication check only covers the relay agent options (as opposed to all including those supplied by the client). Later, it is clear that the entire packet (excluding the fields that change). Would be good to fix the earlier wording. E.g.,: > The Authentication suboption is included by relay agents that wish > to ensure the integrity of the data they include in the Relay Agent > option. > The goal of this specification is to define methods that a relay > agent can use to: > 1. protect the integrity of the data that the relay adds |
2004-07-14
|
05 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2004-07-14
|
05 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2004-07-14
|
04 | (System) | New version available: draft-ietf-dhc-auth-suboption-04.txt |
2004-02-19
|
05 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2004-02-19
|
05 | Amy Vezza | [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Amy Vezza |
2004-02-19
|
05 | Thomas Narten | [Ballot discuss] > All implementations MUST support Algorithm 1, the HMAC-MD5 > algorithm. Additional algorithms may be defined in the future, > … [Ballot discuss] > All implementations MUST support Algorithm 1, the HMAC-MD5 > algorithm. Additional algorithms may be defined in the future, > following the process described in Section 12. Note: HMAC-SHA1 is considered to be superior to HMAC-MD5, so is preferred. Is there a reason to support HMAC-MD5 at all? If there is no installed base to interoperate with, it would be preferable to just use HMAC-SHA1. There are a couple of places early on where the document suggests that the authentication check only covers the relay agent options (as opposed to all including those supplied by the client). Later, it is clear that the entire packet (excluding the fields that change). Would be good to fix the earlier wording. E.g.,: > The Authentication suboption is included by relay agents that wish > to ensure the integrity of the data they include in the Relay Agent > option. > The goal of this specification is to define methods that a relay > agent can use to: > 1. protect the integrity of the data that the relay adds |
2004-02-19
|
05 | Thomas Narten | [Ballot Position Update] New position, Discuss, has been recorded for Thomas Narten by Thomas Narten |
2004-02-19
|
05 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2004-02-19
|
05 | Allison Mankin | [Ballot discuss] My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is … [Ballot discuss] My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is a Transport Discuss. 13.1 Protocol Vulnerabilities Because DHCP is a UDP protocol, messages between relays and servers may be delivered in a different order than the order in which they were generated. The replay-detection mechanism will cause receivers to drop packets which are delivered 'late', leading to client retries. The retry mechanisms which most clients implement should not cause this to be an enormous issue, but it will cause senders to do computational work which will be wasted if their messages are re-ordered. In addition, are client retries exponentially backed off? Otherwise use of this suboption by many clients in any bursty event has the potential to cause a congestion problem. Surge of sends, a significant number experience the relay misordering and get dropped, and the retries kick in from many clients. If retransmissions are backed-off, little problem. If not, besides congestion, there are also likely to be more replay drops. So when clients implement this sub-option, it's suggested they update their retransmission. |
2004-02-19
|
05 | Allison Mankin | [Ballot discuss] My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is … [Ballot discuss] My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is a Transport Discuss. 13.1 Protocol Vulnerabilities Because DHCP is a UDP protocol, messages between relays and servers may be delivered in a different order than the order in which they were generated. The replay-detection mechanism will cause receivers to drop packets which are delivered 'late', leading to client retries. The retry mechanisms which most clients implement should not cause this to be an enormous issue, but it will cause senders to do computational work which will be wasted if their messages are re-ordered. In addition, are client retries exponentially backed off? Otherwise use of this suboption by many clients in any bursty event has the potential to cause a congestion problem. Surge of sends, a significant number experience the relay misordering and get dropped, and the retries kick in from many clients. If retransmissions are backed-off, little problem. If not, besides congestion, there are also likely to be more replay drops. So when clients modify to implement this sub-option, can they check their retransmission? |
2004-02-19
|
05 | Allison Mankin | [Ballot discuss] Because relay agents are involved when clients reboot, periods of very high reboot activity will result in the largest number of … [Ballot discuss] Because relay agents are involved when clients reboot, periods of very high reboot activity will result in the largest number of messages which have to be signed and verified. During a cable MSO head-end reboot event, for example, the time required for all clients to be served may increase. My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is a Transport Discuss. 13.1 Protocol Vulnerabilities Because DHCP is a UDP protocol, messages between relays and servers may be delivered in a different order than the order in which they were generated. The replay-detection mechanism will cause receivers to drop packets which are delivered 'late', leading to client retries. The retry mechanisms which most clients implement should not cause this to be an enormous issue, but it will cause senders to do computational work which will be wasted if their messages are re-ordered. In addition, are DHCP retries exponentially backed off? Otherwise use of this suboption by many clients when a server first comes up has the potential to cause a congestion problem. Surge of sends, a number delayed in processing and dropped, synchronized, quick retries lead to another round of congestion and more drops. May be useful here: a small random +/- on the time of "late" delivery at which the replay drop is performed. (If the security experts don't raise a concern). |
2004-02-19
|
05 | Allison Mankin | [Ballot comment] Is there still a difference between DHCP, and say SIP, in whether a vendor must implement security mechanisms such as these sub-options? |
2004-02-19
|
05 | Allison Mankin | [Ballot discuss] Because relay agents are involved when clients reboot, periods of very high reboot activity will result in the largest number of … [Ballot discuss] Because relay agents are involved when clients reboot, periods of very high reboot activity will result in the largest number of messages which have to be signed and verified. During a cable MSO head-end reboot event, for example, the time required for all clients to be served may increase. My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is a Transport Discuss. 13.1 Protocol Vulnerabilities Because DHCP is a UDP protocol, messages between relays and servers may be delivered in a different order than the order in which they were generated. The replay-detection mechanism will cause receivers to drop packets which are delivered 'late', leading to client retries. The retry mechanisms which most clients implement should not cause this to be an enormous issue, but it will cause senders to do computational work which will be wasted if their messages are re-ordered. There could be a liveness problem if the both first tries and retries often have misorderings. In addition, are the retries exponentially backed off? Otherwise use of this suboption by many clients when a server first comes up has the potential to cause a congestion problem. Possible remedy: a small random factor on how "late" delivery is OK before the replay drop is performed. (If the security people would say yes). |
2004-02-19
|
05 | Allison Mankin | [Ballot comment] Is there still a difference between DHCP, and say SIP, in the question of whether a vendor must implement security mechanisms such as … [Ballot comment] Is there still a difference between DHCP, and say SIP, in the question of whether a vendor must implement security mechanisms such as these sub-options? |
2004-02-19
|
05 | Allison Mankin | [Ballot discuss] Because relay agents are involved when clients reboot, periods of very high reboot activity will result in the largest number of … [Ballot discuss] Because relay agents are involved when clients reboot, periods of very high reboot activity will result in the largest number of messages which have to be signed and verified. During a cable MSO head-end reboot event, for example, the time required for all clients to be served may increase. My earlier issues about stating the applicability of this suboption versus the IPsec suboption have been handled (though see non-blocking comment). Below is a Transport Discuss. 13.1 Protocol Vulnerabilities Because DHCP is a UDP protocol, messages between relays and servers may be delivered in a different order than the order in which they were generated. The replay-detection mechanism will cause receivers to drop packets which are delivered 'late', leading to client retries. The retry mechanisms which most clients implement should not cause this to be an enormous issue, but it will cause senders to do computational work which will be wasted if their messages are re-ordered. There could be a liveness problem if the both first tries and retries often have misorderings. In addition, are the retries exponentially backed off? Otherwise use of this suboption by many clients when a server first comes up has the potential to cause a congestion problem. Possible remedy: a small random factor on how "late" delivery is OK before the replay drop is performed. (If the security people would say yes). |
2004-02-19
|
05 | Allison Mankin | [Ballot Position Update] New position, Discuss, has been recorded for Allison Mankin by Allison Mankin |
2004-02-19
|
05 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson |
2004-02-19
|
05 | Ned Freed | [Ballot Position Update] New position, No Objection, has been recorded for Ned Freed by Ned Freed |
2004-02-18
|
05 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
2004-02-18
|
05 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2004-02-18
|
05 | Steven Bellovin | [Ballot Position Update] New position, No Objection, has been recorded for Steve Bellovin by Steve Bellovin |
2004-02-18
|
05 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2004-02-17
|
05 | Ted Hardie | [Ballot comment] The draft contains the following text in Section 11: DHCP servers may interact with multiple relay agents. Server implementations MAY support … [Ballot comment] The draft contains the following text in Section 11: DHCP servers may interact with multiple relay agents. Server implementations MAY support configuration that associates the same algorithm and key with all relay agents. Servers MAY support configuration which specifies the algorithm and key to use with each relay agent individually. This key management choices are not then discussed in the Security Considerations section. Since that section does discuss the choice between using the IPSec mechanism for authentication (with its related key management implications), it seems like it would be useful to mention it there. This is particularly true because of the Security considerations text here: If IPsec is not available or there are multiple relay agents for which multiple keys must be managed, the protocol described in this document may be appropriate. |
2004-02-17
|
05 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie |
2004-02-17
|
05 | Russ Housley | [Ballot discuss] The Introduction says that the goal of the document is integrity protection and replay protection, while leveraging existing mechanisms. The Abstract … [Ballot discuss] The Introduction says that the goal of the document is integrity protection and replay protection, while leveraging existing mechanisms. The Abstract talks about authentication and integrity protection. These need to be harmonized. |
2004-02-17
|
05 | Russ Housley | [Ballot comment] This document uses 'signature' improperly. See the definition of 'digital signature' in RFC 2828. The discussion under "$ message authentication … [Ballot comment] This document uses 'signature' improperly. See the definition of 'digital signature' in RFC 2828. The discussion under "$ message authentication code vs. Message Authentication Code (MAC)" may help the authors select a better word. I am willing to let the current usage stand for compatibility with previously published documents. I would really like to see a paragraph added to the terminology discussion that makes it clear what 'signature' means in this document. The 'DISCUSSION' paragraph in section 7.1 ought to be in the Security Considerations. Please change 'IPSEC' to 'IPsec' (the title of the referenced document will be changed to reflect this convention prior to publication). |
2004-02-17
|
05 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2004-02-13
|
05 | Margaret Cullen | [Note]: 'This document will need to have wording added (similar to what we are planning to add to draft-ietf-dhc-relay-agent-ipsec) to explain the relationship between … [Note]: 'This document will need to have wording added (similar to what we are planning to add to draft-ietf-dhc-relay-agent-ipsec) to explain the relationship between the two relay agent authentication choices. In the meantime, I would like to get this document reviewed so that we can determine if there are any technical (or other) issues that need to be resolved before publication.' has been cleared by Margaret Wasserman |
2004-02-12
|
05 | Margaret Cullen | [Ballot Position Update] New position, Yes, has been recorded for Margaret Wasserman |
2004-02-12
|
05 | Margaret Cullen | Ballot has been issued by Margaret Wasserman |
2004-02-12
|
05 | Margaret Cullen | Created "Approve" ballot |
2004-02-12
|
05 | Margaret Cullen | [Note]: 'This document will need to have wording added (similar to what we are planning to add to draft-ietf-dhc-relay-agent-ipsec) to explain the relationship between … [Note]: 'This document will need to have wording added (similar to what we are planning to add to draft-ietf-dhc-relay-agent-ipsec) to explain the relationship between the two relay agent authentication choices. In the meantime, I would like to get this document reviewed so that we can determine if there are any technical (or other) issues that need to be resolved before publication.' added by Margaret Wasserman |
2004-02-12
|
05 | Margaret Cullen | State Changes to IESG Evaluation from Waiting for Writeup by Margaret Wasserman |
2004-02-12
|
05 | Margaret Cullen | [Note]: 'This document will need to have wording added (similar to what we are planning to add to draft-ietf-dhc-relay-agent-ipsec) to explain the relationship between … [Note]: 'This document will need to have wording added (similar to what we are planning to add to draft-ietf-dhc-relay-agent-ipsec) to explain the relationship between the two relay agent authentication choices.' added by Margaret Wasserman |
2004-02-06
|
03 | (System) | New version available: draft-ietf-dhc-auth-suboption-03.txt |
2004-02-02
|
05 | (System) | State has been changed to Waiting for Writeup from In Last Call by system |
2004-02-02
|
05 | Margaret Cullen | Placed on agenda for telechat - 2004-02-19 by Margaret Wasserman |
2004-01-19
|
05 | Amy Vezza | Last call sent |
2004-01-19
|
05 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2004-01-19
|
05 | Margaret Cullen | Last Call was requested by Margaret Wasserman |
2004-01-19
|
05 | (System) | Ballot writeup text was added |
2004-01-19
|
05 | (System) | Last call text was added |
2004-01-19
|
05 | (System) | Ballot approval text was added |
2004-01-19
|
05 | Margaret Cullen | State Changes to Last Call Requested from Publication Requested by Margaret Wasserman |
2003-10-24
|
02 | (System) | New version available: draft-ietf-dhc-auth-suboption-02.txt |
2002-11-05
|
01 | (System) | New version available: draft-ietf-dhc-auth-suboption-01.txt |
2002-06-25
|
00 | (System) | New version available: draft-ietf-dhc-auth-suboption-00.txt |