Last Call Review of draft-ietf-dhc-dhcpv6-radius-opt-11

Request Review of draft-ietf-dhc-dhcpv6-radius-opt
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-05-28
Requested 2013-05-16
Authors Leaf Yeh, Mohamed Boucadair
Draft last updated 2013-05-23
Completed reviews Genart Last Call review of -11 by Martin Thomson (diff)
Genart Last Call review of -12 by Martin Thomson (diff)
Secdir Last Call review of -11 by Tero Kivinen (diff)
Assignment Reviewer Tero Kivinen 
State Completed
Review review-ietf-dhc-dhcpv6-radius-opt-11-secdir-lc-kivinen-2013-05-23
Reviewed rev. 11 (document currently at 14)
Review result Has Issues
Review completed: 2013-05-23


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document specifies a way for the NAS / DHCPv6 relay agent to
take some data it received from the RADIUS server and send it to the
DHCPv6 server. The data includes things like Delegated-IPv6-Prefix,
DNS-Server-IPv6-Address, Delegated-IPv6-Prefix-Pool, etc.

In addition to those, the IANA registry specifying which options should
be forwarded includes Vendor-Specific.

The connection between the NAS / DHCPv6 relay agent and the RADIUS server
might be protected (encrypted with IPsec), but the connection between the
DHCPv6 relay agent and the DHCPv6 server does not have that
possibility (as far as I understand things).

For most of the values forwarded that does not matter, as they are
public to the network anyway, and as
draft-ietf-dhc-dhcpv6-radius-opt-11 says, the NAS is a trusted network
component. For Vendor-Specific that might not be true. It might be
that the vendor-specific options returned from the RADIUS server
contain something that might not be public, and as the NAS / DHCPv6
relay agent does not have to select which parts of that to forward (it
will forward all of them), that might leak that vendor-specific
information to the network even when the connection between the NAS and
the RADIUS server was protected.

I have no idea whether someone might use vendor-specific RADIUS
options in such a way that this might cause problems, but perhaps adding
a note about this to the security considerations section might be

As a (bad) example of such practice: some ISP somewhere decides to add
the birthdate of the customer as a vendor-specific option in RADIUS, so
they can filter out the web sites which are allowed to be accessed from
that client, and as that information has privacy concerns, they make
sure that the connection between the NAS and the RADIUS server is
encrypted. Now when this protocol is deployed those options get relayed
to the DHCPv6 server in the clear, which might not be what the ISP
expected...
kivinen at
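The leak the review describes, as an added example that is not part of the review or of the draft: a relay agent packs the RADIUS attributes it received into a DHCPv6 option and forwards them as-is, so a Vendor-Specific attribute carrying a private value (here a constructed customer birthdate, following the reviewer's hypothetical) appears verbatim in the relay-to-server message. The same code shows the mitigation a relay could apply, an allowlist of attribute types before forwarding. Assumptions, none of which come from the page: the DHCPv6 option code 81 and the "option-code, option-len, then RADIUS attributes in RADIUS wire format" layout; the RADIUS attribute numbers 26 (Vendor-Specific), 123 (Delegated-IPv6-Prefix) and 169 (DNS-Server-IPv6-Address) from RFC 2865, RFC 4818 and RFC 6911; and a made-up vendor id 99999.

```python
"""Added illustration: RADIUS attributes relayed into a DHCPv6 option,
with and without filtering of Vendor-Specific attributes.
Not code from draft-ietf-dhc-dhcpv6-radius-opt or the secdir review."""
from __future__ import annotations

import ipaddress
import struct

# RADIUS attribute type codes (RFC 2865, RFC 4818, RFC 6911).
VENDOR_SPECIFIC = 26
DELEGATED_IPV6_PREFIX = 123
DNS_SERVER_IPV6_ADDRESS = 169

# DHCPv6 option code carrying the RADIUS attributes. Assumed for this
# example; use whatever IANA assigns for the draft.
OPTION_RADIUS = 81

# Attribute types a cautious relay would forward: public network config only.
FORWARD_ALLOWLIST = {DELEGATED_IPV6_PREFIX, DNS_SERVER_IPV6_ADDRESS}


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute in wire form: Type(1) Length(1) Value(Length-2)."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def delegated_prefix_attr(prefix: str) -> bytes:
    """RFC 4818 layout: Reserved(1) Prefix-Length(1) Prefix(ceil(len/8) bytes)."""
    net = ipaddress.IPv6Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    value = bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes]
    return radius_attr(DELEGATED_IPV6_PREFIX, value)


def dns_server_attr(addr: str) -> bytes:
    return radius_attr(DNS_SERVER_IPV6_ADDRESS, ipaddress.IPv6Address(addr).packed)


def vendor_specific_attr(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """RFC 2865 s5.26 layout: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) data."""
    vsa = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    return radius_attr(VENDOR_SPECIFIC, vsa)


def parse_radius_attrs(blob: bytes) -> list:
    """Split a run of RADIUS attributes into (type, value) pairs, checking lengths."""
    out = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def build_option_radius(attrs: list, allowed: set | None = None) -> bytes:
    """DHCPv6 option: option-code(2) option-len(2) then the RADIUS attributes.
    With allowed=None the relay forwards everything it got from RADIUS (the
    behaviour the review worries about); with an allowlist it drops the rest."""
    body = b"".join(a for a in attrs if allowed is None or a[0] in allowed)
    return struct.pack("!HH", OPTION_RADIUS, len(body)) + body


def parse_option_radius(opt: bytes) -> list:
    code, length = struct.unpack("!HH", opt[:4])
    if code != OPTION_RADIUS or len(opt) != 4 + length:
        raise ValueError("not a well-formed RADIUS option")
    return parse_radius_attrs(opt[4:])


# Constructed sample: what the NAS received over its (possibly IPsec-protected)
# RADIUS session, including a private value in a Vendor-Specific attribute.
SAMPLE_ATTRS = [
    delegated_prefix_attr("2001:db8:1::/48"),
    dns_server_attr("2001:db8::53"),
    vendor_specific_attr(99999, 1, b"1970-01-01"),  # hypothetical customer birthdate
]


def relay_forward_unfiltered() -> bytes:
    return build_option_radius(SAMPLE_ATTRS)


def relay_forward_filtered() -> bytes:
    return build_option_radius(SAMPLE_ATTRS, FORWARD_ALLOWLIST)


if __name__ == "__main__":
    print("unfiltered:", relay_forward_unfiltered().hex())
    print("filtered:  ", relay_forward_filtered().hex())
```

The unfiltered option bytes contain the birthdate string verbatim, which is exactly what would travel to the DHCPv6 server without the protection the RADIUS leg had; the filtered variant keeps only the two public-configuration attributes.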