The Authentication Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Option
RFC 4030
Note: This ballot was opened for revision 05 and is now closed.
(Margaret Cullen; former steering group member) Yes
(Alex Zinin; former steering group member) No Objection
(Allison Mankin; former steering group member) (was Discuss) No Objection
Is there still a difference between DHCP, and say SIP, in whether a vendor must implement security mechanisms such as these sub-options?
(Bert Wijnen; former steering group member) No Objection
(Bill Fenner; former steering group member) No Objection
(David Kessens; former steering group member) No Objection
(Harald Alvestrand; former steering group member) No Objection
(Jon Peterson; former steering group member) No Objection
(Ned Freed; former steering group member) No Objection
(Russ Housley; former steering group member) (was Discuss) No Objection
This document uses 'signature' improperly. See the definition of 'digital signature' in RFC 2828. The discussion under "$ message authentication code vs. Message Authentication Code (MAC)" may help the authors select a better word. I am willing to let the current usage stand for compatibility with previously published documents. I would really like to see a paragraph added to the terminology discussion that makes it clear what 'signature' means in this document.
The 'DISCUSSION' paragraph in section 7.1 ought to be in the Security Considerations.
Please change 'IPSEC' to 'IPsec' (the title of the referenced document will be changed to reflect this convention prior to publication).
(Scott Hollenbeck; former steering group member) No Objection
(Steven Bellovin; former steering group member) No Objection
(Ted Hardie; former steering group member) No Objection
The draft contains the following text in Section 11:
    DHCP servers may interact with multiple relay agents. Server implementations MAY support configuration that associates the same algorithm and key with all relay agents. Servers MAY support configuration which specifies the algorithm and key to use with each relay agent individually.
These key management choices are not then discussed in the Security Considerations section. Since that section does discuss the choice between using the IPsec mechanism for authentication (with its related key management implications), it seems like it would be useful to mention it there. This is particularly true because of the Security Considerations text here:
    If IPsec is not available or there are multiple relay agents for which multiple keys must be managed, the protocol described in this document may be appropriate.
(Thomas Narten; former steering group member) (was Discuss) No Objection