[Top] [All Lists]

Re: DHCID and the use of MD5 [Re: Last Call: 'Resolution of FQDN Conflicts among DHCP Clients' to Proposed Standard]

2005-11-28 09:53:40
In message <200511261243(_dot_)21694(_dot_)mellon(_at_)fugue(_dot_)com>, Ted 
Lemon writes:
Making a hash function interchangeable in DHCID makes the conflict detection 
algorithm hugely more complicated, and possibly not workable at all.   Think 
about how that would work.

I confess that I don't see the problem.  The updater would do a DNS 
query for DHCID RRs; it would be given all of the stored records.  The 
updater would then use local policy -- that is, an ordered list of 
preferred hash functions -- until it found one that was in the 
response.  That one would be used.  If no locally-known hash functions 
are in the list, it should behave as if there were no DHCID records 
present for that name.  DNSSEC could protect against downgrade attacks.
(Speaking of which -- were I still AD, I'd ding this document for an
inadequate Security Considerations section -- apart from the 
lack of discussion of brute force attacks, you should cite 3833 for DNS 
attacks and explain what the risks are if someone can crack the hash 
function by any means, including brute force or eavesdropping on the 
wire or (perhaps) a misbehaving updater.)

If you don't agree, I'd strongly suggest using SHA-256 instead of MD5.  
Yes, it's more expensive, but I doubt that that's a major hit on 
overall system performance here.  It would also be useful to include in 
the document some discussion of upgrade strategy -- how would we ever 
switch to a new hash function?  That's non-trivial even for protocols 
designed for agility, as Eric Rescorla and I have shown.  No matter how 
it's done, this one is among the very hardest, since DNS servers would 
have to supply DHCID records for several hashes for a number of years.

                --Steven M. Bellovin,

Ietf mailing list