On Saturday 26 November 2005 09:56, Steven M. Bellovin wrote:
In fact, the Security Considerations section should analyze the
(non-trivial) probability of a brute-force attack.
It doesn't matter. The point of the DHCID is to allow two servers to avoid
accidentally stepping on each other. If you break the DHCID, what you get
is the ability to pretend that you are another DHCP client. If you succeed
in doing this, you can take over that DHCP client's name, but you don't get
to keep it, because you are using the same identification as the other
client, and so it's going to take it back. The information that you would
use to pretend to be the other client is routinely being sent over the
network in the clear, so you don't need to break the DHCID to get it - you
just need to listen on the wire for a packet from that client. You can't do
the attack I've described unless you are on a network managed by a DHCP
server that manages the same namespace as the server that put in the
legitimate DHCID.
It's true that we could exhaustively go over all possible exploits, no matter
how trivial, no matter how useless, in the security considerations section.
Do you honestly believe that this is necessary?
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf