
Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04

2008-12-08 13:37:35
--On Sunday, December 07, 2008 12:18:37 PM -0700 Cullen Jennings <fluffy(_at_)cisco(_dot_)com> wrote:


> I find the claim that attacks are easier to do with "VoIP Configuration
> Server Address" than the "TFTP Server Name" to be pretty dubious.

Me too.



> That said, I think this security discussion is going the wrong direction.
> What is common practice, and what I think this should suggest, is that
> DHCP can be spoofed in some cases. The correct thing to do is to secure
> the object that is retrieved via tftp.

I'm inclined to agree with this, in principle.
In practice, that requires either preconfiguration, which sort of defeats the point of using DHCP, or a closed system like firmware updates signed by a device manufacturer, where not only the network but also the user and DHCP server operator are untrusted.

If we're talking about an option which will only ever be used to tell phones where to download new firmware, then this is fine. If we're talking about an option which will be used by network operators to provide configuration to phones (in order to avoid manual configuration), or in general to provide a TFTP server address for whatever is the next step in the boot process, then "secure the object" sounds like good advice but IMHO is less practical than "configure your network to prevent DHCP spoofing".

> There are ways to mitigate DHCP spoofing but
> discussion of those is outside scope of this draft.

I agree that discussion of how to mitigate DHCP spoofing is out of scope. However, I think recommending that operators do so is appropriate.
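The "secure the object" approach discussed above, modelled in code as an added example (not part of the thread or of the draft): the client treats the TFTP server address it got from DHCP as untrusted and accepts the retrieved object only if it verifies under a key provisioned before the network was ever involved. The wire format (`TFTPOBJ1` header, 32-byte tag, payload), the key and the sample objects are all constructed for this example. It uses HMAC-SHA256 from the Python standard library so it runs offline; in the closed-system case the message describes (firmware signed by a manufacturer) a public-key signature would be used instead, so that the device holds only a verification key and cannot itself mint valid objects.

```python
import hashlib
import hmac

# Constructed format: fixed header, 32-byte HMAC-SHA256 tag, then the payload.
HEADER = b"TFTPOBJ1"
TAG_LEN = 32

# Key provisioned out of band (constructed sample value). This is the
# "preconfiguration" the thread says is needed before DHCP spoofing stops
# mattering: without it the client has nothing to check the object against.
PROVISIONED_KEY = b"constructed-example-provisioning-key"


def sign_object(key: bytes, payload: bytes) -> bytes:
    """Producer side: wrap a config/firmware payload with an integrity tag."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return HEADER + tag + payload


def verify_object(key: bytes, blob: bytes):
    """Client side: return the payload if the tag verifies, else None.

    The caller never learns *why* a blob failed; a malformed blob and a
    forged tag are treated identically so the failure path is uniform.
    """
    if not blob.startswith(HEADER) or len(blob) < len(HEADER) + TAG_LEN:
        return None
    tag = blob[len(HEADER):len(HEADER) + TAG_LEN]
    payload = blob[len(HEADER) + TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes by timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def fetch_and_apply(dhcp_tftp_server: str, fetched_blob: bytes) -> bool:
    """Boot-step policy: the DHCP-supplied server address decides only where
    the object came from, never whether it is trusted. Returns True if the
    object was accepted. (Hypothetical helper; the TFTP transfer itself is
    stood in for by the already-fetched bytes.)"""
    payload = verify_object(PROVISIONED_KEY, fetched_blob)
    if payload is None:
        return False
    # In a real client this is where the config would be applied.
    return True


def demo() -> dict:
    """Constructed scenarios showing what the provisioned key buys."""
    genuine = sign_object(PROVISIONED_KEY, b"sip_proxy=proxy.example\n")
    # Spoofed DHCP pointed the phone at a different TFTP server that hands
    # out an object under a key it made up itself.
    rogue = sign_object(b"attacker-chosen-key", b"sip_proxy=evil.example\n")
    # Same server, but the payload was altered after signing.
    tampered = genuine[:-1] + b"X"
    return {
        "genuine_from_legit_server": fetch_and_apply("192.0.2.10", genuine),
        "genuine_from_spoofed_server": fetch_and_apply("203.0.113.5", genuine),
        "rogue_object": fetch_and_apply("203.0.113.5", rogue),
        "tampered_object": fetch_and_apply("192.0.2.10", tampered),
        "unsigned_object": fetch_and_apply("192.0.2.10", b"sip_proxy=x\n"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The `genuine_from_spoofed_server` case is the point of the approach: once the object carries its own integrity proof, which server DHCP named does not matter. The cost is visible in `PROVISIONED_KEY`: it has to be on the device before the first boot, which is the trade-off the message raises against "configure your network to prevent DHCP spoofing".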


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf