On Feb 14, 2012, at 5:23 AM, Maglione Roberta wrote:
Please let me know if you have additional comments.
Thanks! I think you should change this text in the introduction:
The mandatory authentication was
originally motivated by a legitimate security concern whereby in some
network environments DHCP messages can be spoofed and an attacker
could more accurately guess the timing of DHCP renewal messages by
first sending a FORCERENEW message. However, in some networks native
security mechanisms already provide sufficient protection against
spoofing of DHCP traffic. An example of such network is a Broadband
Forum TR-101 [TR-101i2] compliant access network. In such
environments the mandatory coupling between FORCERENEW and DHCP
Authentication [RFC3118] can be relaxed and a lighter authentication
mechanism can be used for the FORCERENEW message.
To this:
[paragraph break]
The motivation for making authentication mandatory in DHCPFORCERENEW was to
prevent an off-network attacker from taking advantage of DHCPFORCERENEW to
accurately predict the timing of a DHCP renewal. Without DHCPFORCERENEW, DHCP
renewal timing is under the control of the client, and an off-network attacker
has no way of predicting when it will happen, since it doesn't have access to
the exchange between the DHCP client and DHCP server.
However, the requirement to use the DHCP authentication described in RFC3118 is
more stringent than is required for this use case, and has limited adoption of
DHCPFORCERENEW. RFC3315 defines an authentication protocol using a nonce to
prevent off-network attackers from successfully causing clients to renew.
Since the off-network attacker doesn't have access to the nonce, it can't trick
the client into renewing at a time of its choosing.
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
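To make the nonce argument in the reply above concrete, here is an added, constructed model of nonce-based FORCERENEW authentication. It is an editor's illustration, not text or code from the draft, RFC 3118, RFC 3315 or any DHCP implementation, and it deliberately uses a toy message encoding rather than the DHCP wire format. It assumes (hypothetically) that the server hands the client a random nonce with its lease, that each FORCERENEW carries an HMAC-MD5 over the message keyed with that nonce (the keyed-hash construction RFC 3315's reconfigure-key scheme uses), and that the client rejects any FORCERENEW whose HMAC does not verify. The point it demonstrates is the one the reply makes: a party that never saw the lease exchange has no nonce, so it cannot produce a FORCERENEW the client will accept, nor alter one it captured.

```python
import hashlib
import hmac
import os
import struct

# Constructed, simplified model (not the DHCP wire format).
NONCE_LEN = 16   # assumption: 128-bit random nonce issued per lease
MAC_LEN = 16     # HMAC-MD5 digest length


def issue_nonce() -> bytes:
    """Server side: a fresh nonce handed to the client together with its lease.
    It never travels on its own, so an off-network party never learns it."""
    return os.urandom(NONCE_LEN)


def _encode(client_id: bytes, xid: int, mac: bytes) -> bytes:
    """Toy encoding: 1-byte client-id length, client-id, 4-byte xid, MAC."""
    return struct.pack("!B", len(client_id)) + client_id + struct.pack("!I", xid) + mac


def build_forcerenew(nonce: bytes, client_id: bytes, xid: int) -> bytes:
    """Server side: HMAC is computed over the message with the MAC field zeroed."""
    body = _encode(client_id, xid, b"\x00" * MAC_LEN)
    mac = hmac.new(nonce, body, hashlib.md5).digest()
    return _encode(client_id, xid, mac)


def parse_forcerenew(msg: bytes):
    """Split a message into (client_id, xid, mac); raise ValueError on bad length."""
    n = msg[0]
    client_id = msg[1:1 + n]
    xid = struct.unpack("!I", msg[1 + n:5 + n])[0]
    mac = msg[5 + n:5 + n + MAC_LEN]
    if len(client_id) != n or len(msg) != 5 + n + MAC_LEN:
        raise ValueError("malformed FORCERENEW")
    return client_id, xid, mac


def verify_forcerenew(nonce: bytes, msg: bytes, expected_client_id: bytes) -> bool:
    """Client side: accept only if the message is for us and the HMAC verifies
    under the nonce we received with our lease. Constant-time comparison."""
    try:
        client_id, xid, mac = parse_forcerenew(msg)
    except (ValueError, IndexError, struct.error):
        return False
    if client_id != expected_client_id:
        return False
    body = _encode(client_id, xid, b"\x00" * MAC_LEN)
    expected = hmac.new(nonce, body, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Three cases: the real server, a sender without the nonce, and a tampered copy."""
    client_id = b"client-01"            # constructed client identifier
    nonce = issue_nonce()               # shared only via the lease exchange
    genuine = build_forcerenew(nonce, client_id, xid=0x1234)

    # A sender that never saw the lease exchange can only guess a nonce.
    guessed_nonce = os.urandom(NONCE_LEN)
    forged = build_forcerenew(guessed_nonce, client_id, xid=0x1234)

    # A captured genuine message with its xid altered no longer verifies.
    tampered = bytearray(genuine)
    tampered[1 + len(client_id) + 3] ^= 0x01
    tampered = bytes(tampered)

    return {
        "genuine": verify_forcerenew(nonce, genuine, client_id),
        "forged": verify_forcerenew(nonce, forged, client_id),
        "tampered": verify_forcerenew(nonce, tampered, client_id),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'genuine': True, 'forged': False, 'tampered': False}`: the client's check depends only on knowing the nonce, which is why the reply argues it is sufficient against an off-network party while being far lighter than full RFC 3118 authentication.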