ietf
[Top] [All Lists]

Re: Gen-ART LC Review of draft-ietf-dhc-forcerenew-nonce-03

2012-02-14 10:46:25
On Feb 14, 2012, at 5:23 AM, Maglione Roberta wrote:
Please let me know if you have additional comments.

Thanks!   I think you should change this text in the introduction:


The mandatory authentication was
   originally motivated by a legitimate security concern whereby in some
   network environments DHCP messages can be spoofed and an attacker
   could more accurately guess the timing of DHCP renewal messages by
   first sending a FORCERENEW message.  However, in some networks native
   security mechanisms already provide sufficient protection against
   spoofing of DHCP traffic.  An example of such network is a Broadband
   Forum TR-101 [TR-101i2] compliant access network.  In such
   environments the mandatory coupling between FORCERENEW and DHCP
   Authentication [RFC3118] can be relaxed and a lighter authentication
   mechanism can be used for the FORCERENEW message.

To this:

[paragraph break]
The motivation for making authentication mandatory in DHCPFORCERENEW was to 
prevent an off-network attacker from taking advantage of DHCPFORCERENEW to 
accurately predict the timing of a DHCP renewal.   Without DHCPFORCERENEW, DHCP 
renewal timing is under the control of the client, and an off-network attacker 
has no way of predicting when it will happen, since it doesn't have access to 
the exchange between the DHCP client and DHCP server.

However, the requirement to use the DHCP authentication described in RFC3118 is 
more stringent than is required for this use case, and has limited adoption of 
DHCPFORCERENEW.   RFC3315 defines an authentication protocol using a nonce to 
prevent off-network attackers from successfully causing clients to renew.   
Since the off-network attacker doesn't have access to the nonce, it can't trick 
the client into renewing at a time of its choosing.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf