|
On Feb 14, 2012, at 5:23 AM, Maglione Roberta wrote:
Please let me know if you have additional comments. Thanks! I think you should change this text in the introduction:
The mandatory authentication was originally motivated by a legitimate security concern whereby in some network environments DHCP messages can be spoofed and an attacker could more accurately guess the timing of DHCP renewal messages by first sending a FORCERENEW message. However, in some networks native security mechanisms already provide sufficient protection against spoofing of DHCP traffic. An example of such network is a Broadband Forum TR-101 [TR-101i2] compliant access network. In such environments the mandatory coupling between FORCERENEW and DHCP Authentication [RFC3118] can be relaxed and a lighter authentication mechanism can be used for the FORCERENEW message. To this:
[paragraph break]
The motivation for making authentication mandatory in DHCPFORCERENEW was to prevent an off-network attacker from taking advantage of DHCPFORCERENEW to accurately predict the timing of a DHCP renewal. Without DHCPFORCERENEW, DHCP renewal timing is under
the control of the client, and an off-network attacker has no way of predicting when it will happen, since it doesn't have access to the exchange between the DHCP client and DHCP server.
However, the requirement to use the DHCP authentication described in RFC3118 is more stringent than is required for this use case, and has limited adoption of DHCPFORCERENEW. RFC3315 defines an authentication protocol using a nonce to prevent off-network
attackers from successfully causing clients to renew. Since the off-network attacker doesn't have access to the nonce, it can't trick the client into renewing at a time of its choosing.
|
_______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf