On 6/8/2012 3:37 AM, t.p. wrote:
> Just to make public what I have hinted at privately, I think that steps
> in section 4.1 may be somewhat underspecified.
> They give the logic a client, one which supports both DHCP and DNS, should
> follow in order to find a KDC, with DNS information being preferred.

Yes, this is because the DNS auth models are better than DHCP today AFAIK.

> One scenario outlined in section 1 is of a user having entered userid and
> passphrase and waiting to be authenticated. The steps imply a number of
> timeouts in succession without specifying what balance to take of how long
> to wait for a server to respond versus how long to keep the user waiting.

True, but this is likely to be set in the client as a flat config value,
one would think.

And if so, this is actually a good thing you bring up, Tom. My take is
that from a policy management standpoint the timeout period should be a
"policy level" control IMHO and should have both a default value and a
method of overriding it, to allow people, when they need to, to create a
more "synchronous" expectation from a responder.

> I would find it difficult to know what balance to strike without guidance.
>
> A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
> information but the Security Considerations stress the weakness of
> DHCP and recommend authenticating DHCP. What if DHCP is secure
> and DNS is not? Should DNS still be preferred?

DNSSEC is clearly beyond DHCP security models, so perhaps for a working
system this makes sense, unless you want to create an autonomous DNS
client which can exist in a pre-boot model.

Pardon my restating the obvious, but "still the issue is that DNS
services don't work until they are loaded, and DHCP is designed to work
from a firmware boot (as we all know)".

How does this fit into what NEA is supposed to provide as a baseline?

> Tom Petch
>
> ----- Original Message -----
> From: "Jeffrey Hutzelman" <jhutz@xxxxxxx>
> To: "Samuel Weiler" <weiler+secdir@xxxxxxxxxx>
> Cc: <draft-sakane-dhc-dhcpv6-kdc-option@xxxxxxxxxxxxxx>;
> <secdir@xxxxxxxx>; <ietf@xxxxxxxx>; <jhutz@xxxxxxx>
> Sent: Thursday, May 24, 2012 6:50 PM
> Subject: Re: [secdir] secdir review of
> draft-sakane-dhc-dhcpv6-kdc-option
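To make the two points in this exchange concrete (section 4.1's "DNS first, then DHCP" candidate order, and the question of how a chain of probe timeouts should relate to how long the user is kept waiting), here is an added illustration. It is example code written for this note, not code from the draft, from any Kerberos implementation, or from the people on this thread. It assumes the KDC candidates have already been obtained from DNS SRV and from the DHCPv6 option (the wire formats are not modelled), and it treats the per-probe timeout and the total budget as the "policy level" knobs with defaults discussed above: each probe gets min(per_attempt, time remaining in the total budget), so the user never waits longer than the budget even when several KDCs time out in succession. The `prefer_authenticated_source` switch, which lets an authenticated DHCP list outrank an unauthenticated DNS answer, is an assumed policy override added for illustration; the draft itself only says DNS is preferred. Hosts and probe results are constructed.

```python
"""Added example: KDC discovery order (DNS, then DHCP) under a user-facing
time budget. Hypothetical code, not from the draft or any Kerberos client."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    host: str
    port: int
    source: str          # "dns" (SRV record) or "dhcp" (KDC option)
    authenticated: bool  # DNSSEC-validated answer / authenticated DHCP


@dataclass
class TimeoutPolicy:
    # "policy level" knobs with defaults; an administrator can override either one.
    total_budget: float = 10.0   # upper bound on how long the user waits overall
    per_attempt: float = 2.0     # timeout for one KDC probe
    # Assumed override (not in the draft): let an authenticated DHCP list
    # outrank an unauthenticated DNS answer.
    prefer_authenticated_source: bool = False


def order_candidates(dns: List[Candidate], dhcp: List[Candidate],
                     policy: TimeoutPolicy) -> List[Candidate]:
    """Section 4.1 order is DNS first, then DHCP. A host:port that appears in
    both lists keeps its first position so it is not probed twice."""
    dns_first = True
    if policy.prefer_authenticated_source:
        dns_auth = bool(dns) and all(c.authenticated for c in dns)
        dhcp_auth = bool(dhcp) and all(c.authenticated for c in dhcp)
        if dhcp_auth and not dns_auth:
            dns_first = False
    merged = dns + dhcp if dns_first else dhcp + dns
    seen, ordered = set(), []
    for c in merged:
        key = (c.host.lower(), c.port)
        if key not in seen:
            seen.add(key)
            ordered.append(c)
    return ordered


Probe = Callable[[Candidate, float], bool]


def discover_kdc(dns: List[Candidate], dhcp: List[Candidate], policy: TimeoutPolicy,
                 probe: Probe, clock: Callable[[], float] = time.monotonic
                 ) -> Tuple[Optional[Candidate], List[Tuple[str, float]]]:
    """Probe candidates in order. Each probe's timeout is clamped to the time
    left in the total budget, so the sum of timeouts never exceeds the budget."""
    deadline = clock() + policy.total_budget
    attempts: List[Tuple[str, float]] = []
    for c in order_candidates(dns, dhcp, policy):
        remaining = deadline - clock()
        if remaining <= 0:
            break
        timeout = min(policy.per_attempt, remaining)
        attempts.append((c.host, round(timeout, 3)))
        if probe(c, timeout):
            return c, attempts
    return None, attempts


class FakeClock:
    """Deterministic clock for the demo; a failed probe burns its whole timeout."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def make_probe(clock: FakeClock, reachable: str) -> Probe:
    """Constructed probe: only `reachable` answers, everything else times out."""
    def probe(c: Candidate, timeout: float) -> bool:
        if c.host == reachable:
            clock.now += 0.05   # quick answer
            return True
        clock.now += timeout    # no answer: the full timeout elapses
        return False
    return probe


# Constructed sample data (not real hosts): kdc1 is advertised by both sources.
DNS_SRV = [Candidate("kdc1.example.com", 88, "dns", False),
           Candidate("kdc2.example.com", 88, "dns", False)]
DHCP_KDC = [Candidate("kdc3.example.com", 88, "dhcp", True),
            Candidate("kdc1.example.com", 88, "dhcp", True)]

if __name__ == "__main__":
    clock = FakeClock()
    policy = TimeoutPolicy(total_budget=5.0, per_attempt=2.0)
    found, tried = discover_kdc(DNS_SRV, DHCP_KDC, policy,
                                make_probe(clock, "kdc3.example.com"), clock)
    print("found:", found.host if found else None,
          "attempts:", tried, "elapsed:", clock.now)
```

With a 5 second budget and 2 second probes, the two DNS-listed KDCs consume 4 seconds and the DHCP-listed one gets only the remaining second, which is exactly the trade-off the thread says the draft leaves unspecified: the budget decides how many successive timeouts the user will sit through. Flipping `prefer_authenticated_source` on makes the authenticated DHCP list go first, which is one possible answer to the "secure DHCP, insecure DNS" question, but it is a local policy choice and not something the draft prescribes.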