On Jan 21, 2009, at 6:04 PM, Sean Shen wrote:
I think you need to step back and figure out exactly what
problem you're trying to solve by adding this capability. Just
because we could do something, doesn't mean we should.

The motivation and benefit (including advantages in relay scenarios
and IP binding) is described in section 3 of the draft.

It's possible that this is just my lack of experience with CGAs
speaking, but section 3 hasn't enlightened me on the benefit of this
proposal.

My understanding is that CGA authentication will permit a client to
verify that a DHCP message received from a server with a given address
was, in fact, sent by the server with that address. Is there a
mechanism, however, which permits the client to verify that this
server is authorized to act as a DHCP server? If not, what security
is added by signing the message?

What prevents a malicious DHCP server from generating a new CGA, using
it to sign its messages, and serving addresses to clients?

It might help me understand the benefits of this proposal if you could
describe a specific attack which it can defend against.

- Damien
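
An added example, not part of the original message or of the draft: a minimal Python sketch of the RFC 3972 address check, restricted to Sec = 0, showing the property the questions above turn on, namely that verification ties an address to a key and succeeds for whoever holds that key. The function names, the prefix and the key byte strings are constructed for illustration, and the signature check on the DHCP message itself is omitted.

```python
import hashlib
import ipaddress
import os

# Clears the 3 Sec bits and the u/g bits of a 64-bit interface identifier (RFC 3972).
CGA_MASK = 0x1CFFFFFFFFFFFFFF

def cga_hash1(modifier, prefix, collision_count, public_key):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (no extension fields)."""
    params = modifier + prefix + bytes([collision_count]) + public_key
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def generate_cga(prefix, public_key):
    """Derive a Sec=0 address from a key; returns (address, modifier)."""
    modifier = os.urandom(16)
    iid = cga_hash1(modifier, prefix, 0, public_key) & CGA_MASK  # Sec bits = 000
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify_cga(address, modifier, collision_count, public_key):
    """True if the address was derived from these parameters and this key."""
    raw = address.packed
    prefix, iid = raw[:8], int.from_bytes(raw[8:], "big")
    if collision_count not in (0, 1, 2):
        return False
    if iid >> 61 != 0:
        return False  # Sec > 0 needs the Hash2 check, outside this sketch
    hash1 = cga_hash1(modifier, prefix, collision_count, public_key)
    return (hash1 & CGA_MASK) == (iid & CGA_MASK)

def demo():
    """Two hosts, each with its own key, both produce addresses that verify."""
    prefix = ipaddress.IPv6Address("2001:db8::").packed[:8]  # documentation prefix
    # Constructed stand-ins for DER-encoded public keys.
    keys = {"known-server": b"CONSTRUCTED-KEY-A", "unknown-host": b"CONSTRUCTED-KEY-B"}
    results = {}
    for name, key in keys.items():
        addr, modifier = generate_cga(prefix, key)
        results[name] = (addr, modifier, verify_cga(addr, modifier, 0, key))
    return keys, results

if __name__ == "__main__":
    for name, (addr, _, ok) in demo()[1].items():
        print(f"{name}: {addr} verifies={ok}")
```

Both addresses verify because the check only proves that the sender of the parameters derived the address from its own key; whether that sender may act as a DHCP server has to be decided by something outside the CGA check.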