[13739] in cryptography@c2.net mail archive


Re: Attacking networks using DHCP, DNS - probably kills DNSSEC

daemon@ATHENA.MIT.EDU (William Allen Simpson)
Mon Jun 30 14:20:52 2003

X-Original-To: cryptography@metzdowd.com
Date: Mon, 30 Jun 2003 13:05:38 -0400
From: William Allen Simpson <wsimpson@greendragon.com>
To: cryptography@metzdowd.com
Cc: cypherpunks@lne.com

"Steven M. Bellovin" wrote:
> 
> In message <iluof0gh7vy.fsf@latte.josefsson.org>, Simon Josefsson writes:
> >Of course, everything fails if you ALSO get your DNSSEC root key from
> >the DHCP server, but in this case you shouldn't expect to be secure.
> >I wouldn't be surprised if some people suggest pushing the DNSSEC root
> >key via DHCP though, because alas, getting the right key into the
> >laptop in the first place is a difficult problem.
> >
> 
> I can pretty much guarantee that the IETF will never standardize that,
> except possibly in conjunction with authenticated dhcp.
> 
Would this be the DHCP working group that on at least 2 occasions 
when I was there, insisted that secure DHCP wouldn't require a secret, 
since DHCP isn't supposed to require "configuration"?

And all I was proposing at the time was username, challenge, MD5-hash
response (very CHAP-like).  They can configure ARP addresses for 
"security", but having both the user and administrator configure a per
host secret was apparently out of the question.
-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
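
The "username, challenge, MD5-hash response" scheme mentioned in the message above, sketched as an added example that is not part of the original post or of any DHCP specification. The response formula is the CHAP one from RFC 1994; the `Server` class, the host name and the secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed per-host secret, configured by both the user and the administrator.
HOST_SECRETS = {"laptop-17": b"constructed-per-host-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge).

    MD5 mirrors the 2003 proposal; a current design would use HMAC-SHA-256.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Server:
    """Hypothetical server-side verifier that issues single-use challenges."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}  # username -> (identifier, challenge)
        self.next_id = 0

    def issue_challenge(self, username):
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)  # fresh and unpredictable per attempt
        self.pending[username] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, username, identifier, response):
        # pop() consumes the challenge, so a captured response cannot be replayed.
        outstanding = self.pending.pop(username, None)
        secret = self.secrets.get(username)
        if outstanding is None or secret is None or outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, secret, outstanding[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(server, username, client_secret):
    """Client side: answer the challenge; returns (accepted, identifier, response)."""
    identifier, challenge = server.issue_challenge(username)
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(username, identifier, response), identifier, response
```

The secret never crosses the wire, but both ends must hold it, which is the per-host configuration step the message refers to.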
