Boeing Research & Technology

P.O. Box 3707 Seattle WA 98124 USA fltemplin@acm.org

I-D Internet-Draft Secure DHCPv6 includes mechanisms for encryption and authentication, where encryption is currently mandated due to concerns for pervasive monitoring in the Internet. The Secure DHCPv6 specification states that the mechanisms are applicable in any environment where physical security on the link is not assured and attacks on DHCPv6 are a concern. However, this document presents a reference use case where physical and/or link-layer security are already assured. This document therefore proposes an authentication-only application of Secure DHCPv6 when there is already sufficent protection against pervasive monitoirng.

DHCPv6 is the stateful autoconfiguration protocol for IPv6 . Secure DHCPv6 includes mechanisms for encryption and authentication, where encryption is currently mandated due to concerns for pervasive monitoring in the Internet. The Secure DHCPv6 specification states that the mechanisms are applicable in any environment where physical security on the link is not assured and attacks on DHCPv6 are a concern. However, this document presents a reference use case where physical and/or link-layer security are assured. This document therefore proposes an authentication-only application of Secure DHCPv6 when there is already sufficient protection against pervasive monitoirng. Encryption avoidance becomes important when information sharing between DHCPv6 clients, relays and servers is required and/or when an application of an additional layer of encryption would be redundant and would result in poor performance. The document therefore proposes an authentication-only mode for specific use cases where pervasive monitoring is already mitigated through other means, but a means for authenticating the source of the DHCPv6 message is still required.

depicts a reference use case for an authentication-only mode for Secure DHCPv6, where the link between the DHCPv6 client and relay is protected by link-layer encryption and/or physical security:

In this reference use case, the link between the client and relay is secured against pervasive monitoring through the application of link-layer encryption. (The link itself also may or may not be secured at the phsyical layer.) No information is therefore available in plain text over the link that connects the client and relay. The channel between the relay and server (or, between the first-hop relay and next-hop relay) is further secured against pervasive monitoring through the application of mechanisms such as IPsec and/or physical security. In the reference use case, therefore, no opportunity for pervasive monitoring exists and the application of an additional layer of encryption at the DHCPv6 layer would be unnecessary, inefficient and would interfere with client/relay/server information sharing. An example where this use case applies is in the AERO protocol . This document therefore recommends an amendment of the Secure DHCPv6 specification to permit an authentication-only application of the protocol when pervasive monitoring is already mitigated through other means.

This document introduces no IANA considerations.

Security considerations are discussed in the DHCPv6 and Secure DHCPv6 specifications . This document notes that, in addition to proection against pervasive monitoring of DHCPv6 messages, a means for authenticating the sources of DHCPv6 messages may still be necessary in some environments to mitigate insider attacks such as spoofing and theft of service.

TBD