In message <[email protected]>, Ted Lemon writes:
> On Mar 4, 2014, at 5:58 PM, Mark Andrews <[email protected]> wrote:
> > Please go read draft-andrews-dnsop-pd-reverse.  This technique will
> > work with any zone to be delegated by the ISP.  For most cases the
> > wire is the authenticator but for things like WiMax you will be
> > putting credentials into the box to authenticate your DHCP request
> > to the ISP as the medium is not secure anyway.
>
> Your draft is certainly a valid solution to the problem it sets out to
> solve, but it doesn't actually change the security model I was talking
> about.  Given that my point was that you have to trust the wire to make
> this work, I think we are in violent agreement at least on this point,
> except that I would like us to describe a solution that at least
> addresses the use case where you can't trust the wire.

A HMAC-* option for DHCP (c.f. TSIG) would work if we have to
authenticate a DHCP request without relying on any other layers.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
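
A sketch of what a TSIG-style HMAC option on a DHCP request could look like, added here as an example and not taken from the message above or from any draft. The option layout (length-prefixed key name, time signed, fudge, MAC), the function names and the rejection strings are assumptions made for illustration, not a standardized DHCP option.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

def _mac(key: bytes, message: bytes, fields: bytes) -> bytes:
    # Length-prefix the message so the message/option boundary is covered too.
    data = struct.pack("!I", len(message)) + message + fields
    return hmac.new(key, data, hashlib.sha256).digest()

def sign_request(message: bytes, key_name: bytes, key: bytes,
                 now: int, fudge: int = 300) -> bytes:
    """Build the hypothetical option: len | key name | time | fudge | MAC."""
    fields = (struct.pack("!B", len(key_name)) + key_name
              + struct.pack("!QH", now, fudge))
    return fields + _mac(key, message, fields)

def verify_request(message: bytes, option: bytes, keys: dict, now: int) -> str:
    """Return "ok" or the reason for rejection, checked in TSIG order."""
    try:
        name_len = option[0]
        time_signed, fudge = struct.unpack_from("!QH", option, 1 + name_len)
    except (IndexError, struct.error):
        return "malformed"
    key_name = option[1:1 + name_len]
    fields, mac = option[:1 + name_len + 10], option[1 + name_len + 10:]
    if len(mac) != MAC_LEN:
        return "malformed"
    key = keys.get(key_name)
    if key is None:
        return "unknown-key"
    if not hmac.compare_digest(mac, _mac(key, message, fields)):
        return "bad-mac"
    if abs(now - time_signed) > fudge:
        return "bad-time"
    return "ok"

if __name__ == "__main__":
    # Constructed sample data: not a real DHCP message or key.
    keys = {b"cpe-0001": b"\x11" * 32}
    msg = b"constructed prefix-delegation request bytes"
    opt = sign_request(msg, b"cpe-0001", keys[b"cpe-0001"], now=1393977480)
    print(verify_request(msg, opt, keys, now=1393977500))
    print(verify_request(msg + b"x", opt, keys, now=1393977500))
```

As with TSIG, the time window only bounds how long a captured request stays valid; a server that must reject replays inside the window also has to remember what it has already accepted.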
