This is why we need to actually think about trust and not just handwave. There are a number of serious misconceptions in what you've said, Paul.
DHCP _is_ worse than TOFU, because there is an opportunity for attack at every lease renewal, not just the first time you ever talk to a particular DHCP server. I actually proposed a protocol that would have worked nicely for TOFU, but it didn't get consensus, so we don't even have TOFU-level authenticity.

The rest of what you said is nice, but "we have to balance theoretical risk versus sane and widespread deployment" is a statement that sounds a lot better if we *do the math.* If we just decide to do something without doing the math, then we aren't really balancing anything. We're just deciding not to do our homework, because math is hard.

On Mon, Aug 20, 2018 at 10:26 PM, Paul Ebersman <list-dn...@dragon.net> wrote:
> ebersman> That may be the consensus at the IETF but it's not even close
> ebersman> the consensus with ISPs, nor large enterprise. That seems to
> ebersman> cover most of the eyeball/consumer... DHCP is still how much
> ebersman> of the world gets connected and that hasn't changed in decades.
>
> pusateri> You're misquoting me and arguing against a point I didn't
> pusateri> make. There was no one saying we don't need DHCP. There was a
> pusateri> general agreement that DHCP should not be extended.
>
> pusateri> The DHC working group never completed the work for DHCP
> pusateri> authentication. It's not trustworthy enough in its current
> pusateri> form to add more things to it.
>
> And I'd argue that this is also an IETF opinion, not the majority of the
> internet. There's a reason it's still the most widespread configuration
> management for devices. "Not trustworthy enough to extend" is a fine
> academic opinion but doesn't hold water in the marketplace.
>
> DHCP is no worse currently than TOFU. We trust that the OFFER packet
> will be from the DHCP server we're supposed to use. Trust On First
> Use. Not great but it works more than not. At least that's the argument
> I kept hearing for TOFU. We actually have operational experience of
> decades for DHCP and this isn't a wide spread enough problem to kill any
> innovation forever because it's not perfect.
>
> If we want the world to use what the IETF develops, we have to be able
> to balance theoretical risk vs sane and widespread deployment.
>
> If not, someone will just wind up shoving this into yet another DHCP
> vendor option and every vendor will be different. That will be even less
> secure.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
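The disagreement above is about two trust policies: an unauthenticated DHCP client trusts whatever OFFER it gets at every lease renewal, while Trust On First Use pins the identity seen the first time and rejects anything else afterwards. The following Python model, added here as an illustration and not code from the thread or from any IETF work, runs both policies over a constructed sequence of lease renewals and also carries the "do the math" step: exposure over n renewals when an attacker can win any single renewal with independent probability p. Since DHCP has no server key to pin, `key_fingerprint` is a hypothetical identity stand-in; the server id and fingerprints are constructed values.

```python
"""Added example (not from the thread): compare "accept any offer" (what an
unauthenticated DHCP client does at every renewal) with TOFU pinning.
DHCP carries no server key, so key_fingerprint is a hypothetical stand-in
for whatever identity a pinning protocol would have to offer."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Offer:
    server_id: str        # constructed: the DHCP server identifier value
    key_fingerprint: str  # hypothetical: fingerprint of a server key
    rogue: bool           # ground truth, used only to score the simulation


class AcceptAnyPolicy:
    """Today's DHCP: every OFFER at every lease renewal is trusted."""

    def accept(self, offer: Offer) -> bool:
        return True


class TofuPolicy:
    """Trust On First Use: pin the first identity seen per server_id,
    then reject any later offer for that server_id with a different one."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def accept(self, offer: Offer) -> bool:
        pinned = self.pins.get(offer.server_id)
        if pinned is None:
            self.pins[offer.server_id] = offer.key_fingerprint
            return True
        return pinned == offer.key_fingerprint


def run_leases(policy, offers: List[Offer]) -> Dict[str, int]:
    """Feed one OFFER per lease renewal to a policy and count how many
    legitimate and rogue offers the client ended up accepting."""
    counts = {"legit_accepted": 0, "rogue_accepted": 0, "rejected": 0}
    for offer in offers:
        if not policy.accept(offer):
            counts["rejected"] += 1
        elif offer.rogue:
            counts["rogue_accepted"] += 1
        else:
            counts["legit_accepted"] += 1
    return counts


def compromise_probability(p: float, renewals: int, tofu: bool) -> float:
    """Probability that at least one accepted offer came from an attacker
    who wins any given renewal with independent probability p.
    Accept-any is exposed at every renewal; TOFU only at the first."""
    if tofu:
        return p
    return 1.0 - (1.0 - p) ** renewals


# Constructed values: same server id, two different identities.
LEGIT = Offer("192.0.2.1", "fp-legit", rogue=False)
ROGUE = Offer("192.0.2.1", "fp-rogue", rogue=True)


def scenario_rogue_later() -> Dict[str, Dict[str, int]]:
    """Legitimate server answers first; a rogue one appears on later renewals."""
    offers = [LEGIT, ROGUE, LEGIT, ROGUE, ROGUE]
    return {"accept_any": run_leases(AcceptAnyPolicy(), offers),
            "tofu": run_leases(TofuPolicy(), offers)}


def scenario_rogue_first() -> Dict[str, Dict[str, int]]:
    """TOFU's own failure mode: the rogue identity wins the first exchange
    and is pinned, so the real server is rejected from then on."""
    offers = [ROGUE, LEGIT, LEGIT]
    return {"accept_any": run_leases(AcceptAnyPolicy(), offers),
            "tofu": run_leases(TofuPolicy(), offers)}


if __name__ == "__main__":
    print("rogue later:", scenario_rogue_later())
    print("rogue first:", scenario_rogue_first())
    for n in (1, 10, 100):
        print(f"p=0.01, renewals={n}: accept-any "
              f"{compromise_probability(0.01, n, tofu=False):.3f}, "
              f"tofu {compromise_probability(0.01, n, tofu=True):.3f}")
```

With a 1% chance of a rogue answer per renewal, accept-any reaches about 63% exposure after 100 renewals while TOFU stays at 1%, which is the sense in which per-renewal trust is strictly weaker; the second scenario shows the cost TOFU pays for that, a bad first pin that locks out the real server until it is cleared.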