In message <527459c4.5000...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Mark Andrews wrote:
>
> >>>> It is a lot simpler and a lot more practical just to
> >>>> use shared secret between a CPE and a ISP's name server
> >>>> for TSIG generation.
> >>>
> >>> No it isn't. It requires a human to transfer the secret to the CPE
> >>> device or to register the secret with the ISP.
> >>
> >> Not necessarily. When the CPE is configured through DHCP (or
> >> PPP?), the ISP can send the secret.
> >
> > Which can be seen, in many cases, by other parties
>
> Who can see the packets sent from the local ISP to the CPE
> directly connected to the ISP?

The dhcpd traffic coming in over the cable modem, and you want to send
secrets in the clear over a channel like this.

bsdi# tcpdump -n -i sis0 port bootpc
tcpdump: listening on sis0
15:05:15.637252 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:15.650590 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:34.942619 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.975213 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.992714 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:55.931705 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.951400 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.964049 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:58.930921 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2af flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.054322 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.068061 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:08.933232 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.941233 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.959519 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
^C
10638 packets received by filter
0 packets dropped by kernel
bsdi#

> If you mind wire tapping, you have other things to worry
> about, which needs your access line encrypted (by a manually
> configured password), which makes DHCP packets invisible.
>
> Masataka Ohta

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
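As an added example (not part of the message above and not ISC code), the following Python parses tcpdump's one-line bootp summaries in the format shown in the capture and tallies which clients' DHCP replies a station on the same segment observes. The fourteen capture lines are copied verbatim from the message; the field-name mapping (Y/S/G to yiaddr/siaddr/giaddr) and the 0x8000 BROADCAST flag follow RFC 951/2131; the observer MAC passed at the end is a hypothetical choice made for illustration. The point it makes concrete is that every reply in the capture is broadcast, so any option the server put in it, a shared secret included, is delivered to every station on the segment, not only to the client it was meant for.

```python
# Added example (not from the message): parse tcpdump's one-line bootp
# summaries and tally whose DHCP replies a third station on the segment sees.
import re

# Fourteen server replies copied verbatim from the capture in the message.
CAPTURE = """\
15:05:15.637252 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:15.650590 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc58c07ae flags:0x8000 Y:122.106.168.231 G:10.72.0.1 ether 0:1d:9:81:64:ba [|bootp]
15:05:34.942619 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.975213 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:36.992714 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x122cf3bb secs:2 flags:0x8000 Y:10.72.194.250 S:10.72.0.1 G:10.72.0.1 ether 0:17:ee:4c:f3:74 [|bootp]
15:05:55.931705 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.951400 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:57.964049 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x732 secs:2 flags:0x8000 Y:10.72.3.3 S:10.72.0.1 G:10.72.0.1 ether 0:11:1a:19:25:a2 [|bootp]
15:05:58.930921 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2af flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.054322 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:00.068061 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0xc7dba2b0 flags:0x8000 Y:122.106.152.0 G:10.72.0.1 ether 0:14:bf:a0:db:c8 [|bootp]
15:06:08.933232 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.941233 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
15:06:10.959519 10.72.0.1.67 > 255.255.255.255.68: hops:1 xid:0x111fb9c2 secs:2 flags:0x8000 Y:10.72.23.110 S:10.72.0.1 G:10.72.0.1 ether 0:1a:de:6f:99:e6 [|bootp]
"""

# "<ts> <src>.<port> > <dst>.<port>: key:val ... ether <mac> [|bootp]"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<fields>.*) \[\|bootp\]$"
)
# tcpdump's short names for BOOTP header fields (RFC 951 / RFC 2131).
FIELD_NAMES = {"Y": "yiaddr", "S": "siaddr", "G": "giaddr", "C": "ciaddr"}
BROADCAST_FLAG = 0x8000  # bit 15 of the flags field: client wants a broadcast reply


def parse_line(line):
    """Return a dict for one bootp summary line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
           "sport": int(m.group("sport")), "dport": int(m.group("dport")),
           "hops": 0, "secs": 0, "flags": 0, "chaddr": None}
    tokens = m.group("fields").split()
    i = 0
    while i < len(tokens):
        if tokens[i] == "ether":          # the client hardware address follows
            rec["chaddr"] = tokens[i + 1]
            i += 2
            continue
        key, sep, val = tokens[i].partition(":")
        if sep:
            if key in ("hops", "secs"):
                rec[key] = int(val)
            elif key in ("xid", "flags"):
                rec[key] = int(val, 16)
            else:
                rec[FIELD_NAMES.get(key, key)] = val
        i += 1
    # A reply reaches every station on the segment when it goes to the limited
    # broadcast address or the client requested that via the BROADCAST flag.
    rec["broadcast"] = (rec["dst"] == "255.255.255.255"
                        or bool(rec["flags"] & BROADCAST_FLAG))
    return rec


def parse_capture(text):
    """Parse every bootp line in a tcpdump transcript, skipping anything else."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """Per-client view of the leases visible on the wire."""
    offered = {}
    for r in records:
        if r["chaddr"] and "yiaddr" in r:
            offered.setdefault(r["chaddr"], set()).add(r["yiaddr"])
    return {"packets": len(records),
            "broadcast_replies": sum(r["broadcast"] for r in records),
            "servers": sorted({r["src"] for r in records if r["sport"] == 67}),
            "clients": sorted(offered),
            "offered": offered}


def visible_to_third_party(records, own_chaddr):
    """Replies meant for other clients that a station with own_chaddr still
    receives, purely because they are broadcast on the shared segment."""
    return [r for r in records if r["broadcast"] and r["chaddr"] != own_chaddr]


if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    s = summarize(recs)
    print(f"{s['packets']} replies from {s['servers']}, {s['broadcast_replies']} "
          f"broadcast, {len(s['clients'])} distinct clients")
    for mac in s["clients"]:
        print(f"  {mac:18} offered {', '.join(sorted(s['offered'][mac]))}")
    # HYPOTHETICAL observer: pretend we are the first client in the capture.
    print(len(visible_to_third_party(recs, "0:1d:9:81:64:ba")), "replies are someone else's")
```

Run against the full capture it reports one server, fourteen broadcast replies and five distinct clients; with the observer standing in for any one of them, the other twelve replies still arrive at its interface. That is the exposure a DHCP-delivered TSIG key would have on this kind of access network, and the same parser can be pointed at a live `tcpdump -n port bootpc` transcript to check whether a given segment behaves this way.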