Mark Andrews wrote:
>> You misunderstand very basic points on why forward and reverse
>> DNS checking is useful.
>>
>> If an attacker can snoop DHCP reply packet to a victim's CPE, the
>> attacker can snoop any packet to a victim's server, which is
>> already bad.
>
> The DHCP reply packet is special as is is broadcasted.
What?
Rfc3315 is explicit on it:
18.2.8. Transmission of Reply Messages
The Reply message MUST be unicast
through the interface on which the original message was received.
>> That is, Mark's security model is broken only to introduce
>> obscurity with worse security.
>
> This is a about adding a delegation into the DNS securely so only
> the machine that the prefix is delegated to and the ISP can update
> it. There are a number of reasons to want to do this securely from
> both the ISP side and the customer side regardless of whether you
> secure the DNS responses themselves.
And carrying TSIG key in DHCP reply is just secure from the both sides.
Masataka Ohta
