Mark Andrews wrote:

>> You misunderstand very basic points on why forward and reverse
>> DNS checking is useful.
>>
>> If an attacker can snoop DHCP reply packet to a victim's CPE, the
>> attacker can snoop any packet to a victim's server, which is
>> already bad.
>
> The DHCP reply packet is special as it is broadcasted.
What? RFC 3315 is explicit on it:

   18.2.8. Transmission of Reply Messages

   The Reply message MUST be unicast through the interface on which
   the original message was received.

>> That is, Mark's security model is broken only to introduce
>> obscurity with worse security.
>
> This is about adding a delegation into the DNS securely so only
> the machine that the prefix is delegated to and the ISP can update
> it. There are a number of reasons to want to do this securely from
> both the ISP side and the customer side regardless of whether you
> secure the DNS responses themselves.

And carrying TSIG key in DHCP reply is just secure from both sides.

						Masataka Ohta
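Added example, not part of the thread above and not code from either poster: what the CPE would actually do with a TSIG key once it holds one, and what the ISP's server checks. It builds a DNS UPDATE (opcode 5) that adds an NS record for the customer's delegated zone, signs it with TSIG (RFC 8945 wire format, HMAC-SHA256) using only the Python standard library, and verifies it the way the ISP side would, rejecting a modified update, an unknown key, and a replay outside the fudge window. The zone names, key name and secret are constructed for the example; how the secret reached the CPE (the DHCP reply, in Ohta's proposal) is outside what the code shows.

```python
import hashlib
import hmac
import struct
import time

TYPE_NS, TYPE_SOA, TYPE_TSIG = 2, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALG_HMAC_SHA256 = "hmac-sha256."


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name; no label compression is used anywhere here."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (dotted name, offset after it). Compression pointers are rejected
    because this example never emits them and TSIG needs the uncompressed name."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0:
            raise ValueError("compressed names not handled in this example")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_update(zone: str, ns_owner: str, ns_target: str, msg_id: int) -> bytes:
    """DNS UPDATE: zone section = SOA question, update section = one NS RR to add."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = encode_name(ns_target)
    update = encode_name(ns_owner) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata)) + rdata
    return header + zone_sec + update


def tsig_sign(msg: bytes, keyname: str, secret: bytes, now: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR. The MAC covers the unsigned message plus the TSIG variables."""
    keyname_wire, alg_wire = encode_name(keyname.lower()), encode_name(ALG_HMAC_SHA256)
    time_signed = struct.pack("!HI", now >> 32, now & 0xFFFFFFFF)  # 48-bit seconds since epoch
    variables = (keyname_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire
                 + time_signed + struct.pack("!HHH", fudge, 0, 0))    # fudge, error, other-len
    mac = hmac.new(secret, msg + variables, hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = alg_wire + time_signed + struct.pack("!HH", fudge, len(mac)) + mac \
        + struct.pack("!HHH", original_id, 0, 0)
    tsig_rr = keyname_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed: bytes, keys: dict, now: int) -> bool:
    """Server-side check: parse to the trailing TSIG RR, rebuild the signed bytes,
    recompute the MAC with the key named in the RR, then check the time window."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    arcount = counts[5]
    if arcount == 0:
        return False
    off = 12
    for _ in range(counts[2]):                       # zone (question) entries
        off = decode_name(signed, off)[1] + 4
    for _ in range(counts[3] + counts[4] + arcount):  # prereq, update, additional RRs
        rr_start = off
        name, off = decode_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        rdata = signed[off:off + rdlen]
        off += rdlen
    if rtype != TYPE_TSIG or off != len(signed):     # TSIG must be the last RR
        return False
    alg, p = decode_name(rdata, 0)
    th, tl, fudge, macsize = struct.unpack("!HIHH", rdata[p:p + 10])
    p += 10
    mac, p = rdata[p:p + macsize], p + macsize
    original_id, error, otherlen = struct.unpack("!HHH", rdata[p:p + 6])
    other = rdata[p + 6:p + 6 + otherlen]
    secret = keys.get(name.lower())
    if secret is None or alg.lower() != ALG_HMAC_SHA256:  # BADKEY
        return False
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", arcount - 1) + signed[12:rr_start])
    variables = (encode_name(name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
                 + encode_name(alg.lower()) + struct.pack("!HI", th, tl)
                 + struct.pack("!HHH", fudge, error, otherlen) + other)
    expected = hmac.new(secret, unsigned + variables, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):       # BADSIG
        return False
    return abs(now - ((th << 32) | tl)) <= fudge      # else BADTIME


def demo():
    """Constructed scenario: CPE adds NS for its delegated zone; ISP verifies."""
    secret = b"constructed-secret-delivered-to-the-cpe"   # assumed key material
    keys = {"cpe-key.example.net.": secret}
    now = 1_700_000_000
    msg = build_update("example.net.", "cust.example.net.", "ns1.cust.example.net.", 0x1234)
    signed = tsig_sign(msg, "cpe-key.example.net.", secret, now)
    ok = tsig_verify(signed, keys, now + 10)
    tampered = tsig_verify(signed.replace(b"ns1", b"ns9"), keys, now + 10)  # NS target altered
    wrong_key = tsig_verify(signed, {"cpe-key.example.net.": b"other"}, now + 10)
    replayed = tsig_verify(signed, keys, now + 1000)                         # outside fudge
    return ok, tampered, wrong_key, replayed


if __name__ == "__main__":
    print(demo())
```

The verifier reconstructs the message with ARCOUNT decremented and the original ID restored before recomputing the MAC, which is exactly what a real server does; note that the key lookup happens before the HMAC is computed, so an attacker who only sees the DHCP reply's destination but not its contents has nothing to sign with.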