Attacking networks using DHCP, DNS - probably kills DNSSEC

Major Variola (ret) mv at cdc.gov
Mon Jun 30 15:54:45 PDT 2003


At 01:05 PM 6/30/03 -0400, William Allen Simpson wrote:
>"Steven M. Bellovin" wrote:
>>
>> I can pretty much guarantee that the IETF will never standardize that,
>> except possibly in conjunction with authenticated dhcp.
>>
>Would this be the DHCP working group that on at least 2 occasions
>when I was there, insisted that secure DHCP wouldn't require a secret,
>since DHCP isn't supposed to require "configuration"?

In some cases it would be trivial to distribute a key for DHCP trust
purposes.  My cable ISP distributes a CDROM which configures Wintel
machines for it.  (I don't use this.)  It would be easy enough for them
to distribute secret or public keys or even hash sigs that worked with
their DHCP, *if* the clients could use it, and *if* the users paid
attention to whatever UI accompanied problems.

In other cases --the visitor who wants to connect a laptop to an office
net-- there is a perhaps unacceptable burden.




