Re: Reverse DNS RFCs and Recommendations

[Masataka Ohta <mohta () necom830 hpcl titech ac jp>]

Mark Andrews wrote:

> > > The DHCP reply packet is special as is is broadcasted.
> >
> > What?
> >
> > Rfc3315 is explicit on it:
> >
> >     18.2.8. Transmission of Reply Messages
> >
> >     The Reply message MUST be unicast
> >     through the interface on which the original message was received.
>
> While IPv6 is unicast, IPv4 isn't and having a scheme that will work
> for IPv4 as well as IPv6 is useful.

In your draft, you wrote:

   CPE generates DHCPv6 Prefix Delegation [RFC3633] request which

Moreover, even for IPv4, the scheme can (and should) mandate unicast
DHCP reply.

> Also there is NO GUARANTEE that
> the response can't be seen so you design the protocol to work when
> it can be seen.

Your misunderstanding on DHCPv6 is OK, because you also
misunderstand that it were more secure?

Then, as there is NO GUARANTEE that CAs of DNSSEC can't be
compromised, you MUST design the protocol to work when they
can be compromised.

> > And carrying TSIG key in DHCP reply is just secure from the both
> > sides.
>
> Not in the clear it isn't.

Clear text in DHCP reply is just secure when required security
level allows to use DHCP.

                                        Masataka Ohta