Mark Andrews wrote:
The DHCP reply packet is special as is is broadcasted.
What?
Rfc3315 is explicit on it:
18.2.8. Transmission of Reply Messages
The Reply message MUST be unicast through the interface on which the original message was received.
While IPv6 is unicast, IPv4 isn't and having a scheme that will work for IPv4 as well as IPv6 is useful.
In your draft, you wrote: CPE generates DHCPv6 Prefix Delegation [RFC3633] request which Moreover, even for IPv4, the scheme can (and should) mandate unicast DHCP reply.
Also there is NO GUARANTEE that the response can't be seen so you design the protocol to work when it can be seen.
Your misunderstanding on DHCPv6 is OK, because you also misunderstand that it were more secure? Then, as there is NO GUARANTEE that CAs of DNSSEC can't be compromised, you MUST design the protocol to work when they can be compromised.
And carrying TSIG key in DHCP reply is just secure from the both sides.
Not in the clear it isn't.
Clear text in DHCP reply is just secure when required security level allows to use DHCP. Masataka Ohta