Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT modify the message" restriction
"Bernie Volz (volz)" <volz@cisco.com> Thu, 04 June 2015 22:33 UTC
Return-Path: <volz@cisco.com>
X-Original-To: dhcpv6bis@ietfa.amsl.com
Delivered-To: dhcpv6bis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABAE81A1ADD for <dhcpv6bis@ietfa.amsl.com>; Thu, 4 Jun 2015 15:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MimN-HMPkpJU for <dhcpv6bis@ietfa.amsl.com>; Thu, 4 Jun 2015 15:32:57 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C48561A1AD0 for <dhcpv6bis@ietf.org>; Thu, 4 Jun 2015 15:32:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=26690; q=dns/txt; s=iport; t=1433457172; x=1434666772; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=dHgefRZoRF91+0kuZErPOtFvEYzJcja6xFW4Q5ZQqLY=; b=mSmEGnxe2t82D4VFhN/e2/qHat0LeCRrxELmTSrfWrXsLFnkCd+K9n4L NbA/Y2YNeQPRdYQ6ZLOFFn7g6gepRkMupeNtoAryp5TxIYVTrgDgyDygS 7nVGXMIrQkoN9f3dFcn2PeKiZ58Lg1zJAXE0dTxk7RxGaCENH52nOPHj+ M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AQBQDJ0HBV/4UNJK1bgkVLVF4Ggxi7PIdSAhyBEzkTAQEBAQEBAYEKhCIBAQEEIwpcAgEIEQQBAQsWBwMCAgIwFAkIAgQBEggTiBK3TaQaAQEBAQEBAQEBAQEBAQEBAQEBAQEBF4tDhDsaNwEGgmIvgRYFhQ2ODYkKg0mSSINZJGGBWYE9b4FGgQEBAQE
X-IronPort-AV: E=Sophos;i="5.13,554,1427760000"; d="scan'208,217";a="156424740"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-8.cisco.com with ESMTP; 04 Jun 2015 22:32:51 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t54MWpCo004240 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 4 Jun 2015 22:32:51 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.169]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.03.0195.001; Thu, 4 Jun 2015 17:32:51 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Guido Marelli <guido.marelli@intraway.com>, "dhcpv6bis@ietf.org" <dhcpv6bis@ietf.org>
Thread-Topic: [Dhcpv6bis] Doubts on "Relay agents MUST NOT modify the message" restriction
Thread-Index: AQHQnw/jXFWdwD0TPEKeP8D+u/QfDZ2c6Mdg
Date: Thu, 04 Jun 2015 22:32:51 +0000
Message-ID: <489D13FBFA9B3E41812EA89F188F018E1CB06BF5@xmb-rcd-x04.cisco.com>
References: <CA+rsa=MpyQsg8CRrbpSaXvJk6AumWS7UKs3T8HKRJEFzw-9J0w@mail.gmail.com>
In-Reply-To: <CA+rsa=MpyQsg8CRrbpSaXvJk6AumWS7UKs3T8HKRJEFzw-9J0w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.98.1.200]
Content-Type: multipart/alternative; boundary="_000_489D13FBFA9B3E41812EA89F188F018E1CB06BF5xmbrcdx04ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcpv6bis/yVt-Ak7baQa4OmxBHR4i0cqbpIY>
Subject: Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT modify the message" restriction
X-BeenThere: dhcpv6bis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "DHCPv6 \(RFC3315\) bis discussion list" <dhcpv6bis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcpv6bis>, <mailto:dhcpv6bis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcpv6bis/>
List-Post: <mailto:dhcpv6bis@ietf.org>
List-Help: <mailto:dhcpv6bis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcpv6bis>, <mailto:dhcpv6bis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 22:33:02 -0000
Hi: Thanks for looking at the document and noticing some of the differences! The main reason for this statement is that this would break any kind of client/server data integrity checking that might exist (i.e., such as the Delayed Authentication, which we are planning to depreciate, draft-ietf-dhc-sedhcpv6-07, and also draft-cui-dhc-dhcpv6-encryption-00). In DHCPv4, this was one reason that RFC 5107 was developed. But I suspect there are plenty of cases in DHCPv4 were similar things happen (i.e., in DOCSIS). I would suspect the right way to have done this in DOCSIS would be for the Relay Agent to provide that information to the DHCPv6 server (in the Relay’s options) so the server can place that information into what goes to the client. But this does make the server more complicated too. With the push for more secure and privacy networking in the IETF, it may be harder to do what is being done in the long term. I guess the options include: 1. Relaxing this statement (Relay agents MUST NOT modify the message) in some way. Though I think that is bad. 2. Remove the statement and be silent on the issue. Again, I think that is bad as it probably lead to this (if RFC 3315 has explicitly stated this, perhaps it would have given pause to Cablelabs). 3. Cablelabs might need to say “OK, new RFCxxxx says MUST NOT but we’re going to ignore that and understand it will prevent use of some security/privacy capabilities (but we don’t require DOCSIS devices to use those anyway)”. 4. Cablelabs updates standard to have the Relay provide the information (as options, perhaps Cablelabs Vendor options) that the DHCPv6 server is to use in responding to the client (where applicable). #4 is the best long term solution. #3 is probably what can be done in the interim (for DOCSIS). We’ll see what others on the bis team think. You may want to raise this with the CableLabs folks? - Bernie From: Dhcpv6bis [mailto:dhcpv6bis-bounces@ietf.org] On Behalf Of Guido Marelli Sent: Thursday, June 04, 2015 5:46 PM To: dhcpv6bis@ietf.org Subject: [Dhcpv6bis] Doubts on "Relay agents MUST NOT modify the message" restriction Dear all, I've been working with DHCP for more than 8 years and I would like to get involved in the DHC WG discussions. I'm reading rfc3315bis and caught my attention what I believe is a change from the original specification and I wasn't able to find the source of this change. In section 21.2 (Relaying a Relay-reply Message) the revised rfc3315bis says: "Relay agents MUST NOT modify the message." As far as I understand, this statement has some compatibility issues with the DOCSIS 3.1 Security Specification from Cablelabs (CM-SP-SECv3.1-I02-150326). In these type of networks, there are some security features that require the relay agent to change the message (for example: TFTP proxy for hiding the true address of the TFTP server). However, the option modified to provide these features is the Vendor-Specific Information Option (OPTION_VENDOR_OPTS). I believe it would be interesting to have an exception and allow relay agents to alter OPTION_VENDOR_OPTS to provide flexibility and permit vendor-specific behavior. What are your thoughts on this matter? Best Regards, Guido
- [Dhcpv6bis] Doubts on "Relay agents MUST NOT modi… Guido Marelli
- Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT … Bernie Volz (volz)
- Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT … Ted Lemon
- Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT … Bernie Volz (volz)
- Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT … Ted Lemon
- Re: [Dhcpv6bis] Doubts on "Relay agents MUST NOT … Guido Marelli