Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6
"Bernie Volz (volz)" <volz@cisco.com> Thu, 12 May 2016 18:24 UTC
Return-Path: <volz@cisco.com>
X-Original-To: dhcpv6bis@ietfa.amsl.com
Delivered-To: dhcpv6bis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 060BD12D6F4 for <dhcpv6bis@ietfa.amsl.com>; Thu, 12 May 2016 11:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pciXomx9ij2s for <dhcpv6bis@ietfa.amsl.com>; Thu, 12 May 2016 11:24:02 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D41F112D6F2 for <dhcpv6bis@ietf.org>; Thu, 12 May 2016 11:24:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8654; q=dns/txt; s=iport; t=1463077441; x=1464287041; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=f1CSL4Vcue2YSXlRQe7B32utsvZHauZ7l69wEIu0shM=; b=UjTR+H1lQbHARTvvhBipy4hIEb+bnnEu9oh3pkozQvm84zOkJXR7AYd4 2y+ENcImFOxpe2ViKthG9mX/uLGSfdFnuJFoxkv6h11c2RNP4n7uTlkyr JJvsKU/AhWJV6APQlJgga8VkGbPHJMABwjxrK5+8ec4qKMwReeIop6RbK U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D3AQBmyTRX/49dJa1egzhVfga5WgENgXYkgj6DMgIcgR04FAEBAQEBAQFlJ4RCAQEBAwEjET0UBAIBCBEEAQEDAiMDAgICMBQBCAgCBAESCIgfCA6sDpEFAQEBAQEBAQEBAQEBAQEBAQEBAQEBFwWBAYlwhBAZLQ+CWoJZBZgnAYV9hWWCNIIHjRmPQAEeAQFCggUbgUtuAYZyJBt/AQEB
X-IronPort-AV: E=Sophos;i="5.24,610,1454976000"; d="scan'208";a="271000747"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 May 2016 18:24:00 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id u4CIO02r014011 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 12 May 2016 18:24:00 GMT
Received: from xch-aln-003.cisco.com (173.36.7.13) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 12 May 2016 13:23:59 -0500
Received: from xch-aln-003.cisco.com ([173.36.7.13]) by XCH-ALN-003.cisco.com ([173.36.7.13]) with mapi id 15.00.1104.009; Thu, 12 May 2016 13:23:59 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "dhcpv6bis@ietf.org" <dhcpv6bis@ietf.org>
Thread-Topic: [Dhcpv6bis] PPPoE/DSL use of DHCPv6
Thread-Index: AQHRq6bKhvovJ6S3QUKUjepO7y9yop+0T14A//+vErCAAJeIAIABBvVw
Date: Thu, 12 May 2016 18:23:59 +0000
Message-ID: <4cf7a04beb3241e1851906d35f6b3a0a@XCH-ALN-003.cisco.com>
References: <b32cecf196974099b78a0636cfd28fec@XCH-ALN-003.cisco.com> <27050.1462485683@obiwan.sandelman.ca> <12843.1462986084@obiwan.sandelman.ca> <CAPt1N1=UxAG3zj+DpK4iJ6huefQZS2+s_7WKrqS3SsUcZc-hSw@mail.gmail.com> <4f9c4b6899e647c3bbca98bc4419c7a6@XCH-ALN-003.cisco.com> <11180.1463002396@obiwan.sandelman.ca>
In-Reply-To: <11180.1463002396@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.131.76.130]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcpv6bis/zPsd4Ax20paNO1Onpu1UGebqw-Q>
Subject: Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6
X-BeenThere: dhcpv6bis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "DHCPv6 \(RFC3315\) bis discussion list" <dhcpv6bis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcpv6bis>, <mailto:dhcpv6bis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcpv6bis/>
List-Post: <mailto:dhcpv6bis@ietf.org>
List-Help: <mailto:dhcpv6bis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcpv6bis>, <mailto:dhcpv6bis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 18:24:04 -0000
Michael: I suspect in PPP you also have control over the RAs sent on the PPP link (if there is even one). So, I think if you are sure that SLAAC would not be used for a client end of the PPP link, I think you're OK to have the DHCPv6 server provide the "SLAAC" (or RFC7217) address to the client (of course, the SLAAC won't work if there are multiple IA_NAs for all but one of them). FYI - Or perhaps https://tools.ietf.org/html/draft-gont-dhcpv6-stable-privacy-addresses-01 .... as Fernando is still working on this draft. - Bernie -----Original Message----- From: Dhcpv6bis [mailto:dhcpv6bis-bounces@ietf.org] On Behalf Of Michael Richardson Sent: Wednesday, May 11, 2016 5:33 PM To: dhcpv6bis@ietf.org Subject: Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Bernie Volz (volz) <volz@cisco.com> wrote: BV> Yes. I always wondered if for DHCPv6 failover we should have a BV> “failover DUID” (same for both failover partners) that would allow BV> RENEWs to be handled by either server. But we have never really BV> discussed and there could be some drawbacks. So, for now left it BV> alone. The existing separate server-ids (DUIDs) works fine. It is BV> less efficient when one server is down for extended periods (as the BV> Renews generated by clients trying to reach it are ignored), but BV> ideally neither server is offline for long!! In the PPPoE/DSL situation, the Renews go onto the PPP link can only be seen by the gateway/router aggregator. If the aggregator is up, the DHCP server on that same machine is probably up. There is no shared media. In the situation where it is really a DHCP relay agent, and the relay agent uses the ALL DHCP servers multicast to reach an appropriate server (vs unicasting directly to the server it knows is up), then it seems that the Renews would also be lost even if the correct server is up. > 2) Can the returned non-temporary IA_NA returned by the DHCPv6 server be > the > same address as would be generated by SLAAC? Clearly RA doesn't actually > generate the address, and given stable private addresses the CPE device > could well come up with a different address, but is the IA_NA allowed > to be the same? BV> While it COULD be, it does create some more complex issues if a BV> prefix is set to also allow auto-configuration. I’m not sure how BV> common this is today (it was used a bit more early on before there BV> were many DHCPv6 clients). Android’s lack of DHCPv6 may still force BV> some places to do this. And, there is a v6ops or 6man draft that I BV> think indicated that this caused issues for certain operating BV> systems. (Our server does have an knob (default is disabled) to do BV> this, and some customers used it .. but I think they’ve all moved BV> away from doing so.) BV> BTW: I’m also not sure how you would know the SLAAC generated address BV> in the PPP case. When packets are relayed from Ethernet, it is easy since BV> the Relay-Forw’s peer-address has that in it. Perhaps you are trying to BV> extract the mac-address from the Client ID (DUID). If so, I think that is BV> very bad. No, that's not it at all.... PPP doesn't have MAC addresses at all. PPP creates link-local addresses as part of IP6CP. Both ends know the exact address created, and therefore know what SLAAC would produce if applied. see: https://tools.ietf.org/html/rfc5072#section-4.1 From client side logs: Wed May 11 21:12:20 2016 daemon.notice pppd[1224]: local LL address fe80::ec41:c689:aeaa:5130 Wed May 11 21:12:20 2016 daemon.notice pppd[1224]: remote LL address fe80::021e:68ff:feb7:9688 ifconfig on client router: pppoe-wan Link encap:Point-to-Point Protocol inet addr:10.10.223.7 P-t-P:10.0.0.1 Mask:255.255.255.255 inet6 addr: 2620:120:9001:31f::5544/128 Scope:Global inet6 addr: 2620:120:9001:31f:ec41:c689:aeaa:5130/64 Scope:Global inet6 addr: fe80::ec41:c689:aeaa:5130/10 Scope:Link my radius server returned PW_FRAMED_IPV6_PREFIX containing ...::5544 , which is why it is like that. ( (naw, you can't ping6 those IPs right now, the OSPF router for this test instance is powered off) RFC5072 section suggests that these link-local addresses be consistent across invocations, and my concentrator uses an eui48 from an ethernet device to accomplish this. But, openwrt doesn't do that. Whether intention or omission I'm not sure. Unclear to me if it's good or not. From client side logs: Wed May 11 21:17:23 2016 daemon.notice pppd[1535]: local LL address fe80::3d52:f20f:5196:8f72 Wed May 11 21:17:23 2016 daemon.notice pppd[1535]: remote LL address fe80::021e:68ff:feb7:9688 the point is that for any given invocation, one can know the EUI-64 easily, and using a single address for both. > Radius defines PW_FRAMED_IPV6_PREFIX for the PPP link itself, and nothing > stops this from being a /128, AFAIK. > Should we say something about this situation? > (I neither help the radius admin to shoot themselves in the foot, nor > prevent it) BV> Where do you want to say something? I don’t think this belongs in RFC BV> 3315 bis. And, I’m not even sure what situation you are referring BV> to. And, with the move to randomly generated mac-addresses and thus BV> DUIDs, I’m not sure what value using the SLAAC would have. I think that there is zero privacy advantages for a customer CPE device to have a randomly generated lower 64-bits while the upper-64 bits remain constant. There are significant operational downsides if the CPE device changes address every time it restarts it's PPP connection (and few PPPoE connections stay up for more than 24 hours in my experience), and I think that ISPs will use use FW_FRAMED_IPV6_PREFIX to set the CPE devices address. The question then becomes: is it okay if the provided DHCPv6 address matches an address generated by SLAAC and/or rfc7217 "Semantically Opaque Interface Identifiers". It's not that the server would *AIM* for that, but rather, how should the client react? -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Dhcpv6bis] first email thoughts/edits on my … Bernie Volz (volz)
- Re: [Dhcpv6bis] first email thoughts/edits on my … Tomek Mrugalski
- [Dhcpv6bis] Wednesday's call - reminder & discuss… Bernie Volz (volz)
- [Dhcpv6bis] my read through Michael Richardson
- Re: [Dhcpv6bis] my read through Bernie Volz (volz)
- [Dhcpv6bis] first email thoughts/edits on my read… Michael Richardson
- Re: [Dhcpv6bis] first email thoughts/edits on my … Bernie Volz (volz)
- [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Michael Richardson
- Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Ted Lemon
- Re: [Dhcpv6bis] first email thoughts/edits on my … Bernie Volz (volz)
- Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Bernie Volz (volz)
- Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Michael Richardson
- Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Michael Richardson
- Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Bernie Volz (volz)
- Re: [Dhcpv6bis] PPPoE/DSL use of DHCPv6 Bernie Volz (volz)