[dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-v6only-06: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Sat, 08 August 2020 04:47 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dhcwg@ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 109273A0CF9; Fri, 7 Aug 2020 21:47:14 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dhc-v6only@ietf.org, dhc-chairs@ietf.org, dhcwg@ietf.org, Bernie Volz <volz@cisco.com>, volz@cisco.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.13.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159686203404.30124.6988781392051471498@ietfa.amsl.com>
Date: Fri, 07 Aug 2020 21:47:14 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/-mRS1g4sVwfbYv4X6rq6m-ysH4o>
Subject: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-v6only-06: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2020 04:47:14 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-dhc-v6only-06: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dhc-v6only/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you for addressing Martin's point already! Abstract This document specifies a DHCPv4 option to indicate that a host supports an IPv6-only mode and willing to forgo obtaining an IPv4 address if the network provides IPv6 connectivity. It also updates nit: "is willing" RFC2563 to specify the DHCPv4 server behavior when the server receives a DHCPDISCOVER not containing the Auto-Configure option. I know Abstracts should be concise, but perhaps we should pay the few extra words and note that this is limited to just the v6only case -- the current text makes it sound like this is some completely orthogonal thing. Section 1.2 I worry a little bit about how we are sometimes assuming that IPv6-only includes NAT64+DNS64, and sometimes not, but the current text about "this document currently implies" is probably enough to clarify things. Section 2 Thank you for acknowledging the new DoS attack vector :) Being a client/server protocol, DHCPv4 allows IPv4 to be selectively disabled on a per-host basis on a given network segment. Coexistence of IPv6-only, dual-stack and even IPv4-only hosts on the same LAN would not only allow network administrators to preserve scarce IPv4 addresses but would also drastically simplify incremental deployment of IPv6-only networks, positively impacting IPv6 adoption. It seems that the cost of achieving this benefit is that the v4 stack on the network equipment needs to know about the v6 capabilities of the network. When the same hardware provides the v4 and v6 service (would that ever not be the case?), this is presumably no great burden, but it does perhaps present an abstraction barrier violation. Section 3.1 Am I reading this wrong, or do we only specify the semantics of the "Value" field for the server-to-client direction? Should the client just set it to all-zeros in messages it generates? Section 3.2 Is the "for at least <N> seconds or until a network attachment event happens" common enough in DHCP documents that the "whichever comes sooner" is implicit? to that value. Otherwise, the client SHOULD set the V6ONLY_WAIT timer to MIN_V6ONLY_WAIT. The client SHOULD stop the DHCPv4 configuration process for at least V6ONLY_WAIT seconds or until a network attachment event happens. The host MAY disable the IPv4 stack completely for V6ONLY_WAIT seconds or until the network disconnection event happens. I'm not entirely sure if there are some subtle semantic differences between "network attachment event" and "network disconnection event" such that the former applies to the "stop the DHCPv4 configuration process" cases but the latter applies to "disabled IPv5 stack completely" cases. (We only talk about "network disconnection event" in the following paragraph, as applying to both pausing configuaration and disabling the stack entirely.) Section 3.3.1 contain the Auto-Configure option, it is not answered." Such behavior would be undesirable for clients supporting the IPv6-Only Preferred option w/o supporting the Auto-Configure option as they would not receive any response from the server and would keep asking, instead of disabling DHCPv4 for V6ONLY_WAIT seconds. Therefore the Should I infer that the "V6ONLY_WAIT seconds" is modified by "or until a network attachment event occurs"? Section 3.4 V6ONLY_WAIT The minimum time the client SHOULD stop the DHCPv4 configuration process for. The value MUST NOT be less than MIN_V6ONLY_WAIT seconds. Default: 1800 seconds nit(?): is this really a "minimum" time? The previous discussion is inconsistent about using "at least V6ONLY_WAIT seconds" or just "for V6ONLY_WAIT seconds", which might be worth tightening up. Section 6 An attacker might send a spoofed DHCPOFFER containing IPv6-only Preferred option with the value field set to 0xffffffff, disabling DHCPv4 on clients supporting the option. If the network is IPv4-only I don't remember us assigning special semantics to 0xffffffff, so maybe we should just say "value field set to a large number, such as 0xffffffff, effectively disabling DHCPv4". I guess this attack also only works if the client ends up picking that offer (right?), so we might mention that the attacker needs to make the rest of the offer look compelling enough for the client to pick it anyway, even in the presence of other (legitimate) offers. Section 8.1 We seem to only use RFC 4861 in the definition of RA, which itself seems to be unused. Section 8.2 It's a little surprising to see RFC 6146 listed as only an informational reference, given how heavily we rely on/expect NAT64 to be available alongside this mechanism.
- [dhcwg] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… Jen Linkova
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk