IETF Logo Mail Archive

Re: [dhcwg] Comments ondraft-ietf-dhc-leasequery-by-remote-id-02.txt

"Woundy, Richard" <Richard_Woundy@cable.comcast.com> Tue, 06 October 2009 16:50 UTC

Return-Path: <richard_woundy@cable.comcast.com>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 385A83A688D for <dhcwg@core3.amsl.com>; Tue, 6 Oct 2009 09:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.473
X-Spam-Level:
X-Spam-Status: No, score=-2.473 tagged_above=-999 required=5 tests=[AWL=-2.010, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKNtFz4tl0Bw for <dhcwg@core3.amsl.com>; Tue, 6 Oct 2009 09:50:21 -0700 (PDT)
Received: from paoakoavas09.cable.comcast.com (paoakoavas09.cable.comcast.com [208.17.35.58]) by core3.amsl.com (Postfix) with ESMTP id ECC593A67E9 for <dhcwg@ietf.org>; Tue, 6 Oct 2009 09:50:18 -0700 (PDT)
Received: from ([10.52.116.30]) by paoakoavas09.cable.comcast.com with ESMTP id KP-NTF18.80083861; Tue, 06 Oct 2009 12:51:07 -0400
Received: from PACDCEXCMB06.cable.comcast.com ([24.40.15.22]) by PAOAKEXCSMTP01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 6 Oct 2009 12:51:08 -0400
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 06 Oct 2009 12:51:07 -0400
Message-ID: <8A82D1BFEDDE7E4597978355239BBBCB3BBF18@PACDCEXCMB06.cable.comcast.com>
In-Reply-To: <31D55C4D55BEED48A4459EB64567589A0F6B2E064A@BLRKECMBX02.ad.infosys.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dhcwg] Comments ondraft-ietf-dhc-leasequery-by-remote-id-02.txt
Thread-Index: AcogKEnENouqd3OKRVuwgUKDk00McQazR6DAAAW8cVABrbWBFAE16TeQ
References: <9195A029-8FEE-4BFB-BF25-10AED953EC88@nominum.com><7221E17E68B1A944ADCE8A83364DBEE61AF2CC92E6@BLRKECMBX01.ad.infosys.com><E2DB14A8-AAA7-4D87-866A-45B83D7F5328@nominum.com><7221E17E68B1A944ADCE8A83364DBEE61AF2CC9B14@BLRKECMBX01.ad.infosys.com><82234DC4-F5C8-4BC6-8D80-39B2643CCA91@nominum.com><7221E17E68B1A944ADCE8A83364DBEE61AFE02D6CA@BLRKECMBX01.ad.infosys.com><83BE11C0-4D56-41D0-BD42-0C24709518FB@nominum.com><20090818172107.GA30340@shell-too.nominum.com><8A82D1BFEDDE7E4597978355239BBBCB2A251B@PACDCEXCMB06.cable.comcast.com>, <8A82D1BFEDDE7E4597978355239BBBCB2A251C@PACDCEXCMB06.cable.comcast.com> <31D55C4D55BEED48A4459EB64567589A0F6B2E064A@BLRKECMBX02.ad.infosys.com>
From: "Woundy, Richard" <Richard_Woundy@cable.comcast.com>
To: Bharat Joshi <bharat_joshi@infosys.com>, Stephen Jacob <Stephen.Jacob@nominum.com>, Damien Neil <Damien.Neil@nominum.com>
X-OriginalArrivalTime: 06 Oct 2009 16:51:08.0674 (UTC) FILETIME=[33D6BE20:01CA46A5]
Cc: DHC-WG WG <dhcwg@ietf.org>
Subject: Re: [dhcwg] Comments ondraft-ietf-dhc-leasequery-by-remote-id-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2009 16:50:22 -0000

>Now after some time, lets assume, that lease for this IP address is
forcibly removed from the DHCP server.

I think you are making an assumption that I am not making.

I see the lease time (option 51) in a leasequery message to be somewhat
like an implicit contract. If the lease is forcibly removed from the
DHCP server, then the contract is broken.

There isn't a lease time in a DHCPLEASEUNASSIGNED or DHCPLEASEUNKNOWN
message, so there isn't a contract. If a subnet is subsequently added to
the DHCP server, then again it doesn't change any contract.

This behavior is important because in the real world, you don't want to
make assumptions about the order of activities. If an IP subnet is added
to a relay agent before it is added to a DHCP server, then it is
possible that a DHCPLEASEUNKNOWN message could be generated by a lease
query from the relay agent. It is desirable that when the IP subnet is
added to the DHCP server, that any cached DHCPLEASEUNKNOWN messages are
purged from the relay agent in a timely manner.

In general, it is better not to persist negative cache entries.

-- Rich

-----Original Message-----
From: dhcwg-bounces@ietf.org [mailto:dhcwg-bounces@ietf.org] On Behalf
Of Bharat Joshi
Sent: Wednesday, September 30, 2009 11:25 PM
To: Woundy, Richard; Stephen Jacob; Damien Neil
Cc: DHC-WG WG
Subject: Re: [dhcwg] Comments
ondraft-ietf-dhc-leasequery-by-remote-id-02.txt

Dear Rich,

       Sorry for a very delayed reply. Please see my response in line.

> And the reason that the DHCPLEASEUNKNOWN negative response is cached
--
> not permanently stored -- is that the state of the DHCP server might
> change in the future, which may not be detectable through DHCP message
> gleaning.

> For example, someone could add an IP subnet to the DHCP server, or
even
> possibly forcibly add an IP lease to the DHCP server.

Ok. We had thought of this and had discussed it among ourselves
[co-authors]. But there are issues with this assumption.

What we think is that a Relay Agent [Access Concentrator] should not
worry about what it can not detect by gleaning DHCP messages. If it
worries about things happening in DHCP server also, a Relay Agent [AC]
would need to keep querying DHCP server even for Active leases. 

Taking cue from your above example, lets assume, an IP lease is first
forcibly added and because of the caching and querying, we later
received a LEASEACTIVE for this IP address. Now after some time, lets
assume, that lease for this IP address is forcibly removed from the DHCP
server. Now as mentioned above, Relay Agent can not detect this by
gleaning DHCP messages as there is no DHCP release for this IP address.
So how will Relay Agent find the new state for this IP address. Only by
periodically checking the state of this IP address. That means it has to
keep querying for all IP addresses for which LEASE is ACTIVE. This will
result in too many unnecessary messages being exchanged between DHCP
server and Relay Agents.

So this is one of the reasons, we decided against the use of periodic
query if a DHCPLEASEUNKNOWN or DHCPLEASEUNASSIGNED is received for a
specific 'Query-by-remote-id'.

Thanks,
Bharat

> -- Rich
> 
> -----Original Message-----
> From: dhcwg-bounces@ietf.org [mailto:dhcwg-bounces@ietf.org] On Behalf
> Of Woundy, Richard
> Sent: Monday, September 21, 2009 6:11 PM
> To: Stephen Jacob; Damien Neil
> Cc: DHC-WG WG
> Subject: Re: [dhcwg] Comments
> ondraft-ietf-dhc-leasequery-by-remote-id-02.txt
> 
> >>I would be interested to learn why the language regarding cacheing
of
> DHCPLEASEUNKNOWN responses was originally included in RFC 4388.
> 
> >I would also like to know that. :)
> 
> I assume you are talking about this text concerning the from section
6.5
> of RFC 4388: "The access concentrator SHOULD cache this information,
but
> only for a relatively short lifetime, approximately 5 minutes."
> 
> This 'negative caching' was added to prevent a denial of service
attack
> on the DHCP server itself. From section 7:
> 
>    Access concentrators SHOULD minimize potential denial of service
>    attacks on the DHCP servers by minimizing the generation of
>    DHCPLEASEQUERY messages.  In particular, the access concentrator
>    SHOULD employ negative caching (i.e., cache DHCPLEASEUNASSIGNED,
>    DHCPLEASEACTIVE, and DHCPLEASEUNKNOWN responses to DHCPLEASEQUERY
>    messages) and ciaddr restriction (i.e., don't send a DHCPLEASEQUERY
>    message with a ciaddr outside of the range of the attached
broadband
>    access networks).  Together, these mechanisms limit the access
>    concentrator to transmitting one DHCPLEASEQUERY message (excluding
>    message retries) per legitimate broadband access network IP address
>    after a reboot event.
> 
> -- Rich
> 
> P.S. Expect a slow response from me, as I'm working on other projects
> lately.
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended
solely 
for the use of the addressee(s). If you are not the intended recipient,
please 
notify the sender by e-mail and delete the original message. Further,
you are not 
to copy, disclose, or distribute this e-mail or its contents to any
other person and 
any such actions are unlawful. This e-mail may contain viruses. Infosys
has taken 
every reasonable precaution to minimize this risk, but is not liable for
any damage 
you may sustain as a result of any virus in this e-mail. You should
carry out your 
own virus checks before opening the e-mail or attachment. Infosys
reserves the 
right to monitor and review the content of all messages sent to or from
this e-mail 
address. Messages sent to or from this e-mail address may be stored on
the 
Infosys e-mail system.
***INFOSYS******** End of Disclaimer ********INFOSYS***
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email