Re: [dhcwg] recommendation on DHCP6 source port numbers

Bernie Volz <bevolz@gmail.com> Thu, 29 February 2024 20:12 UTC

From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 29 Feb 2024 15:12:31 -0500
Message-Id: <A51674A4-56CB-433F-BC7F-643C959B8DB3@gmail.com>
References: <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com>
Cc: rob@deepdivenetworking.com, dhcwg <dhcwg@ietf.org>
In-Reply-To: <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com>
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/0pwjGzv94NkAAxjtTiBTffZI0tk>
Subject: Re: [dhcwg] recommendation on DHCP6 source port numbers

We’re not starting from scratch - thus if you mandate this, you make existing implementations that are operating non-compliant. And if it cannot be mandated, you cannot rely on it.

Also, DHCP is probably not a protocol that goes through firewalls? Firewalls likely block these ports.

- Bernie (from iPhone)

On Feb 29, 2024, at 2:03 PM, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:


Actually, given that return DHCP messages MUST be sent to their designated destination ports and not the source port used by the originating DHCP message, there is no advantage to using randomized source ports to prevent spoofing. Using randomized source ports only makes firewall traversal for DHCP messages more difficult.

Thanks.

On Thu, Feb 29, 2024 at 12:44 PM rob@deepdivenetworklng.com <rob@deepdivenetworking.com> wrote:
I think we are in the middle of the (no end in sight argument) of: if we make it completely predictable it is easy to monitor and punch holes for firewalls vs if we make it easily predictable it is super easy to exploit. Just look at DNS needing to randomize source ports to combat cache poisoning. I think we don't have to say it “Should” be source and destination port that is forced. People can do that if they choose to given the current text, but we don't paint them into a corner.

Rob



On Feb 29, 2024, at 10:39 AM, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:

If we did, that would ensure DHCP messages will make it through typical stateful firewalls without special rules.

Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.

Clients, servers, and relay agents SHOULD send DHCP messages from their designated destination ports, as this will facilitate firewall traversal for DHCP messages. Nevertheless, DHCP messages MUST be accepted from any UDP (source) port, and regardless of the source port used, return DHCP messages MUST be sent to their designated destination port.

On Thu, Feb 29, 2024 at 12:05 PM Ole Trøan <otroan=40employees.org@dmarc.ietf.org> wrote:
Should we also make it recommended to use the designated port as the source port? With the may to send arbitrary port and a must to accept an arbitrary port?

O. 

On 29 Feb 2024, at 18:51, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:


Ok, it's a little less wordy this time.

Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.

Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port used, DHCP messages MUST be sent to their designated destination ports.

Thanks

On Thu, Feb 29, 2024 at 10:24 AM David Farmer <farmer@umn.edu> wrote:
Would this text clarify things?

Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.

Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port the client uses, the server or relay agent MUST send traffic to the designated destination port of the client. And vice versa, regardless of the source port used by the server or relay agent, the client MUST send traffic to the designated destination port of the server or relay agent.

Thanks

On Thu, Feb 29, 2024 at 10:03 AM Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote:
Bernie,

> DHCPv6 has been successfully deployed and this is the first I recall of this kind of discussion/issue.
> You would likely also invalidate a lot of implementations with such a change, which is not really in line with advancing this to Full Standard.

It’s a lot more important to have the specification clear and unambiguous. I think it has been shown that it isn’t.
Happy with whatever solution there is consensus for, but the ambiguity has to be resolved I think.

O.
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota   
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
=============================================== 





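The firewall-traversal point argued in the thread, modelled as an added Python example (not code from the thread or from any DHCP implementation): a reply is addressed to the peer's designated port whatever source port the request used, and a plain stateful firewall admits the reply only when it is the exact reverse of the recorded outbound flow, so a relay that forwards from an ephemeral source port never gets the server's reply back through. The relay-behind-firewall scenario, the addresses and the firewall model are constructed assumptions.

```python
from dataclasses import dataclass

# Designated DHCPv6 (destination) ports from the thread: clients listen on
# 546, servers and relay agents on 547.
DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547


@dataclass(frozen=True)
class Flow:
    """Addressing of one UDP datagram."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The flow a stateful firewall expects the reply to take.
        return Flow(self.dst, self.dport, self.src, self.sport)


def dhcpv6_reply_flow(request: Flow, peer_is_relay: bool = False) -> Flow:
    """Address a reply as the proposed text requires: accept the request from
    any source port, send the reply to the peer's designated port (never back
    to the request's source port), and send it from our own designated port.
    peer_is_relay stands in for the message-type check a real server does."""
    if request.dport == DHCPV6_CLIENT_PORT:       # we are a client
        peer_port = DHCPV6_SERVER_PORT
    elif request.dport == DHCPV6_SERVER_PORT:     # we are a server or relay
        peer_port = DHCPV6_SERVER_PORT if peer_is_relay else DHCPV6_CLIENT_PORT
    else:
        raise ValueError(f"not a DHCPv6 designated port: {request.dport}")
    return Flow(src=request.dst, sport=request.dport, dst=request.src, dport=peer_port)


class StatefulUdpFirewall:
    """Stateful firewall with no DHCP-specific rules: an outbound datagram
    records its flow; an inbound one passes only as the exact reverse of one."""
    def __init__(self) -> None:
        self._table = set()
    def outbound(self, flow: Flow) -> None:
        self._table.add(flow)
    def inbound_allowed(self, flow: Flow) -> bool:
        return flow.reverse() in self._table


def relay_reply_traverses(relay_sport: int) -> bool:
    """A relay behind the firewall forwards to a server from relay_sport; does
    the server's reply (addressed to port 547) get back in? Constructed addresses."""
    fw = StatefulUdpFirewall()
    forward = Flow("2001:db8:1::1", relay_sport, "2001:db8:2::1", DHCPV6_SERVER_PORT)
    fw.outbound(forward)
    return fw.inbound_allowed(dhcpv6_reply_flow(forward, peer_is_relay=True))
```

Only a source port equal to the designated port (547 here) makes the reply match the firewall's reverse flow; any other source port needs a DHCP-specific rule on the firewall.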