Re: [dhcwg] Alissa Cooper's No Objection on draft-ietf-dhc-rfc3315bis-10: (with COMMENT)

Tomek Mrugalski <tomasz.mrugalski@gmail.com> Thu, 25 January 2018 03:16 UTC

Return-Path: <tomasz.mrugalski@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291CD12D7EC; Wed, 24 Jan 2018 19:16:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fOUb6vnEA5zy; Wed, 24 Jan 2018 19:16:04 -0800 (PST)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5161289B0; Wed, 24 Jan 2018 19:16:03 -0800 (PST)
Received: by mail-lf0-x22a.google.com with SMTP id q194so7888884lfe.13; Wed, 24 Jan 2018 19:16:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=9HpWEMMWlI7PknGv9xCiYhlsXYWa8KJ6xUxZzov3gjY=; b=Yc1BTSlCVut641LYx1Chck8Qu+FPwW/Uyd9KKGINmkIx+HcxQR8y+jVqmMMeZdAJkg Y6WaQ5xhMD4mom+JBAIf3F3qVXrR024675GJ7iaq9ntMrbVco8mwc2dargg0GCkfH7+E tsw+ymzdo0vKks9sWO1RiBGxrgAqLwaYB/3DLFeEM7RVddiTzaWAZdFJopgzZD+LDYp3 5otLIwkSQH4tcek1WblgadPSm+YVDpuJbJ/ypAR4BSu8ytTO0O2AsJfTc1V8IMAC/igu sIVMhkZrDl6NuulFIFCZC+B2G8JE+ya3ET7mCC2SaAQyvql7q6UCh/oigGUi0SGRCpqK aIcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=9HpWEMMWlI7PknGv9xCiYhlsXYWa8KJ6xUxZzov3gjY=; b=LdHxqlYAFEtTo25LVa73kGI7qe24VEKlafRzitrHi1U8KpCwt1T9e9X0qcxbduut8j rnXtjppqPG02jCF7HhlT23ltQ6XZjr7ZAlGvZfbQ/JpMrZhzVlwPeoMn+RGy4wcdDiRI F8QJd3UR+jrVDr6EatqyN0OKV94cUtRz6UY3BAcULZTaoCKSeu5I6H642k9xvIi70iIh oZPzTQRvZ4VpzNBAa3Exo97gomVXbzrWKcttSOm+tZ9M3fWxnAVVzfeZPX6oKVOZJTcO 5X2+NeoUbPvPnZJy7MWEQFX1oLAeZa2icNeiv9PZRxSGDKtHD1bMz6df7lFhX6DTWH/c voTg==
X-Gm-Message-State: AKwxytdwzyo7JTMUEkGVzJQ2LN1V0eVAjgJhwnk3frUfBch/kd6rvtQT 6juubvaaki2jNuRxf73HwUc79bde
X-Google-Smtp-Source: AH8x225zS9dVK9gneU9FuMOh3x/rXLOhVofpi+/IzMtL9/q9dwBpm8oKB6769+JMa/sxG+DGE8ggqA==
X-Received: by 10.46.124.11 with SMTP id x11mr5088644ljc.99.1516850161517; Wed, 24 Jan 2018 19:16:01 -0800 (PST)
Received: from [192.168.1.100] (109241079151.gdansk.vectranet.pl. [109.241.79.151]) by smtp.googlemail.com with ESMTPSA id d8sm306436lja.54.2018.01.24.19.15.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jan 2018 19:16:00 -0800 (PST)
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Cc: draft-ietf-dhc-rfc3315bis@ietf.org, Ralph Droms <rdroms.ietf@gmail.com>, dhc-chairs@ietf.org, dhcwg@ietf.org
References: <151672300452.14002.12223423833579701386.idtracker@ietfa.amsl.com>
From: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
Message-ID: <11140289-ecf7-c987-bdf9-c1bc0af5a3fe@gmail.com>
Date: Thu, 25 Jan 2018 04:15:57 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <151672300452.14002.12223423833579701386.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/2NF4YHUENJhOwgyKYtnzuVTSNe8>
Subject: Re: [dhcwg] Alissa Cooper's No Objection on draft-ietf-dhc-rfc3315bis-10: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2018 03:16:06 -0000

On 01/23/18 16:56, Alissa Cooper wrote:
> Alissa Cooper has entered the following ballot position for
> draft-ietf-dhc-rfc3315bis-10: No Objection

Alissa,
Thank you for your review and your favourable ballot. See my comments below.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Many thanks to the Gen-ART reviewer for a thorough review. It sounds like the
> authors plan to incorporate edits in response but I wanted to particularly call
> out these bits from his summary with which I agree:
> 
> "I also found that the new document did not do a good job on the interactions
> between relay-agents and servers.  Particularly on the processing of options
> between relays and servers and details of reception of Relay-forward messages a
> little more detail would help naive readers.
Understood. How about adding a new Section 19.4 "Interaction between
relay agents and servers" with the following text. The text is a bit
long, but I believe it covers the topic adequately without going into
too much detail and should be easy enough to follow even by naive readers.

Each time a packet is relayed by a Relay Agent towards a server, a new
encapsulation level is added around the packet. Each relay is allowed to
insert additional options on the encapsulation level it added. If there
are multiple relays between a client and a server, multiple
encapsulations are used. Although it makes packet processing
slightly more complex, it has a big advantage of having clear indication
which relay inserted a given option. The response packet is expected to
travel through the same relays, but in reverse order. Each time a
response packet is relayed, one encapsulation level is removed.

In certain cases relays insert additional options. These options can be
inserted for several reasons. First, relays can insert additional
information about the client or how it is connected. That is usually
more trusted by a server administrator as it comes from a network
infrastructure rather then the client himself and cannot be easily
spoofed. These options can be used by the server to determine its
allocation policy.

Second, relay may need some information to send a response back to the
client. Relay agents are expected to be stateless (not retain any state
after a packet has been processed). Relay agent may include an option,
send it to the server and ask the server to echo the option back in the
response. This option will be then used by the relay agent to send the
response back. The client will never see this option. See RFC4994 for
details.

Third, sometimes a relay is the best device to provide values for
certain options. A relay can insert an option to the client packet being
forward and ask the server to pass that option back to the client. The
client will receive that option. See RFC6422 for details.

Servers may want to retain the relay information after the packet
processing is completed for various reasons. One is a bulk leasequery
mechanism that may ask for all addresses and/or prefixes that were
assigned via specific relay. Second reason is reconfigure mechanism. The
server may chose to not send the Reconfigure message directly to the
client, but rather send it via relays. This particular behavior is
considered an implementation details and is out of scope for this document.

> Finally the draft has not made much of an effort to
> support possible alternative security algorithms - IETF policy now encourages
> protocols to deal with algorithm flexibility  - DHCPv6 as it stands is pretty
> thoroughly wedded to HMAC-MD5 and would need some (relatively small) IANA
> improvements plus some thought to cope with different algorithms."
Although getting an algorithm flexibility would be nice, it was never
the goal of this work. Our understanding was that publishing 3315bis
intends to provide cleaner, easier to read somewhat unified text, but
not introduce any new features. If we added this new feature, we'd soon
be dealing with a flood of new proposals.

It is worth mentioning that our hope was the draft-ietf-dhc-sedhcpv6
draft would move forward and solve algorithm flexibility (among many
other security issues), but sadly our hopes were proven futile. The WG
ran out of steam, is no longer able to move forward and the draft is
pretty much dead.

Thanks again for your review,
Tomek