IETF Logo Mail Archive

Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07

mohamed.boucadair@orange.com Thu, 09 February 2023 10:33 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: expand-draft-ietf-opsawg-add-encrypted-dns.all@virtual.ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id 0FA1CC14F747; Thu, 9 Feb 2023 02:33:14 -0800 (PST)
X-Original-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 010A3C16B5C9; Thu, 9 Feb 2023 02:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LyeuOm4QFWre; Thu, 9 Feb 2023 02:33:10 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.34]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91047C14F747; Thu, 9 Feb 2023 02:32:07 -0800 (PST)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr26.francetelecom.fr (ESMTP service) with ESMTPS id 4PCCps4mdFz10WP; Thu, 9 Feb 2023 11:32:05 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1675938725; bh=odcHbSzJ75L9N7D0iWfoU/gQwWm84b481gRzns6axB8=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=PC7n3PWcJIK4cdWDYtU6QkXEdsnNLlesLDz6x+HjaR6YX8fWxUP2MTVNaQJJNHT09 P8GK5KtCfKYkAt7q4fIfxTL565gpitblk+sKS8HStXmPNvGzSpxRlzV0Ltblh3QIRT oWeWmhkXiTFQu1ixBbVAiN0LNEe11wvOwQFi4y6AsU70n10mHJQuFYAv/P5IsEqNuO 9igScnKXZuReb8lH7AHDBFpL9b+vLWQ9ajk/E908n46Nl3cJaxEGAGCwoA6t77UTny 0XYwx2by0yCz+PpQh8LAYgK57xWDGd3qG1o/G8J1Xahx1UngX6ZK4z9f0xU7UY2Cq5 stnsOOk8bxZKA==
From: mohamed.boucadair@orange.com
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>, Alan DeKok <aland@deployingradius.com>
CC: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
Thread-Index: AdkTyYf4o5ALslIxNkGdMbqgZJidOgAA5RyACgBS4TAAJNutAAABISNgAAKrcvA=
Content-Class:
Date: Thu, 09 Feb 2023 10:32:05 +0000
Message-ID: <20586_1675938725_63E4CBA5_20586_113_1_6e28bfcfa63b48ee992d2547d18efeea@orange.com>
References: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com> <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com> <BY5PR11MB4196BB5D2805639398D344B5B5D89@BY5PR11MB4196.namprd11.prod.outlook.com> <9291_1675933339_63E4B69B_9291_403_1_66463ab113c04cc88d3446194c92971c@orange.com> <BY5PR11MB4196E25F3A53AC4B4BE7E3E2B5D99@BY5PR11MB4196.namprd11.prod.outlook.com>
In-Reply-To: <BY5PR11MB4196E25F3A53AC4B4BE7E3E2B5D99@BY5PR11MB4196.namprd11.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2023-02-09T10:27:48Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=c9639410-6e70-4e60-8cbe-f23ee9529d03; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.26.50]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Resent-From: alias-bounces@ietf.org
Resent-To: jclarke@cisco.com, rwilton@cisco.com, bevolz@gmail.com, warren@kumari.net, mohamed.boucadair@orange.com, henk.birkholz@sit.fraunhofer.de, kondtir@gmail.com, aland@freeradius.org, dhcwg@ietf.org, zhoutianran@huawei.com
Resent-Message-Id: <20230209103314.0FA1CC14F747@ietfa.amsl.com>
Resent-Date: Thu, 09 Feb 2023 02:33:14 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/2UuH26E5-QEvkpzRPeGXUpS6lSs>
Subject: Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 10:33:14 -0000

Re-,

Thanks Rob for the follow-up. 

A new version with the proposed changes is now online: https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-add-encrypted-dns-09.

Cheers,
Med

> -----Message d'origine-----
> De : Rob Wilton (rwilton) <rwilton@cisco.com>
> Envoyé : jeudi 9 février 2023 11:04
> À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>;
> Alan DeKok <aland@deployingradius.com>
> Cc : draft-ietf-opsawg-add-encrypted-dns.all@ietf.org;
> opsawg@ietf.org
> Objet : RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-
> dns-07
> 
> Hi Med, Alan,
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > Sent: 09 February 2023 09:02
> > To: Rob Wilton (rwilton) <rwilton@cisco.com>; Alan DeKok
> > <aland@deployingradius.com>
> > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org;
> opsawg@ietf.org
> > Subject: RE: [OPSAWG] AD review of
> > draft-ietf-opsawg-add-encrypted-dns-07
> >
> > Hi Rob, all,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Rob Wilton (rwilton) <rwilton@cisco.com> Envoyé :
> mercredi 8
> > > février 2023 20:39 À : Alan DeKok <aland@deployingradius.com>
> Cc :
> > > draft-ietf-opsawg-add-encrypted-dns.all@ietf.org;
> > > opsawg@ietf.org
> > > Objet : RE: [OPSAWG] AD review of draft-ietf-opsawg-add-
> encrypted-
> > > dns-07
> > >
> > > Hi Alan,
> > >
> > > Sorry for the delay.  Please see inline ...
> > >
> > > > -----Original Message-----
> > > > From: Alan DeKok <aland@deployingradius.com>
> > > > Sent: 19 December 2022 17:13
> > > > To: Rob Wilton (rwilton) <rwilton@cisco.com>
> > > > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org;
> > > opsawg@ietf.org
> > > > Subject: Re: [OPSAWG] AD review of
> > > > draft-ietf-opsawg-add-encrypted-dns-07
> > > >
> > > > On Dec 19, 2022, at 11:53 AM, Rob Wilton (rwilton)
> > > > <rwilton=40cisco.com@dmarc.ietf.org> wrote:
> > > > > It isn't really clear to me why some of the registries are
> > > needed,
> > > > > specifically
> > > > the ones in 8.4.1 and 8.4.2.  Why not allow any v4 or v6
> DHCP
> > > > attribute to be carried within the DHCPv6-Options or DHCPv4-
> > > Options field?
> > > >
> > > >   The original intent of the document was to define a
> limited
> > > set of
> > > > DHCP options which could be carried in RADIUS.  i.e. option
> X
> > > would
> > > > map to RADIUS attribute Y.  After some discussion, this was
> > > deemed to
> > > > be unworkable, and changed to the current method.
> > > >
> > > >   The previous limitations were still kept, however.
> > > >
> > > >   While it is useful, I could see issues with allowing any
> DHCP
> > > option
> > > > to be transported in RADIUS.  I'll have to dig deeper to get
> > > into details.
> > > [Rob Wilton (rwilton)]
> > >
> > > Okay.
> > >
> > > >
> > > > >
> > > > > (2) p 4, sec 3.  DHCP Options RADIUS Attributes
> > > > >
> > > > >   Absent any explicit configuration on the DHCP server,
> RADIUS
> > > supplied
> > > > >   data by means of DHCP*-Options Attributes take
> precedence
> > > over any
> > > > >   local configuration.
> > > > >
> > > > > This point may be worth discussing.  Naturally, I would
> > > explicit
> > > > > configuration
> > > > to a network device to generally take precedent over
> implicitly
> > > > learned configuration from the network.
> > > >
> > > >  I'm not sure which options are "implicitly learned" from
> the
> > > network.
> > > > One set is configured in the device, and another is
> configured
> > > on a
> > > > per-user / per- session basis.  This allows for sane
> defaults,
> > > with
> > > > specific over-rides where those are needed.
> > > >
> > > >   If the options configured on the device always take
> precedence
> > > over
> > > > the per- session options (via RADIUS), then there isn't much
> > > point in
> > > > sending per-session options.
> > > [Rob Wilton (rwilton)]
> > > To give a regular configuration example, if you were to enable
> the
> > > Ethernet auto-negotiation protocol but also explicitly
> configure an
> > > 10/100/1000 Ethernet interface to run at 100 Mb/s then I would
> > > expect the explicit client provided configuration to take
> precedence
> > > over negotiating the speed value.
> > >
> > > It sounds like, in what you describe, the configuration is
> > > effectively hierarchical.  I.e., it is really because the
> RADIUS
> > > supplied configuration is more-specific that it takes
> precedence
> > > over the local configuration.  If so, that is expected, but I
> think
> > > that it would be helpful to clarify the description to make
> that
> > > clear.
> > >
> >
> > [Med] OK. We can make this change:
> >
> > OLD:
> >    Absent any explicit configuration on the DHCP server, RADIUS
> >    supplied data by means of DHCP*-Options Attributes take
> precedence
> >    over any local configuration.
> >
> > NEW:
> >    RADIUS supplied data is specific configuration data that is
> >    returned as a function of authentication and authorization
> checks.
> >    As such, absent any explicit configuration on the DHCP
> server, RADIUS
> >    supplied data by means of DHCP*-Options Attributes take
> precedence
> >    over any local configuration.
> [Rob Wilton (rwilton)]
> 
> This is okay, but would probably prefer a slight tweak to the last
> sentence to:
> 
>    RADIUS supplied data is specific configuration data that is
>    returned as a function of authentication and authorization
> checks.
>    As such, absent any explicit configuration on the DHCP server,
> RADIUS
>    supplied data by means of DHCP*-Options Attributes take
> precedence
>    over any less specific or default local configuration.
> 
> But I'll leave this to the authors to decide.
> 
> 
> >
> > >
> > > >
> > > > > (3) p 6, sec 3.2.  DHCPv4-Options Attribute
> > > > >
> > > > >      Permitted DHCPv4 options in the DHCPv4-Options
> Attribute
> > > are
> > > > >      maintained by IANA in the registry created in Section
> > > 8.4.2.
> > > > >
> > > > > Comparing this text to the description for v6, this
> > > description is
> > > > > silent on
> > > > whether multiple instances of the same DHCPv4 option MAY be
> > > included.
> > > > Should that be specified here?
> > > >
> > > >   Likely, yes.  The RADIUS attributes are simply carrying
> DHCP
> > > > options, as if they were in a DHCP packet.  So all of the
> DHCP
> > > rules
> > > > about option handling should apply here.
> > > [Rob Wilton (rwilton)]
> > > Okay.
> > >
> > > >
> > > > >
> > > > > (4) p 10, sec 7.  Table of Attributes
> > > > >
> > > > >   The following table provides a guide as what type of
> RADIUS
> > > packets
> > > > >   that may contain these attributes, and in what quantity.
> > > > >
> > > > > Am I right that this is just a duplication of what is
> > > described in
> > > > > section 3?  If
> > > > so, perhaps change "guide" to "informative guide" and
> include
> > > text to
> > > > refer back to the  canonical definition in section 3.
> > > >
> > > >   Sure.  This table is traditional in RADIUS RFCs, so the
> text
> > > here
> > > > mirrors previous RADIUS RFCs.
> > > [Rob Wilton (rwilton)]
> > > Okay.
> > >
> > >
> > > >
> > > > > (8) p 3, sec 3.  DHCP Options RADIUS Attributes
> > > > >
> > > > >   These attributes use the "Long Extended Type" format in
> > > order to
> > > > >   permit the transport of attributes encapsulating more
> than
> > > 253 octets
> > > > >   of data.  DHCP options that can be included in the
> DHCP*-
> > > Options
> > > > >   RADIUS attributes are limited by the maximum packet size
> of
> > > 4096
> > > > >   bytes.  In order to accommodate deployments with large
> > > options,
> > > > >   implementations are RECOMMENDED to support a packet size
> up
> > > to 65535
> > > > >   bytes.
> > > > >
> > > > > I didn't find this text clear.  E.g., limit is 4k but
> should
> > > support up to 64K.
> > > > Which implementations should support larger packet sizes?
> Is
> > > this RADIUS
> > > > implementations?
> > > >
> > > >   It's a limitation of RADIUS.  Everything RADIUS has to
> support
> > > 4K packets.
> > > > Later RFCs allow for 64K packets.
> > > [Rob Wilton (rwilton)]
> > >
> > > Okay.  If this will be obvious to everyone
> implementing/deploying
> > > RADIUS then fine, otherwise it might be worth including an
> > > informative reference to the RFC that increases the limit to
> 64K.
> > >
> > >
> >
> > [Med] We do already have the following:
> >
> >    Note:  The 4096 bytes size limit was relaxed by other RFCs,
> e.g.,
> >       [RFC7499] and [RFC7930].
> >
> > Do we need to say more? Thanks.
> [Rob Wilton (rwilton)]
> 
> Nope.  I missed that you already state that.
> 
> >
> > >
> > > >
> > > > >
> > > > > (9) p 5, sec 3.1.  DHCPv6-Options Attribute
> > > > >
> > > > >      This field contains a list of DHCPv6 options.
> Multiple
> > > instances
> > > > >      of the same DHCPv6 option MAY be included.
> Consistent
> > > with
> > > > >      Section 17 of [RFC7227], this document does not
> impose
> > > any option
> > > > >      order when multiple options are present.
> > > > >
> > > > > Is there any requirement to merge multiple instances of
> > > options together,
> > > > presumably they are logically just concatenated today.
> > > >
> > > >   The rules for DHCP options processing should apply.
> > > [Rob Wilton (rwilton)]
> > >
> > > Okay.  Should that be stated here, or at least made consistent
> with
> > > the v4 description that has been updated to:
> > >
> > > |      This field contains a list of DHCPv4 options.  Multiple
> > > instances
> > > |      of the same DHCPv4 option MAY be included, especially
> for
> > > |      concatenation-requiring options that exceed the maximum
> > > DHCPv4
> > > |      option size of 255 octets.  The mechanism specified in
> > > [RFC3396]
> > > |      MUST be used for splitting and concatenating the
> instances
> > > of a
> > > |      concatenation-requiring option.
> > >
> >
> > [Med] We can echo the relevant part from 8415 here:
> >
> > OLD:
> >       This field contains a list of DHCPv6 options.  Multiple
> instances
> >       of the same DHCPv6 option MAY be included.  Consistent
> with
> >       Section 17 of [RFC7227], this document does not impose any
> option
> >       order when multiple options are present.
> >
> > NEW:
> >       This field contains a list of DHCPv6 options (Section 21
> of
> >       [RFC8415]).  Multiple instances of the same DHCPv6 option
> MAY be
> >       included.  If an option appears multiple times, each
> instance is
> >       considered separate and the data areas of the options MUST
> NOT be
> >       concatenated or otherwise combined.  Consistent with
> Section 17 of
> >       [RFC7227], this document does not impose any option order
> when
> >       multiple options are present.
> [Rob Wilton (rwilton)]
> 
> Looks good.
> 
> Let me know when you have posted an updated draft.
> 
> Thanks,
> Rob


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email