Re: [dhcwg] lease query question
Kim Kinnear <kkinnear@cisco.com> Wed, 26 February 2003 17:06 UTC
Date: Wed, 26 Feb 2003 12:07:14 -0500
To: Thomas Narten <narten@us.ibm.com>, Kim Kinnear <kkinnear@cisco.com>
From: Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] lease query question
Cc: Ralph Droms <rdroms@cisco.com>, dhcwg@ietf.org

Thomas,

This approach to access control was developed by joint work with the folks building our access concentrators and several of us in the DHCP implementation group. They found that the functionality delivered to actual users was of sufficient value to those users to be worth the cost of engineering this particular solution. We supported them in moving the implementation forward.

The solution was not based on the charter of the DHC working group either then or now -- it was based on a rather pragmatic approach to meeting the needs of users, which it has seemed to do. In my view at least, it fits within the spirit of the DHC WG activities, and was a logical extension of those activities.

It isn't a comprehensive approach to any sort of security (nor was it designed to be such) -- it is a supporting piece of technology to one limited form of access control.

We decided to bring this work to IETF to see if anyone felt it was worthwhile to standardize it, and at the time the sense of the working group was that standardization was appropriate. We did this knowing full well that we would have to re-implement our support after the standardization process was complete, but felt that something this valuable should be standardized and available to all.

I think it is time to ask that question again of the DHC WG -- is there any value to standardizing the leasequery capability? I will do so in a separate email, and we'll see just where this work stands with the other members of the working group.

Kim

At 10:34 AM 2/26/2003, Thomas Narten wrote:
>> Would replacing the current problem statement with this one
>> suggested by Ralph be sufficient to meet (enough of) your
>> concerns to allow the draft to proceed?
>
>Not really.
>
>What we had originally (I had thought) was a relatively simple
>problem, with a relatively simple solution, and one that didn't really
>change DHC in any serious way. The solution seems to have taken on
>feature creep, where the problem got expanded, and the solution got
>expanded. Sure, given any solution, one can go back and rewrite the
>problem statement to make it match the solution. While that is
>certainly necessary to make the document accurate, I have to wonder
>whether the problem statement actually makes sense or is well defined.
>
>> > Router-type devices which want to enforce some level of access
>> > control over which IP addresses are allowed on their links
>> > need to maintain information concerning IP<->MAC/client-id
>> > mappings. One way in which these devices can obtain
>> > information about IP<->MAC/client-id bindings is through "DHCP
>> > gleaning", in which the device extracts useful information
>> > from DHCP messages exchanged between hosts and DHCP
>> > servers.
>
>So far, simple.
>
>> > However, these devices don't typically have stable storage
>> > sufficient to keep this information over reloads. There may
>> > be additional information that is useful to the device that
>> > cannot be obtained through DHCP gleaning. The leasequery
>> > request message described in this document allows a device to
>> > obtain information about IP<->MAC/client-id bindings from a
>> > DHCP server. This information may include currently active
>> > bindings, bindings involving previously assigned addresses for
>> > which the lease on the address has expired and static bindings
>> > for devices that are otherwise configured and not using DHCP
>> > for address assignment.
>
>Note, that above is pretty vague and doesn't say what information the
>access device needs. It's hard to look at the problem statement and
>say "yes, I understand the boundaries of the problem" and then "and
>the solution seems like a good match for the problem".
>
>Popping up a level, how is it even appropriate for the DHC WG to be
>doing work on "access control in router type devices"? One can argue
>that work of this broad a scope is well out-of-scope for this WG
>(e.g., look at the recently approved charter). I'm far from clear that
>work of this scope should be done in DHC or that the problem is well
>enough understood to conclude that DHC lease query is the right
>solution or that any DHC-based solution is the right one. What about
>routers wanting to do access control that don't use DHC, for instance?
>
>And note, I'm not raising these issues just to be a PITA. These are
>questions that I expect that the IESG would ask if I brought the
>document forward. Thus, I need to have reasonable responses to those
>questions. Otherwise, I can predict the likely outcome.
>
>Thomas