Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
Ted Lemon <mellon@fugue.com> Sat, 13 August 2022 14:14 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECA55C15C503 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcG1AdF5zPnO for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:14:51 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04DC6C157B37 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:14:50 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id h4so2689465qtj.11 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:14:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=6B3ToHp4jFhj4H4phazRlC/dm8/QwxIuOKSUAcogBSQ=; b=cuC2C16VvJ0AZeaZHq+hIwYDNRdejo30B26Y5m9XrPVtmwxIQlznetiwIaOPm80puq 8nej4T37FIEhgJBmGVemupRTuigHXRq3tXUqARMiSMgqviXqB1ZApXlo4TeN4NWBPi74 eNeNZ8nkITSQA/+1z3PexMA7Y/+++cpq83kG5rjThqDBn6fEUZl4AUivWhX7kfHSa7Sn C/QdT+3YClPmno0Y91hyr6MfEIX/qxXIqZO2+VKCRTR1ti6WrbuNDLZ7JnbG/acxs/N1 CwAV5YtHsDoo+11HvulfhM9JVroPQ1d9MlJwni3a8IPxMfKletilKRNWueGWD82SDh03 X7HA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=6B3ToHp4jFhj4H4phazRlC/dm8/QwxIuOKSUAcogBSQ=; b=oV37PxfhXfz5+n0y44S+7XqidPioLcl3OMSaJlOL5cuarscHAtQxXGie3mon18QlS8 ZGkuEto/9FdgobAmXoIQy7gJF+7cHDtZWHYvluG5lZOblMgBSyJ9SlofyTTndgfeZWFY eeXnmKoYcct/wiyyLclLcJqTs1q2jGK6+z7/F+JieRcJoR9Yj2pL3oxLhxotjLXwUfjl O2/CwIsVyZCE0b0TErDo3MMzAuTQKqzyBX7wjNgjElw8qo1PgVV4+IYM9NjBkiP0Bbew 8qWfIq3dqneMb+jCxNFU1MwUqPKX5iz0e0cJSjuMDZpooycHGxkabY5jBlY0bsjSElkN 7TEQ==
X-Gm-Message-State: ACgBeo3owixyzWkoByUzYCQ77R5vXnsu0gSbGTfsF2t+e5seynKavwx4 mZGyZombQb4bkxJqkCNEHxrEeMidARAILg==
X-Google-Smtp-Source: AA6agR6iPNB++deVNpd5uB37oEyxRmPIQBqL2I10dExAmpfRC6u8oHKH9qHZh/zNScq2ACLb/uwlFQ==
X-Received: by 2002:a05:622a:148:b0:31f:1a18:7ee9 with SMTP id v8-20020a05622a014800b0031f1a187ee9mr7273353qtw.363.1660400087757; Sat, 13 Aug 2022 07:14:47 -0700 (PDT)
Received: from smtpclient.apple ([2601:18b:300:3380:755d:42f7:429a:7771]) by smtp.gmail.com with ESMTPSA id h5-20020a05620a400500b006b615cd8c13sm3721077qko.106.2022.08.13.07.14.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 07:14:46 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-D9066825-D5D2-49A1-A932-29FF1E34459A"
Content-Transfer-Encoding: 7bit
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Aug 2022 10:14:45 -0400
Message-Id: <DE568FDD-FF15-4F46-BF42-BF1F471890D1@fugue.com>
References: <66A9F135-F1AC-45DE-8981-78F4959689A9@gmail.com>
Cc: Michael Richardson <mcr@sandelman.ca>, dhcwg@ietf.org
In-Reply-To: <66A9F135-F1AC-45DE-8981-78F4959689A9@gmail.com>
To: Bernie Volz <bevolz@gmail.com>
X-Mailer: iPad Mail (19F77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/3bHbVNmnnP7QsFo5H7tRV9v4ub0>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 14:14:56 -0000
If a client wants to do DNS registration, the DNSSD service registration protocol might be a good option: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/ As to why not use DHCPv6 IA_NA, the answer is that this allows the DHCP server to control the client’s address, whereas registering the address doesn’t give the DHCP server that sort of control. This is a significant difference, and is why a client implementation might choose to include registration, but not IA_NA allocation. Sent from my iPad > On Aug 13, 2022, at 7:43 AM, Bernie Volz <bevolz@gmail.com> wrote: > > > These are great points Michael. > > For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues. > > If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between? > > - Bernie Volz > >>> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote: >>> >> >> This document seems to require many changes to many systems. >> Do I hear that Google is willing to do this for Android? >> I am very enthusiastic about having better information. >> >> It works only if all the devices implement it, it's not that useful until all >> the devices do it. Until that happens, then it's completely useless to the >> helpdesk. >> It requires updates to DHCPv6 server, assuming that there is one, which if >> you are using SLAAC... you probably don't even have one. >> It does not require updates to the core routers, which is the only >> interesting part. {But, in homes and small offices, and remotely supported >> small offices with a b2b ISP..., that's all the same openwrt box.} >> >> It seems that if one already had an SNMP or YANG/NETCONF feed from the >> routers for the Neighbor Entry Cache, that feeding that into the "database" >> would be good. >> >> Warren eventually says that he thinks this would be *more* complicated, and I >> read his slide 10.... and come-on. You hacked up something that needs to be >> clearly coded correctly in the router. Yes, it's chatty, but it doesn't need >> to tell about every state transition. >> BUT, even if it did, who cares if you can't read it scrolling on your screen. >> That's what the networking monitoring system is for. Actually, I think you >> just proved how easily this could be done even without code changes to the routers. >> >> So, I don't think that I agree at all. The best part about linking it to the NCE >> is that if the NCE is bad, overwhelmed or has been forged, then the client >> machine probably doesn't get connectivity anyway. There is some fate sharing here. >> >> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay >> path. This is very much akin to the Accounting records that radius sends. >> Doing it this way links the v6 address more directly to the MAC address, >> while not requiring the host to actually know what it is doing. >> >> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security >> mechanisms they already have, but I'm not really sure how this should involve >> the client system. >> >> And...if I was going to upload all the source code, the first thing I'd do is send >> one of these messages saying that I'm either the CEO, or the new hire, and then do it. >> >> -- >> Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) >> Sandelman Software Works Inc, Ottawa and Worldwide >> _______________________________________________ >> dhcwg mailing list >> dhcwg@ietf.org >> https://www.ietf.org/mailman/listinfo/dhcwg > > _______________________________________________ > dhcwg mailing list > dhcwg@ietf.org > https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-wkumari-dhc-addr-notification and t… Michael Richardson
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Ted Lemon
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Ted Lemon
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Lorenzo Colitti
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Ms. Li HUANG
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Michael Richardson
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… David Farmer