Re: [dhcwg] Spencer Dawkins' No Objection on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with COMMENT)
Kim Kinnear <kkinnear@cisco.com> Thu, 01 October 2015 15:20 UTC
Return-Path: <kkinnear@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C8E71B2A06; Thu, 1 Oct 2015 08:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GuX5qAe9UubE; Thu, 1 Oct 2015 08:20:53 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 370C41B2A04; Thu, 1 Oct 2015 08:20:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7636; q=dns/txt; s=iport; t=1443712853; x=1444922453; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=dF8OK3psZMCncR9xGrH+EIXWHCtm4tg5BpPw/4OsTAg=; b=iuOeNzLN8+YwDr35KKt/6rEhK2Kiq/eA9tadISgGQHzw8YcEFdPq7bZo 1wrC8ncONggtw+jKrg7Y1GrG7xPJTGcDD2ZtMO0HdhkjZerdD2N2OLBUQ nvbnkF+0tKKTiVqKX2+d3k9CQvpqOwkN4+9+oP1RvC2grDRAYiijeHQvb k=;
X-IronPort-AV: E=Sophos;i="5.17,618,1437436800"; d="scan'208";a="611959171"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP; 01 Oct 2015 15:20:51 +0000
Received: from dhcp-10-131-65-126.cisco.com (dhcp-10-131-65-126.cisco.com [10.131.65.126]) (authenticated bits=0) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id t91FKlrR026906 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 1 Oct 2015 15:20:49 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Kim Kinnear <kkinnear@cisco.com>
In-Reply-To: <20150930194313.3703.1816.idtracker@ietfa.amsl.com>
Date: Thu, 01 Oct 2015 11:20:47 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <3586AEAE-0A11-4730-85EE-806653FCC802@cisco.com>
References: <20150930194313.3703.1816.idtracker@ietfa.amsl.com>
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
X-Authenticated-User: kkinnear
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/53c37onQRsL3R1Aq495_tzKwRck>
Cc: dhcwg@ietf.org, The IESG <iesg@ietf.org>, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Spencer Dawkins' No Objection on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2015 15:20:55 -0000
Spencer, Thank you for reviewing the draft. My comments are in-line, below... On Sep 30, 2015, at 3:43 PM, Spencer Dawkins <spencerdawkins.ietf@gmail.com> wrote: > Spencer Dawkins has entered the following ballot position for > draft-ietf-dhc-dhcpv4-active-leasequery-06: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv4-active-leasequery/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for including a lot of TCP-awareness in this specification. > > I had a few questions, but nothing at Discuss level. If you have > questions about my questions, please ask, of course. > > In this text, > > A requestor attempts to establish a TCP connection to a DHCPv4 Server > in order to initiate a Leasequery exchange. If the attempt fails, > the Requestor MAY retry. > > you might want to give some guidance about reasonable intervals to wait > before retrying, randomizing retry intervals, and/or backing off retry > intervals to some conservative maximum value. This isn't a > general-purpose client-server protocol, and you understand the use case > better than I do (and I wouldn't try to offer defaults), so please just > consider whether this would be helpful. Both you and Ben Campbell seem to think this is important. I will add: "Retries SHOULD NOT be more frequent than one every ACTIVE_LQ_IDLE_TIMEOUT (Section 5.3)." > > In this text, > > In any of the first three possibilities, the DHCPv4 server can be > assumed to not support TLS. In this case, the requestor MUST close > the connection. > > is the assumption that all three possibilities would happen again if you > retried the attempt with the same server? I wondered especially about the > second possibility (server side TCP connection close, as a possible > load-shedding strategy to reject a connection request that might work at > another time). Wow, good question. I think that all three would happen again if you retried the attempt. I believe that load-shedding would reject the TCP connection altogether, or it would reject the ACTIVELEASEQUERY message. I don't see that rejecting the TLS connection would buy anyone anything. I'll put a sentence in Section 8.1 saying: "If a connection is to be rejected because of a limitation of the number of open connections, the TCP connection itself should be rejected, or the ACTIVELEASEQUERY message should be rejected. Capacity related rejections SHOULD NOT affect the response to the DHCPTLS message." > > In this text, > > The Requestor attempts to read a DHCPv4 leasequery reply message from > the TCP connection. If the stream of replies becomes blocked, the > Requestor SHOULD terminate the connection after > ACTIVE_LQ_RCV_TIMEOUT, and MAY begin retry processing if configured > to do so. > > I'm not sure what "becomes blocked" means from the Requestor's > perspective. I'm guessing the following paragraph, describing interaction > with DHCPLEASEQUERYSTATUS, is the clue I'm missing, but if so, reversing > the order of the paragraphs, and tying that more tightly ("becomes > blocked, with no DHCPLEASEQUERYSTATUS messaging", or whatever the clue > I'm missing is), would likely be clearer. I'll switch the paragraphs. > > I have pretty much the same question about the corresponding text for the > server side in 8.1, > > If the TCP connection becomes blocked while the server is accepting a > connection or reading a query, it SHOULD terminate the connection > after a BULK_LQ_DATA_TIMEOUT. We make this recommendation to allow > servers to control the period of time they are willing to wait before > abandoning an inactive connection, independent of the TCP > implementations they may be using. > > and in 8.2, > > If the connection becomes blocked while the server is attempting to > send reply messages, the server SHOULD terminate the TCP connection > after ACTIVE_LQ_SEND_TIMEOUT. This timeout governs how long the > DHCPv4 server is prepared to wait for the requestor to read and > process enough information to unblock the TCP connection. The > default is two minutes, which means that if more than two minutes > goes by without the requestor reading enough information to unblock > the TCP connection, the DHCPv4 server SHOULD close the TCP > connection. This is all about the requestor not being able to process replies quickly enough, and the server getting backed up and backed up waiting to send messages. It won't wait forever, and that is what these paragraphs are about. I'm not sure exactly what the concern is about these paragraphs, so I'm not sure just what to do about it. > > This text > > 8.3. Multiple or Parallel Queries > > Every Active Leasequery request MUST be made on a single TCP > connection where there is no other request active at the time the > request is made. Note that this is different than what was allowed > in [RFC6926] section 7.7 for Bulk Leasequery requests. > > and the following two paragraphs are good, but I didn't see any > corresponding description of whether parallel queries were allowed on a > single TCP connection in Section 7, for Requestor behavior, and the > Requestor would be the entity that does this wrong, wouldn't it? Or did I > miss it? You are correct. We used to allow parallel queries, but one of the reviews had us remove it. In removing it, we probably didn't say that you couldn't do it from the requestor's standpoint. I'll add the sentence below to Section 7.1, General Processing for the Requestor: "Only one ACTIVELEASEQUERY is allowed on any one TCP connection at a time. Parallel ACTIVELEASEQUERY requests on the same TCP connection are not allowed." > > I've seen some use cases described in IESG evaluation e-mail that sounds > like the Requestor and DHCPv4 server are close enough for a human to > touch both at the same time, but Kathleen commented that some ISPs > provide DHCP service to customer edge routers. Is it worth saying > anything about firewalls and NATs treating TCP differently? Or would even > those cases be part of a trusted network path, so no firewalls or NATs? I expect that if someone does DHCP at a customer edge routers that they have built a trusted path to get there. Possibly not, though. I don't know enough about the common aspects of such deployments (assuming that such common aspects even exist) to create useful guidance in this draft. It would be easy to make assumptions that don't hold in many cases, resulting in more confusion than enlightenment. I'm going to remain silent on this issue. Thanks much -- Kim > > > _______________________________________________ > dhcwg mailing list > dhcwg@ietf.org > https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Spencer Dawkins' No Objection on draft-ie… Spencer Dawkins
- Re: [dhcwg] Spencer Dawkins' No Objection on draf… Kim Kinnear
- Re: [dhcwg] Spencer Dawkins' No Objection on draf… Spencer Dawkins at IETF
- Re: [dhcwg] Spencer Dawkins' No Objection on draf… Kim Kinnear