Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Tue, 08 December 2015 23:53 UTC
Return-Path: <sgundave@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0D281ACEB4; Tue, 8 Dec 2015 15:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKnNaYv6qW4I; Tue, 8 Dec 2015 15:53:09 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C7911ACEB2; Tue, 8 Dec 2015 15:53:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=20953; q=dns/txt; s=iport; t=1449618788; x=1450828388; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=wU85nmjNTWdtYhBDKTmR4jTM6B5I7rtRU/WlZF9B8VU=; b=Enq14dgJW/FOT8KlxfZmTE0rZTubG33G2/DmMlMpVMXYS+xVpIuZ1/Rb i8oMqo2yrQmppvLvzHnqgAMpx3EXoFdtQufZR4TC5zI0CvQhvuYDt+2BN o5ayQmjT4UXsxX/KrsKYpMqXCvKXV7KKbf9Pam+IwYVId6DHFCsyvPpMe Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D/AQCobGdW/4UNJK1UCoJuTFNfDwa7H4IaAQ2BbiGFbQKBNjgUAQEBAQEBAYEKhDUBAQRnEhACAQhGMiUCBA4giBQNvwQBAQEBAQEBAQIBAQEBAQEBAQEBARQEhlSEfYQwEkaEMwWWYQGFLIgPgVuEQ5Jdg3EBHwEBQoIMBR0WgUByAYRngQcBAQE
X-IronPort-AV: E=Sophos; i="5.20,401,1444694400"; d="scan'208,217"; a="51811321"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Dec 2015 23:53:07 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id tB8Nr7Hs018621 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Dec 2015 23:53:07 GMT
Received: from xch-aln-007.cisco.com (173.36.7.17) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 8 Dec 2015 17:53:06 -0600
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1104.009; Tue, 8 Dec 2015 17:53:06 -0600
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: "Benoit Claise (bclaise)" <bclaise@cisco.com>
Thread-Topic: Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
Thread-Index: AQHRMhOVLt0kOmTzbk+kJn8ayLFZhg==
Date: Tue, 08 Dec 2015 23:53:06 +0000
Message-ID: <D28CA317.1FA673%sgundave@cisco.com>
References: <D28C940C.1FA5DF%sgundave@cisco.com> <D28C9CDC.1FA630%sgundave@cisco.com>
In-Reply-To: <D28C9CDC.1FA630%sgundave@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.8.151023
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.246.210]
Content-Type: multipart/alternative; boundary="_000_D28CA3171FA673sgundaveciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/5Qva3jEn8qab-vVGCVEPgQR63lU>
Cc: "Bernie Volz (volz)" <volz@cisco.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "draft-ietf-dhc-access-network-identifier.shepherd@ietf.org" <draft-ietf-dhc-access-network-identifier.shepherd@ietf.org>, IESG <iesg@ietf.org>, "draft-ietf-dhc-access-network-identifier.ad@ietf.org" <draft-ietf-dhc-access-network-identifier.ad@ietf.org>, "<dhcwg@ietf.org>" <dhcwg@ietf.org>, "draft-ietf-dhc-access-network-identifier@ietf.org" <draft-ietf-dhc-access-network-identifier@ietf.org>
Subject: Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2015 23:53:12 -0000
Hi Benoit,
Thank you for your review. Please see inline. Please let us know if you are OK with the suggested text for resolving the issues.
I would like to discuss the following point.
You define the "Vendor ID" and then the Operator Enterprise ID. Why don't you reuse the RFC 6757 Operator-Identifier?
Sri] I believe we made a mistake here. Thanks for catching this. There is just Operator Id and not vendor id.
OLD:
Vendor ID
The Vendor ID is the SMI Network Management Private Enterprise
Code of the IANA-maintained Private Enterprise Numbers registry
[SMI].
NEW:
Operator-Identifier
The Operator-Identifier is the Structure of Management Information
(SMI) Network Management Private Enterprise Code of the IANA-
maintained "Private Enterprise Numbers" registry [SMI<https://tools.ietf.org/html/rfc6757#ref-SMI>]. It
identifies the operator running the network attached to a specific
interface of the mobile access gateway.
OLD:
Operator Enterprise ID
The operator's Vendor ID (as described in Section 3) is Private
Enterprise Number (PEN) [SMI].
NEW:
Operator Enterprise ID
The operator's Enterprise ID (as described in Section 3) is a Private
Enterprise Number (PEN) [SMI].
I'm been confused by the following text and the figure 1, as it doesn't mention the dhcp relay-agents and servers
The PMIPv6 extension as specified in [RFC6757] defines PMIPv6 options
to carry access network identifiers in PMIPv6 signaling from Mobile
Access Gateway (MAG) to LMA. MAG can learn this information from
DHCP options as inserted by DHCP Relay agent before MAG. If MAG
relays DHCP messages to LMA as specified in [RFC5844] this
information can be inserted by MAG towards LMA in the forwarded DHCP
messages.
Figure 1 illustrates an example Proxy Mobile IPv6 deployment where
Access Points (AP) acting as a DHCP relay agent inserts access
network identifiers in DHCP messages relayed from the connected
clients. The mobile access gateway learns this information over DHCP
and delivers the information elements related to the access network
to the local mobility anchor over Proxy Mobile IPv6 signaling
messages. In this example, the additional information could comprise
the SSID of the used IEEE 802.11 network and the identities of the
operators running the IEEE 802.11 access network infrastructure.
Discussing with Sri and Mark, I discovered my source of confusion.
There are two cases, as discussed in https://tools.ietf.org/html/rfc5844#section-3.4:
This specification supports the following two DHCP deployment
configurations.
o DHCP relay agent co-located with the mobile access gateway.
o DHCP server co-located in the mobile access gateway.
Either the DHCP server is on the LMA, and the MAG just forwards the DHCP message to the LMA. The LMA receives the
access network identifiers from DHCP (the MAG just forwards the DHCP message, modified by the AP)
Or the DHCP server is on the MAG, and then the PMIPv6 extension carries the access network identifiers to the LMA, learned with DHCP from the AP.
However, in the context of WLAN-EPC interworking, the only supported mode is DHCP server collocation on the MAG. Hence the figure 1 focuses on this case.
The text and the figure should be improved IMO.
[Sri] Sure. We can identify the DHCP Relay function on the AP and the DHCP Server on the MAG.
OLD:
Figure 1 illustrates an example Proxy Mobile IPv6 deployment where
Access Points (AP) acting as a DHCP relay agent inserts access
network identifiers in DHCP messages relayed from the connected
clients. The mobile access gateway learns this information over DHCP
and delivers the information elements related to the access network
to the local mobility anchor over Proxy Mobile IPv6 signaling
messages. In this example, the additional information could comprise
the SSID of the used IEEE 802.11 network and the identities of the
operators running the IEEE 802.11 access network infrastructure.
NEW:
Figure 1 illustrates an example Proxy Mobile IPv6 deployment where
Access Points (AP) acting as a DHCP relay agent inserts access
network identifiers in DHCP messages relayed from the connected
clients. The DHCP Server collocated on the mobile access gateway learns this information over DHCP
and delivers the information elements related to the access network
to the local mobility anchor over Proxy Mobile IPv6 signaling
messages. In this example, the additional information could comprise
the SSID of the used IEEE 802.11 network and the identities of the
operators running the IEEE 802.11 access network infrastructure.
- I agree with Al Morton, in his OPS-DIR review.
This draft specifies the optional capability in DHCP to identify
access network ID and operator ID for the possible application of policy
on operator-specific handling, traffic management, or differentiated
services. Often these are carefully planned and controlled networking
capabilities, so some form of ID integrity protection would be welcome.
Thus, it's worrisome when the authors remind us in the Security
Considerations section (9):
[Sri] Ok.
OLD:
DHCP server administrators are
strongly advised to configure DHCP servers that use this option to
communicate with their relay agents using IPsec, as described in
Section 21.1 of [RFC3315].
NEW:
DHCP server administrators are
strongly advised to configure DHCP servers that use this option to
communicate with their relay agents using IPsec security
association(s) offering integrity protection, as described in
Section 21.1 of [RFC3315].
...DHCP itself is inherently unsecure and
thus link-layer confidentiality and integrity protection should be
employed to reduce the risk of disclosure and tampering.
maybe s/should/SHOULD/ ? or stronger? Other solutions or explanation welcome.
[Sri] Ok.
DHCP itself is inherently insecure and thus link-layer confidentiality and integrity protection should be employed to reduce the risk of disclosure and tampering.
NEW:
DHCP itself is inherently insecure and thus link-layer confidentiality and integrity protection SHOULD be employed to reduce the risk of disclosure and tampering.
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Benoit Claise
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Ben Campbell