Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
"Sri Gundavelli (sgundave)" <sgundave@cisco.com> Tue, 08 December 2015 23:53 UTC
Return-Path: <sgundave@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0D281ACEB4; Tue, 8 Dec 2015 15:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKnNaYv6qW4I; Tue, 8 Dec 2015 15:53:09 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C7911ACEB2; Tue, 8 Dec 2015 15:53:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=20953; q=dns/txt; s=iport; t=1449618788; x=1450828388; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=wU85nmjNTWdtYhBDKTmR4jTM6B5I7rtRU/WlZF9B8VU=; b=Enq14dgJW/FOT8KlxfZmTE0rZTubG33G2/DmMlMpVMXYS+xVpIuZ1/Rb i8oMqo2yrQmppvLvzHnqgAMpx3EXoFdtQufZR4TC5zI0CvQhvuYDt+2BN o5ayQmjT4UXsxX/KrsKYpMqXCvKXV7KKbf9Pam+IwYVId6DHFCsyvPpMe Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D/AQCobGdW/4UNJK1UCoJuTFNfDwa7H4IaAQ2BbiGFbQKBNjgUAQEBAQEBAYEKhDUBAQRnEhACAQhGMiUCBA4giBQNvwQBAQEBAQEBAQIBAQEBAQEBAQEBARQEhlSEfYQwEkaEMwWWYQGFLIgPgVuEQ5Jdg3EBHwEBQoIMBR0WgUByAYRngQcBAQE
X-IronPort-AV: E=Sophos; i="5.20,401,1444694400"; d="scan'208,217"; a="51811321"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Dec 2015 23:53:07 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id tB8Nr7Hs018621 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Dec 2015 23:53:07 GMT
Received: from xch-aln-007.cisco.com (173.36.7.17) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 8 Dec 2015 17:53:06 -0600
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1104.009; Tue, 8 Dec 2015 17:53:06 -0600
From: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
To: "Benoit Claise (bclaise)" <bclaise@cisco.com>
Thread-Topic: Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
Thread-Index: AQHRMhOVLt0kOmTzbk+kJn8ayLFZhg==
Date: Tue, 08 Dec 2015 23:53:06 +0000
Message-ID: <D28CA317.1FA673%sgundave@cisco.com>
References: <D28C940C.1FA5DF%sgundave@cisco.com> <D28C9CDC.1FA630%sgundave@cisco.com>
In-Reply-To: <D28C9CDC.1FA630%sgundave@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.8.151023
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.246.210]
Content-Type: multipart/alternative; boundary="_000_D28CA3171FA673sgundaveciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/5Qva3jEn8qab-vVGCVEPgQR63lU>
Cc: "Bernie Volz (volz)" <volz@cisco.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "draft-ietf-dhc-access-network-identifier.shepherd@ietf.org" <draft-ietf-dhc-access-network-identifier.shepherd@ietf.org>, IESG <iesg@ietf.org>, "draft-ietf-dhc-access-network-identifier.ad@ietf.org" <draft-ietf-dhc-access-network-identifier.ad@ietf.org>, "<dhcwg@ietf.org>" <dhcwg@ietf.org>, "draft-ietf-dhc-access-network-identifier@ietf.org" <draft-ietf-dhc-access-network-identifier@ietf.org>
Subject: Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2015 23:53:12 -0000
Hi Benoit, Thank you for your review. Please see inline. Please let us know if you are OK with the suggested text for resolving the issues. I would like to discuss the following point. You define the "Vendor ID" and then the Operator Enterprise ID. Why don't you reuse the RFC 6757 Operator-Identifier? Sri] I believe we made a mistake here. Thanks for catching this. There is just Operator Id and not vendor id. OLD: Vendor ID The Vendor ID is the SMI Network Management Private Enterprise Code of the IANA-maintained Private Enterprise Numbers registry [SMI]. NEW: Operator-Identifier The Operator-Identifier is the Structure of Management Information (SMI) Network Management Private Enterprise Code of the IANA- maintained "Private Enterprise Numbers" registry [SMI<https://tools.ietf.org/html/rfc6757#ref-SMI>]. It identifies the operator running the network attached to a specific interface of the mobile access gateway. OLD: Operator Enterprise ID The operator's Vendor ID (as described in Section 3) is Private Enterprise Number (PEN) [SMI]. NEW: Operator Enterprise ID The operator's Enterprise ID (as described in Section 3) is a Private Enterprise Number (PEN) [SMI]. I'm been confused by the following text and the figure 1, as it doesn't mention the dhcp relay-agents and servers The PMIPv6 extension as specified in [RFC6757] defines PMIPv6 options to carry access network identifiers in PMIPv6 signaling from Mobile Access Gateway (MAG) to LMA. MAG can learn this information from DHCP options as inserted by DHCP Relay agent before MAG. If MAG relays DHCP messages to LMA as specified in [RFC5844] this information can be inserted by MAG towards LMA in the forwarded DHCP messages. Figure 1 illustrates an example Proxy Mobile IPv6 deployment where Access Points (AP) acting as a DHCP relay agent inserts access network identifiers in DHCP messages relayed from the connected clients. The mobile access gateway learns this information over DHCP and delivers the information elements related to the access network to the local mobility anchor over Proxy Mobile IPv6 signaling messages. In this example, the additional information could comprise the SSID of the used IEEE 802.11 network and the identities of the operators running the IEEE 802.11 access network infrastructure. Discussing with Sri and Mark, I discovered my source of confusion. There are two cases, as discussed in https://tools.ietf.org/html/rfc5844#section-3.4: This specification supports the following two DHCP deployment configurations. o DHCP relay agent co-located with the mobile access gateway. o DHCP server co-located in the mobile access gateway. Either the DHCP server is on the LMA, and the MAG just forwards the DHCP message to the LMA. The LMA receives the access network identifiers from DHCP (the MAG just forwards the DHCP message, modified by the AP) Or the DHCP server is on the MAG, and then the PMIPv6 extension carries the access network identifiers to the LMA, learned with DHCP from the AP. However, in the context of WLAN-EPC interworking, the only supported mode is DHCP server collocation on the MAG. Hence the figure 1 focuses on this case. The text and the figure should be improved IMO. [Sri] Sure. We can identify the DHCP Relay function on the AP and the DHCP Server on the MAG. OLD: Figure 1 illustrates an example Proxy Mobile IPv6 deployment where Access Points (AP) acting as a DHCP relay agent inserts access network identifiers in DHCP messages relayed from the connected clients. The mobile access gateway learns this information over DHCP and delivers the information elements related to the access network to the local mobility anchor over Proxy Mobile IPv6 signaling messages. In this example, the additional information could comprise the SSID of the used IEEE 802.11 network and the identities of the operators running the IEEE 802.11 access network infrastructure. NEW: Figure 1 illustrates an example Proxy Mobile IPv6 deployment where Access Points (AP) acting as a DHCP relay agent inserts access network identifiers in DHCP messages relayed from the connected clients. The DHCP Server collocated on the mobile access gateway learns this information over DHCP and delivers the information elements related to the access network to the local mobility anchor over Proxy Mobile IPv6 signaling messages. In this example, the additional information could comprise the SSID of the used IEEE 802.11 network and the identities of the operators running the IEEE 802.11 access network infrastructure. - I agree with Al Morton, in his OPS-DIR review. This draft specifies the optional capability in DHCP to identify access network ID and operator ID for the possible application of policy on operator-specific handling, traffic management, or differentiated services. Often these are carefully planned and controlled networking capabilities, so some form of ID integrity protection would be welcome. Thus, it's worrisome when the authors remind us in the Security Considerations section (9): [Sri] Ok. OLD: DHCP server administrators are strongly advised to configure DHCP servers that use this option to communicate with their relay agents using IPsec, as described in Section 21.1 of [RFC3315]. NEW: DHCP server administrators are strongly advised to configure DHCP servers that use this option to communicate with their relay agents using IPsec security association(s) offering integrity protection, as described in Section 21.1 of [RFC3315]. ...DHCP itself is inherently unsecure and thus link-layer confidentiality and integrity protection should be employed to reduce the risk of disclosure and tampering. maybe s/should/SHOULD/ ? or stronger? Other solutions or explanation welcome. [Sri] Ok. DHCP itself is inherently insecure and thus link-layer confidentiality and integrity protection should be employed to reduce the risk of disclosure and tampering. NEW: DHCP itself is inherently insecure and thus link-layer confidentiality and integrity protection SHOULD be employed to reduce the risk of disclosure and tampering.
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Benoit Claise
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Ben Campbell