Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt
"Bernie Volz (volz)" <volz@cisco.com> Wed, 25 March 2020 18:34 UTC
Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8421E3A0CFB; Wed, 25 Mar 2020 11:34:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=XRn8Hybw; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=BL0zUdHe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d690vzyYx2mz; Wed, 25 Mar 2020 11:34:44 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6369F3A0C2A; Wed, 25 Mar 2020 11:34:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=118836; q=dns/txt; s=iport; t=1585161284; x=1586370884; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=vfuaq8nSXj5LkgF6mnHpOiAb3Xca83OXRlxBtx2Dsb0=; b=XRn8HybwDrtUXRENbwrnkjuquPr3ZkJ3a77JMWmXUU3Gfzqh66Ck02fB haMDczDvOthAW5aVuJnZGss+kIf7xeD3idDh9KJs/Ts6RjKe+bVcQMHat 7RXSMc4noi8WoqOmy4xVlVw3MZhcrrNnvabFnRbLMoayeA1VorfGGf5RM I=;
IronPort-PHdr: 9a23:gahe7BeFDvz0WM5y2DfJ0hvSlGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwKUD57D5adCjOzb++D7VGoM7IzJkUhKcYcEFlcejNkO2QkpAcqLE0r+eeDtaz4SF8VZX1gj9Ha+YgBY
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DjCABGo3te/5pdJa1mHAEBAQEBBwEBEQEEBAEBgXuBJS8kBScFbFggBAsqCoQPg0UDinVOmi+BQoEQA1QKAQEBDAEBJQgCBAEBhEQCF4IRJDgTAgMBAQsBAQUBAQECAQUEbYVWDIVkAgEDEggJChMBASUTDwIBCBImAQkCAgIwFw4CBAEaGoI5TIF+TQMuAQ6jIgKBOYhidYEygn8BAQWFKhiCDAMGgTiMLxqCAIEQAUeBT34+gmQBAQIBgToOAhorgmQygiyNXIE4gWOFeIl6Ko5QdgqCPIdfhVOJc4JMjQKCN4lZjjNegVCHQJJkAgQCBAUCDgEBBYFpIoFYcBUagw0JRxgNgRqNAwwXg1CFFIVBdAIBgSaLPIEyATBfAQE
X-IronPort-AV: E=Sophos;i="5.72,305,1580774400"; d="scan'208,217";a="730584244"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 25 Mar 2020 18:34:42 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 02PIYg1r003686 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 25 Mar 2020 18:34:42 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 25 Mar 2020 13:34:42 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 25 Mar 2020 14:34:40 -0400
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 25 Mar 2020 13:34:40 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fue0vW1lbxSHoL8ElMk5u7gk2MJ4unSJh2xpSrzD93R8OogqC84A2qpyGRRNs7X/J3gzjL6AQMvieZtXLcPhrGX2YZXDc+79P/gsbITuDYgTSISx7OO4O8yGfBXb9jBXFzU6Z+4/xYbj2tWOjShjmy92V/QY27Cd0EVDnXM7OxuLcEF2e6Su2BoFW+CFwlfBMl+2BkL4VgMysXgdxJCGaa06gq/zYCY919MO53a6j5mzTzYkSr5Pfj6F8WnBl93s7vEk1sDr+GhL2QEq1xMUVccKhNbd00OoBY2F3kWcdxShgcC0SkdxkR2vXFEOPbhveZA06rpCHf4ype28fYTaBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vfuaq8nSXj5LkgF6mnHpOiAb3Xca83OXRlxBtx2Dsb0=; b=FHcTR2f8goTs90iroGqppubCrm+LcTk7yW6JFdvOhSi2zfwONfy2HiyzO6GEWsQTqgI6pSf72WTi3YpgQ3xwEbB93CTwMGzbCFir8FAuhEagsAzwnEuP+VKCCwlt7wbEMDXjvg0fmFSAppfiLrwfqGQO/xL+b/k4CZf0/UpDzU/DfghZW87vHWli7aOniYjnxCejOtL7wlt7kWj8K5qNA0vHt84nzf/ZswLJel0nARjWoZ1N4cfImVURk7o82dET4ycvYH2W7ZYOd9l8lupG0HJUe5AytPT2H70JOWoy1cDu2gbSKfAYNr+qrJCXfbt0wOcX4txfM6sGAUzfMqAC6A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vfuaq8nSXj5LkgF6mnHpOiAb3Xca83OXRlxBtx2Dsb0=; b=BL0zUdHergjjQNqEpjAPMqPvef6+djcrZUEWUw5vxYlxdvNtRxucx6V1OJ+1Ln8E/Z6rwHYcqgkyYLV8urKg4vPv3Juyf8Az7sfzUNyVa16udV7fCcj8pCHZLZAOo/m2ICS0q1t9ca8qFZ/yDlPyOeYnMBPT0ntmo098zKzjb/I=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN7PR11MB2612.namprd11.prod.outlook.com (2603:10b6:406:b4::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.22; Wed, 25 Mar 2020 18:34:39 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::29d4:9c08:fa95:c26e]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::29d4:9c08:fa95:c26e%7]) with mapi id 15.20.2835.023; Wed, 25 Mar 2020 18:34:39 +0000
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt
Thread-Index: AQHV98bEC9/aF5Xkw028jQpGj8sRqKhDn3CQgAGc4gD//8IOgIARUXJQgANV7eA=
Date: Wed, 25 Mar 2020 18:34:38 +0000
Message-ID: <BN7PR11MB254754D841622448F49B021ACFCE0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <158346050095.14620.2547383825421375669@ietfa.amsl.com> <CANFmOt=21NNyYom9KtVQ7x5mTE6rR2GAAg8DwAdaptuOWAJLrQ@mail.gmail.com> <BN7PR11MB2547E17639F673343B5210BBCFFC0@BN7PR11MB2547.namprd11.prod.outlook.com> <CANFmOtnWHJzNtw8-aj+Dqgbqh0aeDMVtXcnib0RC4Bpi+OW0eg@mail.gmail.com> <43727BCE-732F-4629-8BCD-EBCDE2507B82@cisco.com> <BN7PR11MB2547273DA5E1D5F39F26629ACFF00@BN7PR11MB2547.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB2547273DA5E1D5F39F26629ACFF00@BN7PR11MB2547.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=volz@cisco.com;
x-originating-ip: [173.38.117.83]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b819043e-672d-4bf4-c607-08d7d0eb2d49
x-ms-traffictypediagnostic: BN7PR11MB2612:
x-microsoft-antispam-prvs: <BN7PR11MB261215C64D892DF28F8AC3E3CFCE0@BN7PR11MB2612.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0353563E2B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(136003)(396003)(376002)(366004)(39860400002)(66476007)(66446008)(66946007)(66556008)(64756008)(52536014)(450100002)(186003)(6506007)(26005)(76116006)(55016002)(66574012)(5660300002)(9686003)(7696005)(30864003)(2906002)(316002)(86362001)(81156014)(81166006)(110136005)(71200400001)(8676002)(33656002)(8936002)(478600001)(559001)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR11MB2612; H:BN7PR11MB2547.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4qQ1vmb36OA3cuqyO4F9PCHhCeGvh0HQw8cVjBBvNOnfc5mpm+aAdo7vNoEvVrUdw8sxgEgTDZhG8H7a0aVW1w3jjuZr/kT8KGI9MNGj/1JgkyP7uumNB8L3Y2efbdDFs4GOH/aXY9mCCA3XFQfh8biLSoxrRd/us/6X+p17J4y0vguPI2X4rWRkEZsduVjP31bHcmQp9puHuf9mCuSlJuSHxgz0AArCqUb8Si4JuX9fVDkYa7A7066DkvoLizThTYh1HqrVfkX3oEkeZw8cpj23uop69W3uyXSTWgmZWZZ+QZ3Td4cNj6ttFouPfbWNz4ze/PTk1Yf1Az56g1us9mvw5nF+ffzPrAd+l8LfvKBBADiXXs9otudmrJOZx3J2WOwGGPA7CF4TZhy9kVXXKEvX2o4iayYOyeIkJVx/gIqQjpRRswphb3xRecR9gtoZO4VAgpL/0GOcqM7wK/3O2JoTQVJsv3efxuuA7mCtrQkuzqjrfhRiKgWtlxk4PZ5QdGmRj9ntsqH81+N/6QRIAA==
x-ms-exchange-antispam-messagedata: UOwL/o23USGo/vqSMNIC8MsHZDs8D4K66l+9rqCKsAtmFFUrrQNWrPYzdqvVsBFFTWfPWP/oEOrLskDAYAuQcRUSD8KtfT9pjO21A4tXdDPaVAJz8pezRVxCY0sUyn/W3yGv+kbQjmNo4x81Yb6/kA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN7PR11MB254754D841622448F49B021ACFCE0BN7PR11MB2547namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: b819043e-672d-4bf4-c607-08d7d0eb2d49
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2020 18:34:38.9877 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 72aMEqLJj/Gg2Z9W1zXVf48kd9EqA+//vI2UnvczyP8pSKrs14wtWUw0Fi+x1OTQ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2612
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.14, xch-rcd-004.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/5SMHYFAbh1H-5TgBj_NViqPGJ4s>
X-Mailman-Approved-At: Wed, 25 Mar 2020 11:37:41 -0700
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 18:34:55 -0000
Hi: I did a more thorough review of the draft and have the following comments. As the draft is fairly short, I’ve decided to copy and paste the bulk of the text here to provide the comments. I do encourage others to read this draft and provide their comments. WARNING: It may not be wise to just Reply (Reply-All) to this message without editing out much of the text below as it is likely a large message and may not go through (without WG chair approval). Abstract Operational experience with DHCPv6 prefix delegation has shown that when the DHCPv6 relay function is not co-located with the DHCPv6 server function, issues such as timer synchronization between the DHCP functional elements, rejection of client's messages by the relay, and other problems have been observed. These problems can result in prefix delegation failing or traffic to/from clients addressed from the delegated prefix being unrouteable. Although - l think that “not being routed” might be better here? [RFC8415<https://tools.ietf.org/html/rfc8415>] mentions this deployment scenario, it does not provide necessary detail on how the relay element should behave when used with PD. - Spell out PD – prefix delegation. Another choice would be to add “ (PD)” after the first occurrence and then used this in the abstract. This document describes functional requirements for a DHCPv6 PD relay - Same issue for PD – see above when used for relaying prefixes delegated by a separate DHCPv6 server. Status of This Memo … 1<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-1>. Introduction For Internet service providers that offer native IPv6 access with prefix delegation to their customers, a common deployment - Perhaps add “ (PD)” here so you can use the term later? Note that RFC8415 never used “PD” by itself. architecture is to have a DHCPv6 relay agent function located in the ISP's Layer-3 customer edge device and separate, centralized DHCPv6 server infrastructure. [RFC8415<https://tools.ietf.org/html/rfc8415>] describes the functionality of a DHCPv6 relay and Section 19.1.3<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-19.1.3> mentions the deployment scenario, but does not provide detail for all of the functional requirements that the relay needs to fulfill to operate deterministically in this deployment scenario. … The behavior defined in [RFC7283<https://tools.ietf.org/html/rfc7283>] is also applicable for DHCv6-PD- relay deployments. - “DHCv6”? And perhaps “DHC[P]v6-PD-relay deployments” is best replaced by “relay deployments”. I think this applies to all relays; even if they are not doing PD. 2<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-2>. Terminology 2.1<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-2.1>. General … Delegating relay A delegating relay acts as an intermediate device, forwarding DHCPv6 messages containing IA_PD/IAPREFIX options between the client and server. The delegating relay does not implement a DHCPv6 server function. The delegating relay is also responsible for routing traffic for the delegated prefixes. Where the term 'relay' is used on its own within this document, it should be understood to be a delegating relay, unless specifically stated otherwise. - I wonder if adding some additional text such as “In CableLabs DOCSIS environments, the Cable Modem Termination System (CMTS) would be considered a delegating relay with respect to Customer Premises Devices (CPEs).” Perhaps could also mention something about Broadband Network Gateway (BNG)? [RFC8415] defines the 'DHCP server', (or 'server') as: "A node that responds to requests from clients. It may or may not be on the same link as the client(s). Depending on its capabilities, if it supports prefix delegation it may also feature the functionality of a delegating router. - Add the closing “ … 3<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-3>. Problems Observed with Existing Delegating Relays Implementations - Replace Relays with Relay in title. The following sections of the document describe problems that have been observed with delegating relay implementations in commercially available devices. 3.1<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-3.1>. DHCP Messages not being Forwarded by the Delegating relay - Upper case R in relay in title Delegating relay implementations have been observed not to forward messages between the client and server. This generally occurs if a client sends a message which is unexpected by the delegating relay. For example, the delegating router already has an active PD lease entry for an existing client on a port. A new client is connected to this port and sends a solicit message. The delegating relay then drops the solicit messages until it receives either a DHCP release message from the original client, or the existing lease times out. This causes a particular problem when a client device needs to be replaced due to a failure. - Use RFC8415 style casing for the message names (Solicit message, Release message) … 3.2<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-3.2>. Delegating Relay Loss of State on Reboot For proper routing of client's traffic, the delegating relay requires - I think just “client traffic” would be fine here. a corresponding routing table entry for each active prefix delegated to a connected client. A delegating router which does not store this state persistently across reboots will not be able to forward traffic to client's delegated leases until the state is re-established through new DHCP messages. 3.3<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-3.3>. Multiple Simultaneous Delegated Prefixes for a Single DUID on a Single Client - Retitle as “Multiple Delegated Prefixes for a Single Client” [RFC8415] allows for a client to include more than one instance of OPTION_IA_PD in messages in order to request multiple prefix delegations by the server. If configured for this, the server supplies one instance of OPTION_IAPREFIX for each received instance - “one (or more)”? There’s no reason there could not be multiple IAPREFIX options for an IA_PD. And, I don’t want someone pointing to this text to only support one. of OPTION_IA_PD, each containing information for a different delegated prefix. In some delegating relay implementations, only a single delegated prefix per-DUID is supported. In those cases only one IPv6 route for only one of the delegated router is installed; meaning that other - second only is not needed. Also shouldn’t “delegated router” be “delegated prefixes”? prefixes delegated to a client are unreachable. 3.4<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-3.4>. Dropping Messages from Devices with Duplicate MAC addresses and DUIDs It is an unfortunate operational reality that client devices with duplicate MAC addresses and/or DUIDs exist and have been deployed. In this situation, the operational costs of locating and swapping out such devices are prohibitive. Delegating relays have been observed to restrict forwarding client messages originating from one client DUID to a single interface. In this case if the same client DUID appears from a second client on another interface while there is already an active lease, messages originating from the second client are dropped causing the second client to be unable to obtain a prefix delegation. - We need to be a bit careful in this section and not sure exactly how to fix it. But in DOCSIS, for Cable Modems, often these restrictions exist to prevent theft of service (as there have been cloned devices). I think this document means the devices behind the CMs (in the case of DOCSIS) and perhaps similar environments. The complexity here is that “delegating relays” are the devices passing DHCPv6 packets and so could be interpreted to include all devices. Perhaps this will require some further discussions. … G-4: The relay MUST allow for multiple prefixes with separate IA_PDs to be delegated to a single client connected to a - I think you should either drop “with separate IA_PDs” or say “with or without separate IA_PDs”. Again, a single IA_PD could contain multiple IAPREFIX options. single interface, identified by its DHCPv6 Client Identifier (DUID). G-5: The relay MUST allow the same client identifier (DUID) to have active delegated prefix leases on more than one interface simultaneously. This is to allow client devices with duplicate DUIDs to function on separate broadcast domains. - See earlier my points in section 3.4; not sure how best to “modify” this item. G-6: The maximum number of simultaneous prefixes delegated to a single client MUST be configurable. G-7: The relay MUST implement a mechanism to limit the maximum number of active prefix delegations on a single port for all client identifiers and IA_PDs. This value SHOULD be configurable. - For G-6 ad G-7, are there some recommendations about what (a) a reasonable number to support is and (b) what the default should be? While it would be great to have this be “unlimited”, likely equipment manufacturers might like some guidance. For example we could say that “While allowing this to be fully configurable, delegating relays should support at least 8 per client device and use this as the default limit.” That’s just an example. G-8: The delegating relay MUST synchronize the lifetimes of active prefix delegation leases with server. - I’m not sure I completely understand what this requirement means. Are you suggesting NTP or similar time synchronization be used? As lifetimes are relative (seconds remaining, not absolute time stamps) in DHCP messages, I’m not sure why NTP would be that critical. As there are 3 places lifetimes would be stored (server, delegating relay, client), unless all of these clocks were synchronized, some drift should be tolerated (i.e., not all clocks will tick at the same rate). 4.2<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-4.2>. Routing Requirements R-1: The relay MUST maintain a local routing table that is dynamically updated with prefixes and the associated next- hops as they are delegated to clients. When a delegated prefix is released or expires, the associated route MUST be removed from the relay's routing table. R-2: The relay MUST provide a mechanism to dynamically update access control lists permitting ingress traffic sourced from clients' delegated prefixes. This is to implement anti- - Probably just “client delegated prefixes” is sufficient? spoofing as described in [BCP38<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#ref-BCP38>]. R-3: The relay MAY provide a mechanism to dynamically advertise delegated prefixes into an routing protocol as they are learnt. When a delegated prefix is released or expires, the delegated route MUST be withdrawn from the routing protocol. The mechanism using which the routes are inserted and deleted - I think “using which” should be “by which” is out of the scope of this document. 4.3<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-4.3>. Service Continuity Requirements … S-2: If a client's next-hop link-local address becomes unreachable (e.g., due to a link-down event on the relevant physical interface), routes for the client's delegated prefixes MUST be retained by the delegating relay unless they are released or removed due to expiring DHCP timers. This is to re- establish routing for the delegated prefix if the client next-hop becomes reachable without the relay needing to be re-learnt. - Should “relay” be replaced by “delegating prefixes”. … 4.4<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-4.4>. Operational Requirements … O-3: To facilitate troubleshooting of operational problems between the delegating relay and other elements, it is RECOMMENDED that the delegating relay's system time is synchronised with the network. - Would adding something like “using NTP [RFC7822] or similar time synchronization protocol”? Perhaps reword as “it is RECOMMENDED that a time synchronization protocol is used by the delegating routers and DHCP servers”? That would avoid the RFC7822 reference. … 7<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-7>. Security Considerations If the delegating relay implements [BCP38<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#ref-BCP38>] filtering, then the filtering rules will need to be dynamically updated as delegated prefixes are leased. [RFC8213] describes a method for securing traffic between the relay - I’m not sure if this is a tools bug, but RFC8213 is not hyperlinked. I suspect it is just a tools issue as this is the only reference to this document. agent and server by sending DHCP messages over an IPSec tunnel. In this case the IPSec tunnel is functionally the server-facing interface and DHCPv6 message snooping can be carried out as described. It is RECOMMENDED that this is implemented by the delegating relay. * Bernie
- [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-rela… internet-drafts
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… ianfarrer
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… ianfarrer
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Timothy Winters
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… otroan
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Timothy Winters
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… otroan
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Timothy Winters
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Timothy Winters
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… ianfarrer
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Timothy Winters
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-… ianfarrer