Re: [dhcwg] Pre-determining DUID
Chuck Anderson <cra@WPI.EDU> Sun, 11 October 2009 00:23 UTC
Return-Path: <cra@WPI.EDU>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 662BA3A68D9 for <dhcwg@core3.amsl.com>; Sat, 10 Oct 2009 17:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hj4GpoiZmrsJ for <dhcwg@core3.amsl.com>; Sat, 10 Oct 2009 17:23:38 -0700 (PDT)
Received: from MAIL1.WPI.EDU (MAIL1.WPI.EDU [130.215.36.91]) by core3.amsl.com (Postfix) with ESMTP id 3BD053A688A for <dhcwg@ietf.org>; Sat, 10 Oct 2009 17:23:37 -0700 (PDT)
Received: from SMTP.WPI.EDU (SMTP.WPI.EDU [130.215.36.186]) by MAIL1.WPI.EDU (8.14.4.Beta1/8.14.4.Beta1) with ESMTP id n9B0PODs031274 for <dhcwg@ietf.org>; Sat, 10 Oct 2009 20:25:24 -0400
X-DKIM: Sendmail DKIM Filter v2.8.3 MAIL1.WPI.EDU n9B0PODs031274
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wpi.edu; s=_dkim; t=1255220724; bh=KGTP2+J3ORs0FzBShvJB1XGXFB7jg8+EhRz5bt+an3E=; h=Date:From:To:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Transfer-Encoding:In-Reply-To; b=OEsfsokSGlkiQYBuxydR3Ndjv6wMxhifMRLjp/l5Yt6/juaDpaywArRZ+VNGej5fR dLVBssFb95TjHptBn3HWT2zH8xutT0uSI3AND6Wl0WKa8/O1GuDx3pdgj9ir4I94xp wwRDVjXTvXWoeRkTWvuUvMAt6em8NIpsGDVAT71U=
Received: from angus.ind.WPI.EDU (ANGUS.IND.WPI.EDU [130.215.130.21]) by SMTP.WPI.EDU (8.14.2/8.14.2) with ESMTP id n9B0PN3Z011756 for <dhcwg@ietf.org>; Sat, 10 Oct 2009 20:25:23 -0400 (envelope-from cra@WPI.EDU)
Received: from angus.ind.WPI.EDU (angus.ind.WPI.EDU [127.0.0.1]) by angus.ind.WPI.EDU (8.14.2/8.14.2) with ESMTP id n9B0PNCc027161 for <dhcwg@ietf.org>; Sat, 10 Oct 2009 20:25:23 -0400
Received: (from cra@localhost) by angus.ind.WPI.EDU (8.14.2/8.14.2/Submit) id n9B0PMIV027159 for dhcwg@ietf.org; Sat, 10 Oct 2009 20:25:22 -0400
X-Authentication-Warning: angus.ind.WPI.EDU: cra set sender to cra@WPI.EDU using -f
Date: Sat, 10 Oct 2009 20:25:22 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: dhcwg@ietf.org
Message-ID: <20091011002522.GA26560@angus.ind.WPI.EDU>
Mail-Followup-To: dhcwg@ietf.org
References: <fab4e42a0910091810j71fcabd8h12d992be6d28d320@mail.gmail.com> <FFE5030C-7341-471F-9731-EC069F857A01@nominum.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <FFE5030C-7341-471F-9731-EC069F857A01@nominum.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [dhcwg] Pre-determining DUID
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Oct 2009 00:23:39 -0000
On Sat, Oct 10, 2009 at 03:48:25PM -0700, Ted Lemon wrote: > It seems that you want to use the client id as a token to identify a > particular piece of hardware for some purpose, but you haven't said what > the purpose is. It also seems that you are (perhaps without realizing > it) proposing that we break a bunch of protocol functionality for > everyone in order to solve a problem that is specific to your > application. I don't see how it breaks protocol functionality to provide additionaly information in a DHCP packet in order to identify and classify a client. > Rather than starting out with the solution, could you please clearly > state the problem you are trying to solve? Here are the problems we have that I'm sure many others share: - Identify "known" clients vs. "unknown" clients, and other client classification: We desire to only use a single identifier across IPv4 and IPv6. Current systems and workflows use the MAC address for this purpose, so it is only natural to want to use it for IPv6 as well. I hesitate to use the word "authenticate", but when combined with other switch security features (MAC security, DHCP Snooping, IP Source Guard), the MAC address works great as a way to casually authenticate clients for access to the network and is universally supported, unlike 802.1X. We also need to classify systems to offer different options to different groups of systems. - Stability/semi-permanence of MAC addresses vs. DUIDs MAC addresses only change/move when network hardware changes or moves between machines, which is a rare event, and an obvious one, done either by IT or the machine owner. DUIDs are supposed to be generated at OS-install time and hence be long-lived/unchanging, but they would have to change/move when the OS is reinstalled, hard drives moved around, etc. Also, different OSes or firmwares on the same hardware (think PXE boot) will most likely have differing DUIDs. Finally, given that DUIDs aren't as “permanent” as MAC addresses, it is conceivable that various circumstances (bugs, troubleshooting procedures, uninformed or malicious users, etc.) could cause a DUID to change (think resetting the TCP/IP stack in some OSes). Granted, an advantage to DUIDs is that all network cards in a system will use the same DUID, so we would no longer require separate registrations for each wired card and wireless card in a machine. However, we just trade that for requiring multiple separate DUID registrations for each OS on the machine instead, and requiring registration changes on OS reinstall since the original DUID would be lost at that point. If we continue to use MAC addresses for DHCPv4 while using DUID for DHCPv6, this will cause weird situations due to the different scenarios under which each value changes. Replacing the network card will cause v4 to break, but v6 will still work. Swapping hard drives between two systems will cause the v6 registration to move, but the v4 registration will stay with the original machine. Tracking systems via MAC and via DUID will require two separate systems. Overall, it seems like a very bad idea to go this route. - Locating a system physically on the network, auditing: It is easy to track MAC addresses on the network and find which switch port they are used on at any particular time by looking at the switch forwarding tables. It is therefore easy to associate a client's physical location with the identity of the registrant. This makes automated, captive-portal based registration systems easy to implement and integrate with other security mechanisms such as locking a MAC address down to a switch port. Since we bind a user account to a MAC address when they register the MAC in our system, this allows us to track down that user and associate network activity with the user who registered the system. How do we do the same with DUID? We'd need some kind of new switch feature like DHCPv6-snooping with DUID capturing support. - Detecting when a registration is no longer needed: Similar to above, we can keep track of activity on the network for particular MAC addresses, and purge unused registrations after a period of time. This would become difficult if not impossible if we no longer registered MAC addresses and instead registered DUIDs. We'd rather not require our users to register multiple things (MAC and DUID), and as stated above we can automate the MAC capturing part, but not the DUID capturing part. - Preprovisioning and automated deployment: We want to jot down the MAC address of a machine from the box it came in (without opening the box) and pre-provision the machine on the network so that when it is eventually set up, it can boot up, install itself via PXE, and be associated with the particular pre-provisioned identity on the network. We want to maintain this same identity on the network via IPv4 and IPv6, regardless of how many times the system is reinstalled or booted into multiple operating systems. Right now, one can simply read the MAC address off a machine (on the box or label, or through software) and this value will never change (unless the hardware changes). This can be used to associate that specific hardware to a DHCP Class for PXE booting to a specific server/filename, etc. With DUIDs, the PXE boot firmware will have a different DUID from the OS which will generate a new DUID every time the OS is re-deployed. This implies at the very least that PXE booting will require a separate “registration”, and that the OS will need to be re-registered after each re-deployment. So these are the motivations behind our desire at least to provide the chaddr in the DHCP packet as a way to identify and classify clients. As I said in my other email, we have a working prototype that does exactly this for ISC dhcrelay.
- [dhcwg] Pre-determining DUID Jarrod Johnson
- Re: [dhcwg] Pre-determining DUID Chuck Anderson
- Re: [dhcwg] Pre-determining DUID Ted Lemon
- Re: [dhcwg] Pre-determining DUID Chuck Anderson
- Re: [dhcwg] Pre-determining DUID Tim Chown
- Re: [dhcwg] Pre-determining DUID Bernie Volz (volz)
- Re: [dhcwg] Pre-determining DUID Ted Lemon
- Re: [dhcwg] Pre-determining DUID Bud Millwood
- Re: [dhcwg] Pre-determining DUID Jarrod Johnson
- Re: [dhcwg] Pre-determining DUID Ted Lemon
- Re: [dhcwg] Pre-determining DUID Bud Millwood
- [dhcwg] Pre-determining DUID Jarrod Johnson
- [dhcwg] Bringing DHCPv6 to DHCPv4-feature-complet… David W. Hankins