IETF Logo Mail Archive

Re: [dhcwg] DHCPv6 RAAN options

"Bernie Volz (volz)" <volz@cisco.com> Fri, 15 August 2014 20:13 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8CBE1A02F9 for <dhcwg@ietfa.amsl.com>; Fri, 15 Aug 2014 13:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.169
X-Spam-Level:
X-Spam-Status: No, score=-15.169 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jIC7naWgH-Tf for <dhcwg@ietfa.amsl.com>; Fri, 15 Aug 2014 13:13:38 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 317741A03CA for <dhcwg@ietf.org>; Fri, 15 Aug 2014 13:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4266; q=dns/txt; s=iport; t=1408133609; x=1409343209; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=JXEPhGRbdvhvBZRou5g8YGxv/ES8B4HC+3XGdEnjhys=; b=DxQRswACs+GJzKqXqVwj1d1MgU7qvxP+Subx0u4HroYNGY1aSebjA3f9 XTxzcN+LF8Js0KsShGyAZWNoLr56Hypzo9cX8UsDVGy68Cl57P+eLnvyy UBywxPbYVLxUfV699K0L7+Md/pMjnd/g2HhkaRkGq0ONxNYMApkbr4+cH 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFACVp7lOtJV2T/2dsb2JhbABZgw1TW84ECodYAYETFneEAwEBAQQBAQE3NAsMBAIBCBEEAQEBCgsJCQcnCxQJCAIEAQ0FCBOIJw3DaReOfgUYBisHAgQEgyWBHQWBWI9IhCaITpMng1xsAYEGAR4GHIEHAQEB
X-IronPort-AV: E=Sophos;i="5.01,873,1400025600"; d="scan'208";a="347939797"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-4.cisco.com with ESMTP; 15 Aug 2014 20:13:28 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com [173.37.183.81]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id s7FKDS5P001320 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 15 Aug 2014 20:13:28 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.173]) by xhc-rcd-x07.cisco.com ([173.37.183.81]) with mapi id 14.03.0195.001; Fri, 15 Aug 2014 15:13:28 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>, Ted Lemon <ted.lemon@nominum.com>
Thread-Topic: [dhcwg] DHCPv6 RAAN options
Thread-Index: Ac+yf+stS7sJIaihTkKQdnTDfuT8QwALYBYAAACH5gAAAE+4gAAAlg4AAAApuQAAAESMAAAA0J4AAAEhrQAAISM8AAAAUOmAAAI4CYAAAFXUgAAAUwAAAABOYQAAAE3JAAAAgokAAVw1aYA=
Date: Fri, 15 Aug 2014 20:13:27 +0000
Message-ID: <489D13FBFA9B3E41812EA89F188F018E1B6568D8@xmb-rcd-x04.cisco.com>
References: <2134F8430051B64F815C691A62D9831832CECA61@XCH-BLV-504.nw.nos.boeing.com> <83E91E35-3F30-4659-B4AE-58DD11E74DB6@nominum.com> <2134F8430051B64F815C691A62D9831832CECB68@XCH-BLV-504.nw.nos.boeing.com> <075FB3EE-EA09-4CBD-AFE9-CF14E77ED007@nominum.com> <2134F8430051B64F815C691A62D9831832CECBF5@XCH-BLV-504.nw.nos.boeing.com> <9C369D15-88ED-4E1E-8138-A538760C6FDE@nominum.com> <2134F8430051B64F815C691A62D9831832CECC7B@XCH-BLV-504.nw.nos.boeing.com> <2134F8430051B64F815C691A62D9831832CECD1A@XCH-BLV-504.nw.nos.boeing.com> <35F4F6CF-7CBC-4935-9E9F-2EC946D7EBB7@nominum.com> <2134F8430051B64F815C691A62D9831832CED2CD@XCH-BLV-504.nw.nos.boeing.com> <65C2A9BF-B153-4BD0-89EF-6D7D8FE459B3@nominum.com> <E5A9495C-DC3F-4CA3-8448-F6F510DA587E@gmail.com> <2134F8430051B64F815C691A62D9831832CED559@XCH-BLV-504.nw.nos.boeing.com> <DA0A1AF1-9E75-4509-A14F-8E0161F409BF@nominum.com> <2134F8430051B64F815C691A62D9831832CED5E7@XCH-BLV-504.nw.nos.boeing.com> <F14EC75C-D91C-47F5-A988-4E33A22D35A7@nominum.com> <2134F8430051B64F815C691A62D9831832CED674@XCH-BLV-504.nw.nos.boeing.com>
In-Reply-To: <2134F8430051B64F815C691A62D9831832CED674@XCH-BLV-504.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.86.241.204]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/5pLktk00Nix_yfyeny0o1gA-tmA
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, Ralph Droms <rdroms.ietf@gmail.com>
Subject: Re: [dhcwg] DHCPv6 RAAN options
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 20:13:50 -0000

Fred:

How about a 3rd option ...

Perhaps you should look at the Active Leasequery work as that might be a better option for the Relay tracking what the server has?

See http://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-active-leasequery.


One issue for RAAN and even Relay gleaming the Reply is that the Reply message might be lost and never get to the Relay. The client may not retry (or all Releases suffer from this issue) - it is suggested that the client retry, not a requirement.

   Because Release messages may be lost, the client should retransmit
   the Release if no Reply is received.  However, there are scenarios
   where the client may not wish to wait for the normal retransmission
   timeout before giving up (e.g., on power down).

(I guess we could argue here that 3315 should say "Because Release or Reply messages may be lost ...". Perhaps another 3315bis item if we haven't caught this already? No, at least not as of the bis 02 document.)

On the other hand, I'm also not sure how serious this issue is. The Relay is probably keeping some state about what addresses/prefixes are in use by what clients. So, when a Release is received, it can at least validate that the client has this lease and remove it. If a rouge client did the Release, what happens? I guess that depends on what the Relay is doing with this information. If the Relay is also acting as a router or network traffic cop, such as in DOCSIS CMTS, when a unknown addresses is seen, the Relay does a Leasequery to the server to ask it who is using this address. If it gets back information, it updates it state tables and all is well. (Note that PD leases can be recovered - as the Leasequery will return the PD lease containing the address). The only bad thing when the Relay removes the lease early is that if it was injecting the PD into the routing table, that would obviously stop and potentially be a problem.

Note that Bulk LQ might also be needed by the Relay to recover state if the relay loses stable storage? Hence, using Active LQ may not be such a stretch to avoid these security holes.

- Bernie

-----Original Message-----
From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Templin, Fred L
Sent: Friday, August 08, 2014 12:48 PM
To: Ted Lemon
Cc: dhcwg@ietf.org; Ralph Droms
Subject: Re: [dhcwg] DHCPv6 RAAN options

Hi Ted,

> -----Original Message-----
> From: Ted Lemon [mailto:ted.lemon@nominum.com]
> Sent: Friday, August 08, 2014 9:34 AM
> To: Templin, Fred L
> Cc: Ralph Droms; dhcwg@ietf.org
> Subject: Re: [dhcwg] DHCPv6 RAAN options
> 
> On Aug 8, 2014, at 12:24 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> > It is a link-layer consideration that occurs below the IPv6 layer.
> > So, yes it is DHCPv6 over a specific link layer.
> 
> Right, I don't think this makes sense as an Internet standard unless 
> there's some broad applicability, in which case that would have to be documented as a DHCP extension first.
> 
> > If that is still troubling, then please also consider the case of a 
> > link that is physically constrained to have only a single
> > DHCPv6 relay.
> 
> A special extension to DHCP just to account for this use case seems like the wrong approach when you
> consider the general applicability of the DHCP protocol.   ISTM that either solution we've talked
> about would work for you as a private hack, but the question is which 
> one (if any) makes sense as a standard extension to DHCP.

Just so we can be clear on the alternatives, the first one we talked about was to ask the server to include in its Reply message any IAs that were released as a result of the client's Release message and with lifetimes set to 0. The second alternative was to resurrect RAAN options somehow.

If I am understanding this correctly, then the RAAN option provides a convenient way of relay agent gleaning. But, option 1 would still allow for a slightly less convenient means for gleaning.

Thanks - Fred
fred.l.templin@boeing.com

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email