Re: [dhcwg] recommendation on DHCP6 source port numbers

Bernie Volz <bevolz@gmail.com> Fri, 01 March 2024 02:08 UTC

From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 29 Feb 2024 21:07:48 -0500
Message-Id: <D64872D8-E3DF-4D18-A389-D7C55061B022@gmail.com>
References: <6B61C919-ED53-4F66-8011-DC6A536EEF67@deepdivenetworking.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, dhcwg <dhcwg@ietf.org>
In-Reply-To: <6B61C919-ED53-4F66-8011-DC6A536EEF67@deepdivenetworking.com>
To: rob@deepdivenetworking.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/7JqGFG8Ut7a6VhEZshUO1s_-8D8>

Perhaps for relay/server interaction see RFC8213? This is controlled communication between known endpoints.

- Bernie (from iPad)

> On Feb 29, 2024, at 8:34 PM, rob@deepdivenetworking.com wrote:
> 
> Michael,
> 
> That's an important distinction that I should have thought about before replying. I was thinking client - server but really it's client - relay and relay - server in 99% of cases…. It also negates my comparison to the cache-poisoning issue. I need a nap apparently. So if we are only making recommendations for client source port to be locked down, I have zero argument with that. Once we get into relay->server then we have to consider those packets could be going anywhere.
> 
> Rob
> 
> Robert Nagy
> - - - - - - - - - -
> Senior Dive Master | Deep Dive Networking Inc
> p: 408.480.5133
> e: rob@deepdivenetworking.com
> www.deepdivenetworking.com
> 
>> On Feb 29, 2024, at 5:03 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>
>>
>>> rob@deepdivenetworklng.com <rob@deepdivenetworking.com> wrote:
>>> David, I can see that argument. But we also didn't think randomized
>>> source ports were going to be important for DNS... I guess I don't see
>>> why we should be declaring what an implementer does on the source port
>> 
>> We expect DNS messages to leave the "enterprise" (site) and get returned to
>> us.  We require it for DNS to work.  It's the whole point.
>> Yes, there was a point in the past where many DNS requests were *from* port-53.
>> 
>> DHCPv6: not so. Just the opposite.
>> OpenWRT actually blocks port 546/547 from being accepted on the wan
>> interface, unless it's LL. (zone_wan_input)
>> If DHCPv6 leaves the local link, it's because there is a DHCP relay configured.
>> 
>> So I feel confident that we will NEVER need clients to port randomized
>> source ports.  We *might* decide that there is some scenario where we want a
>> DHCPv6 *RELAY* to do something like that, but I'll bet we won't do that
>> without a DTLS or IPsec wrapper.
>> 
>> 
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>           Sandelman Software Works Inc, Ottawa and Worldwide
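The ingress policy the thread describes, as an added illustration that is not code from the thread, from OpenWrt or from any RFC: DHCPv6 on UDP 546/547 arriving on a WAN-facing interface is dropped unless its source is link-local, while relay-to-server exchanges (server port on both sides) are accepted only from explicitly configured peers, the "controlled communication between known endpoints" that RFC 8213 protects. Interface names and peer addresses are assumptions constructed for the example.

```python
"""Model of a DHCPv6 ingress filter (constructed example, not a real firewall)."""
import ipaddress
from dataclasses import dataclass

DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface name, e.g. "wan" or "lan" (assumed names)
    src: str     # IPv6 source address
    dst: str     # IPv6 destination address
    sport: int   # UDP source port
    dport: int   # UDP destination port


def dhcpv6_verdict(pkt: Packet, wan_ifaces: set, known_relay_peers: set) -> str:
    """Return "accept" or "drop" for a UDP packet under the thread's policy.

    known_relay_peers: addresses (strings) of relays/servers this host is
    configured to exchange Relay-forward/Relay-reply messages with.
    """
    dhcp_ports = {DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT}
    if pkt.sport not in dhcp_ports and pkt.dport not in dhcp_ports:
        return "accept"  # not DHCPv6; outside this filter's scope
    src = ipaddress.IPv6Address(pkt.src)
    peers = {ipaddress.IPv6Address(p) for p in known_relay_peers}
    # Relay <-> server traffic uses port 547 on both ends and global
    # addresses; only pre-configured endpoints may talk to us this way.
    if pkt.sport == DHCPV6_SERVER_PORT and pkt.dport == DHCPV6_SERVER_PORT:
        return "accept" if src in peers else "drop"
    # Client <-> server/relay traffic never legitimately leaves the link, so
    # on the WAN side only an on-link (link-local) source is acceptable.
    if pkt.iface in wan_ifaces and src not in LINK_LOCAL:
        return "drop"
    return "accept"
```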