IETF Logo Mail Archive

RE: [dhcwg] Renumbering Requirements for Stateless DHCPv6

Changming Liu <cliu@netscreen.com> Tue, 02 March 2004 22:20 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04670 for <dhcwg-archive@odin.ietf.org>; Tue, 2 Mar 2004 17:20:34 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AyIFD-0000u3-MK for dhcwg-archive@odin.ietf.org; Tue, 02 Mar 2004 17:20:08 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i22MK78x003430 for dhcwg-archive@odin.ietf.org; Tue, 2 Mar 2004 17:20:07 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AyIFA-0000t7-GN for dhcwg-web-archive@optimus.ietf.org; Tue, 02 Mar 2004 17:20:04 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04649 for <dhcwg-web-archive@ietf.org>; Tue, 2 Mar 2004 17:20:00 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AyIF7-0000yk-00 for dhcwg-web-archive@ietf.org; Tue, 02 Mar 2004 17:20:01 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AyIEJ-0000oP-00 for dhcwg-web-archive@ietf.org; Tue, 02 Mar 2004 17:19:12 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1AyIDD-0000X1-00 for dhcwg-web-archive@ietf.org; Tue, 02 Mar 2004 17:18:03 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AyIDB-0000Zd-14; Tue, 02 Mar 2004 17:18:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AyICc-0000V1-OH for dhcwg@optimus.ietf.org; Tue, 02 Mar 2004 17:17:26 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04235 for <dhcwg@ietf.org>; Tue, 2 Mar 2004 17:17:23 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AyICa-0000NU-00 for dhcwg@ietf.org; Tue, 02 Mar 2004 17:17:24 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AyIB7-00009F-00 for dhcwg@ietf.org; Tue, 02 Mar 2004 17:15:53 -0500
Received: from [63.126.135.18] (helo=mail2.netscreen.com) by ietf-mx with esmtp (Exim 4.12) id 1AyIAB-0007iA-00 for dhcwg@ietf.org; Tue, 02 Mar 2004 17:14:55 -0500
Received: from ns-ca.netscreen.com (ns-ca-local [10.100.3.35]) by mail2.netscreen.com (Switch-3.1.3/Switch-3.1.0) with ESMTP id i22MDw9u016986; Tue, 2 Mar 2004 14:14:10 -0800 (PST)
Received: by NS-CA with Internet Mail Service (5.5.2653.19) id <FV1JRYC5>; Tue, 2 Mar 2004 14:13:58 -0800
Message-ID: <1B6D4CAFB8CA554EB1A0925685A07DFC0342C682@MONTEREY.netscreen.com>
From: Changming Liu <cliu@netscreen.com>
To: 'JINMEI Tatuya / ???? ' <jinmei@isl.rdc.toshiba.co.jp>, 'Tim Chown ' <tjc@ecs.soton.ac.uk>
Cc: "'dhcwg@ietf.org '" <dhcwg@ietf.org>
Subject: RE: [dhcwg] Renumbering Requirements for Stateless DHCPv6
Date: Tue, 02 Mar 2004 14:13:56 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-2022-jp"
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60

This draft comes at the exact time we need it. We just implemeneted DHCP
server and client and one of our big customers run into this reconfig issue
in their planned deployment right away! I wish I would have read it early.

The scenario is different from the two described in section 3. Our customer
runs DHCP clients on two unpstream interfaces and DHCP server on on
downstream interface which connects to a LAN with PCs, etc, The DHCP is used
just to pass configuration info . Depending on the availaibility of upstream
routers which have different DNS server setup among other configs, the DHCP
server needs to update DNS to the LAN immediately to avoid service outage.
Note that these DNS servers are in different zones. This, to my opinion,
should be another major scenario: dynamic change of config info.


In section 5, among three proposed mechanisms, to me, only 1) looks viable.
Multicast support should not be any issue anyway. Is it true that the entire
stateless auto-config and ND are based on that? The only concern may be
security for forged reconfigure message. But this is a more generic issue
than just for reconfigure message itself. Or am I missing something?

The lifetime has several significant drawbacks. The first one is how to
engineer the lifetime value? A difficult choice. if too long it will cause
too long delay, which is unacceptable for service shortage. if too short, it
may cause periodic storms of request/replies. This itself sounds like a
attack to me. The second one is the maintenance effort for both server and
client to maintain these timers as someone pointed out in the meeting. 

The third option looks better, but it won't work between upstream router and
downstream router using DHCPv6 to pass auto-config info. The draft requires
the DHCP relay which may not exist in the scenario I just described.


I guess, actually, the debate, if any,  will boil down to event-driven or
polling? which is better and efficient? Agree?

Changming Liu
Netscreen Technologies Inc.

-----Original Message-----
From: JINMEI Tatuya / ????
To: Tim Chown
Cc: dhcwg@ietf.org
Sent: 3/1/2004 5:11 PM
Subject: Re: [dhcwg] Renumbering Requirements for Stateless DHCPv6

>>>>> On Tue, 10 Feb 2004 13:45:49 +0000, 
>>>>> Tim Chown <tjc@ecs.soton.ac.uk> said:

> There have not been any list comments on a draft that I wrote with
Stig and
> A.K. after Minneapolis on the issue of how nodes using DHCPv6 only for
non
> address configuration options should leanr ofconfiguration changes.

>
http://www.ietf.org/internet-drafts/draft-chown-dhc-stateless-dhcpv6-ren
umbering-00.txt

I've read the draft, and don't see a major problem in it.

One minor comment:  the draft repeatedly say there should be no
additional security concerns in actual proposals to address the
renumbering issues:

In Section 4, it says
   The solution should also be secure, such that additional security
   concerns are not added to the stateless DHCPv6 networking
   environment.

And in Section 7, it says
   However, whatever mechanism is designed or chosen to address this
   problem should avoid the introduction of new security concerns for
   (stateless) DHCPv6.

I have sympathy for you here, but is this actually a clear and
realistic requirement?  In fact, draft-venaas-dhc-lifetime-01.txt,
which is expected to be a proposal to address the renumbering issue,
has the following security concern:

   An attacker could send a fake DHCP reply with a very low lifetime
   value.  This could make a client request new data almost immediately.
   The value is however not kept when the next request is made.

Regarding the clarity, I'm not sure by this consideration if an
additional security concern is not added.

Regarding the reality, I guess it is likely to see some security
concerns in actual proposals, since the proposals would be a protocol
extension that affects a core part of the base specification.

I don't think this comment is a technical issue though.  This is
probably a matter of wording.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba
Corp.
					jinmei@isl.rdc.toshiba.co.jp

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email