Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023

Ole Troan <otroan@employees.org> Mon, 25 September 2023 14:27 UTC

From: Ole Troan <otroan@employees.org>
In-Reply-To: <CAO42Z2yUT628xbyi9hA_adxtVNm17spgVsb=LRhVK2KXuqP=2g@mail.gmail.com>
Date: Mon, 25 Sep 2023 16:27:08 +0200
Cc: dhcwg <dhcwg@ietf.org>, Ted Lemon <mellon@fugue.com>
Message-Id: <42B88277-2A0B-402E-8F85-474C61C30220@employees.org>
References: <CAJgLMKvATJP78ONPc8f6kG2eNWq83XCTSdvRLVGKWB26JGrANQ@mail.gmail.com> <1E185C09-B45E-4B1E-81F8-3CB6141B9881@employees.org> <CAJgLMKtYy2U1vScQoW4eWD3sLipeUTak7BqkELXZ61=6_cKJDQ@mail.gmail.com> <1418C8C0-DBCA-4222-B1C4-604E4B389DEA@employees.org> <CAO42Z2yUT628xbyi9hA_adxtVNm17spgVsb=LRhVK2KXuqP=2g@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/8KoNTYwUQlL85DiNT1EReKwInZ8>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023

Mark,

> On Mon, 25 Sept 2023, 23:55 Ole Troan, <otroan=40employees.org@dmarc.ietf.org> wrote:
> > We have had some operators' interests in this solution over scrapping switches and routers.   I think it would be helpful to hear from network operators or DHCPv6 server solutions about how viable and deployable this solution is. 
> 
> I hope we are not suggesting scrapping all switches and routers.
> Wouldn’t be much of a network then! :-D
> 
> It would be useful to hear from enterprise network operators indeed.
> We need to make it clear to them that this mechanism depends on hosts (voluntarily) notifying the DHCP server about its addresses. And unless that’s also enforced through the network in other ways, the information given is “just another datapoint with some probability of being correct”.
> 
> “Scraping” of routers and switches isn’t the direct alternative to DHCP address notification. Although some level of first hop security functions is likely required. I would think DHCPv6 address assignment is the obvious solution instead of this.
> 
> DHCPv6 isn't a solution when you think about what the security requirements are.

It’s a significant building block.

> The Stateful DHCPv6 Myth. No, it doesn't record IPv6 addresses in use. Neither does DHCPv4.
> https://ipv6tao.blogspot.com/2021/09/the-stateful-dhcpv6-myth-no-it-doesnt.html?m=1

That was a dreadfully opinionated blogpost…

DHCPv6 would give the network enough information to enforce which addresses a host is permitted to use. Using mechanisms like FHS (first-hop security) / SAVI.

With SLAAC there isn’t an equally robust mechanism available. And I’m not sure this helps.
As a DHCPv6 address assignment alternative the ARO option might have been better.

To emphasise, this is for the use case where a network operator requires control of addresses in use by which device. Allowing IPv6 to support that use case does not mean there are many other use cases where SLAAC is perfectly fine.

O.
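As an added illustration, not code from this thread or from the draft, here is a small Python model of the distinction Ole draws: a first-hop (SAVI-style) binding table that enforces addresses the DHCPv6 server actually assigned, while a voluntary host address notification only ever becomes an advisory entry. The port names, the "log-only" handling of advisory entries, the link-local pass-through and the default-deny policy are all assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample input (not from the thread): a DHCPv6 lease snapshot,
# which the network itself issued and can therefore enforce, and a few
# voluntary host notifications, which are only as trustworthy as the host.
DHCPV6_LEASES = [            # (ingress port, client id, assigned address)
    ("Gi1/0/1", "client-a", "2001:db8:1::10"),
    ("Gi1/0/2", "client-b", "2001:db8:1::20"),
]
HOST_NOTIFICATIONS = [       # (ingress port, client id, address the host says it uses)
    ("Gi1/0/2", "client-b", "2001:db8:1::21"),   # a SLAAC address the host reports
    ("Gi1/0/3", "client-c", "2001:db8:1::10"),   # conflicts with a lease on another port
]

def norm(addr):
    """Canonical text form so '2001:DB8:1:0::10' and '2001:db8:1::10' compare equal."""
    return str(ipaddress.IPv6Address(addr))

@dataclass
class BindingTable:
    enforced: dict = field(default_factory=dict)   # address -> port, from DHCPv6 leases
    advisory: dict = field(default_factory=dict)   # address -> port, from notifications

    def learn_dhcpv6(self, leases):
        for port, _client, addr in leases:
            self.enforced[norm(addr)] = port

    def learn_notification(self, notifications):
        """Record host claims; a claim never overrides what the server actually leased."""
        ignored = []
        for port, _client, addr in notifications:
            a = norm(addr)
            if a in self.enforced and self.enforced[a] != port:
                ignored.append((port, a))       # claim contradicts a lease elsewhere
                continue
            self.advisory[a] = port
        return ignored

    def verdict(self, port, src):
        """Filter decision for a packet with source 'src' arriving on 'port'."""
        a = norm(src)
        if ipaddress.IPv6Address(a).is_link_local:
            return "allow"           # assumption: link-local is out of scope here
        if a in self.enforced:
            return "allow" if self.enforced[a] == port else "drop"
        if a in self.advisory and self.advisory[a] == port:
            return "log-only"        # unverified claim: record it, do not treat it as proof
        return "drop"                # assumption: default-deny on a DHCPv6-managed segment

def build_table():
    table = BindingTable()
    table.learn_dhcpv6(DHCPV6_LEASES)
    return table, table.learn_notification(HOST_NOTIFICATIONS)
```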