Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Thu, 08 October 2020 21:54 UTC

From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: "Bernie Volz (volz)" <volz@cisco.com>, "ianfarrer@gmx.com" <ianfarrer@gmx.com>
CC: dhcwg <dhcwg@ietf.org>, 6man <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Date: Thu, 8 Oct 2020 21:54:32 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/8bBc2KTmhQXlrnzzg2nBl38f27o>

Bernie,

Let's say two clients A and B are connected to a switch which is then connected to
relay R. Clients A and B receive PDs from the DHCPv6 service that are relayed by
R, and R establishes routes for the delegated prefixes A and B. A and B both regard
R as a default router.

Now, suppose two things:

- client B discovers through some means (e.g., DNS) the IP address of a service
   endpoint within prefix A
- client A somehow "forgets" that it received the prefix delegation A

Now, client B sends packets destined to an address in A to R, and R forwards the
packets to client A since it still has a route for A. When the packets arrive at A,
however, A forwards them back to R since it has "forgotten" that it holds the
prefix A. When R receives the packets from A with destination address also
from prefix A, it must drop them instead of forwarding them back to A to
avoid looping.

Note: If R had sent a Redirect to B, the same scenario would play out except
that B would send its subsequent packets directly to A. But then, A would again
still forward them to R which must drop instead of forwarding back to A.

Fred

> -----Original Message-----
> From: Bernie Volz (volz) [mailto:volz@cisco.com]
> Sent: Thursday, October 08, 2020 2:19 PM
> To: ianfarrer@gmx.com; Templin (US), Fred L <Fred.L.Templin@boeing.com>
> Cc: dhcwg <dhcwg@ietf.org>; 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
> Subject: RE: [v6ops] [EXTERNAL] Re: [dhcwg] Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-
> requirements
> 
> 
> Is this a model where in your Figure 1, you have a switch between the PD Client and Delegating Relay and you might have other
> devices off that switch?
> 
> In that case, why would any of the devices off that switch be using the prefix given the PD Client? How would they learn this? I don't
> think the PD Client nor Delegating Relay should be doing RAs with the PD prefix in them (or a sub-prefix).
> 
> If the PD Client is doing that, then any devices off the switch would be using it as the default router for that prefix and not the
> delegating relay? And, hence no traffic should be going to the delegating relay with the PD destination address.
> 
> Or, do I have this model wrong?
> 
> - Bernie
> 
> -----Original Message-----
> From: v6ops <v6ops-bounces@ietf.org> On Behalf Of ianfarrer@gmx.com
> Sent: Thursday, October 8, 2020 12:16 PM
> To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> Cc: dhcwg <dhcwg@ietf.org>; 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
> Subject: Re: [v6ops] [EXTERNAL] Re: [dhcwg] Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-
> requirements
> 
> Hi Fred / Jen
> 
> Please see inline below.
> 
> Thanks,
> Ian
> 
> > On 8. Oct 2020, at 17:51, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
> >
> > Jen,
> >
> >> What would happen if the *second* device sends traffic towards the
> >> delegated prefix? As that device is using the relay as its default
> >> gateway, the traffic would be sent there.
> >> If I read the draft correctly, instead of forwarding the traffic and
> >> maybe sending the redirect, the relay is expected to drop it?
> >
> > The way that I interpret it, when the second device sends the traffic
> > to the relay, the relay would still forward the traffic to the client,
> > which would then forward the traffic back to the relay, then at that
> > point the relay would drop the traffic. Unless the second node somehow
> > has a way of knowing that the client has entered into an amnesiac
> > state and then does a malicious "flood-ping", we can expect
> > applications to quickly learn that the IP addresses of the client are
> > no longer reachable. Plus, these amnesiac conditions can be expected
> > to be rare and transient; not steady-state.
> >
> > Fred
> 
> [if - If I understand Jen’s question correctly, it’s related to the ‘working’ case.
> i.e. the client has completed PD, installed the routes and the relay has the relevant lease info/routes.
> 
> When the second device sends via the default route with a destination address in the delegated prefix, R-4 in its current form would
> cause the traffic to be dropped.
> As the relay doesn’t forward the packet, it can’t send a redirect (per RFC4681), so the second device can’t forward.
> 
> Looking at this, I think there are deployment scenarios where R-4 isn’t going to work.
> 
> My suggestion would be to make R-4 disable-able.]
> 
> 
> 
> >
> >
> >> -----Original Message-----
> >> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Jen Linkova
> >> Sent: Wednesday, October 07, 2020 6:25 PM
> >> To: ianfarrer@gmx.com
> >> Cc: dhcwg <dhcwg@ietf.org>; v6ops list <v6ops@ietf.org>; 6man
> >> <ipv6@ietf.org>
> >> Subject: [EXTERNAL] Re: [dhcwg] Question to DHCPv6 Relay Implementors
> >> regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements
> >>
> >>
> >> On Wed, Oct 7, 2020 at 9:25 PM <ianfarrer@gmx.com> wrote:
> >>> We are currently finishing WGLC for this draft. It describes
> >>> requirements for a 'DHCPv6 Delegating Relay' - this is a router
> >>> functioning as the L3 edge and DHCPv6 relay (only) with prefix
> >>> delegation. This is a common deployment scenario, but RFC3633/8415
> >>> only really describes PD using a Delegating Router - i.e the L3 edge
> >>> also functions as a DHCPv6 server with no relay. When the relay and
> >>> server functions are performed by separate devices a number of
> >>> problems with how relays behave have been observed, so this document
> >>> addresses them.
> >>>
> >>> During WGLC for this, Ole raised a comment related to one of the routing requirements:
> >>>
> >>> R-4:    If the relay has learned a route for a delegated prefix via a
> >>>           given interface, and receives traffic on this interface with
> >>>           a destination address within the delegated prefix (that is
> >>>           not an on-link prefix for the relay), then it MUST be
> >>>           dropped.  This is to prevent routing loops.  An ICMPv6 Type
> >>>           1, Code 6 (Destination Unreachable, reject route to
> >>>           destination) error message MAY be sent back to the client.
> >>>           The ICMP policy SHOULD be configurable.
> >>>
> >>> The problem that this is trying to solve is:
> >>>
> >>> 3.5.  Forwarding Loops between Client and Relay
> >>
> >> I might be missing smth but...
> >> Let's say I have a relay and its 'south' (client-facing) interface
> >> is connected to a switch. The client AND second device (another
> >> router or a host) are connected to the same segment.
> >> The client gets a prefix, the relay 'learned' (or shall we call it
> >> 'install'?) the route for the delegated prefix pointing to its 'south'
> >> interface with the client address as a next-hop.
> >> What would happen if the *second* device sends traffic towards the
> >> delegated prefix? As that device is using the relay as its default
> >> gateway, the traffic would be sent there.
> >> If I read the draft correctly, instead of forwarding the traffic and
> >> maybe sending the redirect, the relay is expected to drop it?
> >>
> >> --
> >> SY, Jen Linkova aka Furry
> >>
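
Added example, not part of the original thread or of the draft: a small Python model of the relay's forwarding decision on the topology discussed above (relay R with PD client A and second device B on one switch). It compares no loop protection, R-4 as quoted (keyed on the ingress interface), and a hypothetical variant that drops only packets arriving from the delegated route's own next hop; the addresses, the `rule` names and that next-hop variant are assumptions made for illustration.

```python
import ipaddress

# Constructed topology (not from the thread): relay R's client-facing "south"
# interface, with PD client A and second device B on the same switch.
SOUTH = "south"
CLIENT_A = ipaddress.ip_address("fe80::a")  # next hop of the delegated route
DEVICE_B = ipaddress.ip_address("fe80::b")
# Route R installed from the relayed PD exchange: prefix -> (out interface, next hop)
ROUTES = {ipaddress.ip_network("2001:db8:a::/48"): (SOUTH, CLIENT_A)}
DST = ipaddress.ip_address("2001:db8:a::1")  # service endpoint inside prefix A


def relay_decision(in_if, prev_hop, dst, rule):
    """Return 'forward' or 'drop' for a packet arriving at R.

    rule 'none'    : plain route lookup, no loop protection
    rule 'r4'      : R-4 as quoted, keyed on the ingress interface only
    rule 'nexthop' : hypothetical variant, drop only if the packet came
                     from the delegated route's own next hop
    """
    for prefix, (out_if, next_hop) in ROUTES.items():
        if dst in prefix:
            if rule == "r4" and in_if == out_if:
                return "drop"
            if rule == "nexthop" and in_if == out_if and prev_hop == next_hop:
                return "drop"
            return "forward"
    return "drop"  # no matching route in this sketch


def trace(rule, client_remembers_pd, hop_limit=64):
    """Follow one packet from B to DST; return (outcome, times R forwarded it)."""
    prev_hop, forwards = DEVICE_B, 0
    while hop_limit > 0:
        if relay_decision(SOUTH, prev_hop, DST, rule) == "drop":
            return ("dropped_by_relay", forwards)
        forwards += 1
        hop_limit -= 1  # R forwards the packet to client A
        if client_remembers_pd:
            return ("delivered", forwards)
        hop_limit -= 1  # amnesiac A sends it back to its default router R
        prev_hop = CLIENT_A
    return ("hop_limit_exceeded", forwards)


if __name__ == "__main__":
    for rule in ("none", "r4", "nexthop"):
        for remembers in (True, False):
            print(rule, remembers, trace(rule, remembers))
```

With `r4`, B's packet is dropped at R even when A is healthy, which is the working-case concern raised in the thread; with `nexthop`, it is delivered when A remembers its delegation and dropped after one bounce when A is amnesiac, and with `none` the amnesiac case loops until the hop limit runs out.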