Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023

Ole Troan <otroan@employees.org> Mon, 25 September 2023 13:55 UTC

From: Ole Troan <otroan@employees.org>
In-Reply-To: <CAJgLMKtYy2U1vScQoW4eWD3sLipeUTak7BqkELXZ61=6_cKJDQ@mail.gmail.com>
Date: Mon, 25 Sep 2023 15:54:49 +0200
Cc: Bernie Volz <bevolz@gmail.com>, dhcwg <dhcwg@ietf.org>, Ted Lemon <mellon@fugue.com>
Message-Id: <1418C8C0-DBCA-4222-B1C4-604E4B389DEA@employees.org>
References: <CAJgLMKvATJP78ONPc8f6kG2eNWq83XCTSdvRLVGKWB26JGrANQ@mail.gmail.com> <1E185C09-B45E-4B1E-81F8-3CB6141B9881@employees.org> <CAJgLMKtYy2U1vScQoW4eWD3sLipeUTak7BqkELXZ61=6_cKJDQ@mail.gmail.com>
To: Timothy Winters <tim@qacafe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/8jo_PwugJiGM0iERkxOjxEQ0FiY>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023

> We have had some operators' interests in this solution over scrapping switches and routers.   I think it would be helpful to hear from network operators or DHCPv6 server solutions about how viable and deployable this solution is. 

I hope we are not suggesting scrapping all switches and routers.
Wouldn’t be much of a network then! :-D

It would be useful to hear from enterprise network operators indeed.
We need to make it clear to them that this mechanism depends on hosts (voluntarily) notifying the DHCP server about its addresses. And unless that’s also enforced through the network in other ways, the information given is “just another datapoint with some probability of being correct”.

“Scraping” of routers and switches isn’t the direct alternative to DHCP address notification. Although some level of first hop security functions is likely required. I would think DHCPv6 address assignment is the obvious solution instead of this.

O.


> 
> ~Tim
> 
> On Sat, Sep 23, 2023 at 4:08 AM Ole Trøan <otroan@employees.org> wrote:
> Thanks Tim,
> 
> I do wonder if it’s not worth doing a complete retake of this proposal.
> 
> If the operator requirement is to know which address has been in use in the network by which device at any point in time, then that cannot be guaranteed with this mechanism. Existing first-hop security mechanisms in switches and routers would be much more robust. 
> 
> O. 
> 
>> On 22 Sep 2023, at 22:22, Timothy Winters <tim@qacafe.com> wrote:
>> 
>> Hi Everyone,
>> 
>> The working group had some great discussion about this document during the WGLC.    Based on the discussion it didn't pass WGLC at this time.  It will mostly need another round of discussion and potentially a revision based on those discussions. 
>> 
>> Additionally, Bernie and I discussed and think it's a good idea to wait to ask IANA for early code points until we have passed WGLC.
>> 
>> Regards,
>> Tim
>> 
>> On Thu, Sep 14, 2023 at 3:16 PM Bernie Volz <bevolz@gmail.com> wrote:
>> An interesting question may be do we need new messages at all? Using Information Request / Reply with new option is perhaps cleanest?
>> - existing clients can do what they do today
>> - existing servers (and relays or other snoopers) will not know option so ignore (hopefully silently)
>> - existing servers only see “more” Information-Request for clients not supporting this new work when enabling O-bit to request address registrations
>> - “new” clients that do SLAAC when O-bit set and did support Information-Request can do initial registration in first message (or send when address assigned) and do periodic updates (perhaps even ask for other options via ORO to refresh information) … they may actually have no more messages than today (well, except if they have multiple SLAAC addresses as need to use a separate Information-Request for each) … they could also decouple previous and new behavior at increase in traffic.
>> - registration only clients that did not use Information-Request previously add new traffic … which is exactly what we want
>> 
>> The only downside is it kind of overloads Information-Request as it is now also a client to server communication. Though the client already can send information to server in Information-Request (user class, vendor class, vendor information, …). And, we could say the client is asking whether the server supports registration (by getting new option in Reply).
>> 
>> Note: It may be worth thinking about making use of the new “registration address” option’s encapsulated options field if client wants to send other information (such as fqdn). This isn’t really bad as this is likely address specific and any server that wanted to do something with this data needs updating anyway. This keeps all of the registration information hidden from those devices that don’t that registration option.
>> 
>> Anyway, this is now a very good reason to hold off on early assignment for message types (and likely say WGLC failed).
>> 
>> - Bernie (from iPad)
>> 
>>> On Sep 14, 2023, at 2:32 PM, Bernie Volz <bevolz@gmail.com> wrote:
>>> 
>>> Hi:
>>> 
>>> (Just catching up and responding to this as was asked specifically…there could have been more I haven’t yet read.)
>>> 
>>> 8415bis only prohibits IA options in Information-Request
>>> 
>>> 16.12. Information-request Message
>>> 
>>> Clients MUST discard any received Information-request messages.
>>> 
>>> Servers MUST discard any received Information-request message that
>>> meets any of the following conditions:
>>> 
>>> * the message includes a Server Identifier option (see
>>> Section 21.3), and the DUID in the option does not match the
>>> server's DUID.
>>> 
>>> * the message includes an IA option.
>>> 
>>> I wonder however if having an Address Registration option specifically would be better (the Information-Request and new registration request could use this instead of IA_Addr option). This might avoid an overly aggressive server or relay that checks the Information-Request or its Reply for options from doing odd things if it sees the IAAddr. If we’re trying to make things safe, this may be best. Note also that it may help other devices in the path that may want to snoop for this data. (But it could have downside if any “options” are developed as then those specifications would need to determine if they are also allowed in this new address option).
>>> 
>>> 
>>> On a separate note, one issue the current draft may need to document and is a consideration is that when O-bit (RA) and A-bit (PIO) is set, a registration only server should really support Information-Request as it will also get lots of those from clients that support DHCPv6 - it may just send back a pretty empty Reply.
>>> 
>>> By using Ted’s suggestion of using Information-Request, it would be natural for registration only to be implemented at least sufficiently to send a well formed Reply even when not address registration request.
>>> 
>>> It seems like a clever idea to use Information-Request at least for initial determination of support.
>>> - it avoids extra packets.
>>> - client could honor server’s INF_MAX_RT to reduce frequency of probing (likely periodic probing is not a bad idea).
>>> 
>>> 
>>> - Bernie (from iPad)
>>> 
>>>> On Sep 14, 2023, at 11:29 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>>>> 
>>>> On Fri, Sep 15, 2023 at 12:22 AM Ted Lemon <mellon@fugue.com> wrote:
>>>> What I think would be most expedient (if we must use DHCP to probe for support of address registration) would be to do the first address registration as an information request with the additional information in the information request, using the source address being registered. If the reply that comes back confirms the address registration, then all subsequent address registrations on this link would be sent as address registrations.
>>>> 
>>>> Well, but if we can come up with a reasonable way to represent an address registration using an information-request packet, then why not make all registrations be information-request packets?
>>>> 
>>>> +Bernie Volz any thoughts on using information-request and reply messages, instead of the new addr-reg-inform and addr-reg-reply messages currently defined in the draft?
>> _______________________________________________
>> dhcwg mailing list
>> dhcwg@ietf.org
>> https://www.ietf.org/mailman/listinfo/dhcwg
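The RFC 8415bis Section 16.12 server-side discard rules that Bernie quotes earlier in this thread, worked through as an added example; this is not code from the thread, the draft, or any DHCPv6 implementation. The message type and option codes are the RFC 8415 values, the DUIDs and function names are constructed for the example, and the last case shows that an IA Address option at the top level of an Information-request is not caught by the literal rule, which is why Bernie worries about servers or relays that check options more aggressively.

```python
import struct

# DHCPv6 message type and option codes as assigned in RFC 8415.
INFORMATION_REQUEST = 11
OPTION_CLIENTID, OPTION_SERVERID = 1, 2
OPTION_IA_NA, OPTION_IA_TA, OPTION_IAADDR, OPTION_IA_PD = 3, 4, 5, 25
IA_OPTIONS = {OPTION_IA_NA, OPTION_IA_TA, OPTION_IA_PD}  # the "IA options" 16.12 names

def parse_options(data: bytes):
    """Parse the TLV options that follow the 4-byte DHCPv6 header."""
    opts, pos = [], 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError("truncated option %d" % code)
        opts.append((code, data[pos:pos + length]))
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last option")
    return opts

def build_message(msg_type: int, txid: int, options) -> bytes:
    """Encode a DHCPv6 message: msg-type, 3-byte transaction-id, then options."""
    body = b"".join(struct.pack("!HH", c, len(v)) + v for c, v in options)
    return bytes([msg_type]) + txid.to_bytes(3, "big") + body

def information_request_discard_reason(msg: bytes, server_duid: bytes):
    """Server-side check from RFC 8415bis Section 16.12 as quoted in the thread.
    Returns None when the message may be processed, otherwise why it is dropped."""
    if len(msg) < 4:
        return "too short"
    if msg[0] != INFORMATION_REQUEST:
        return "not an Information-request"
    for code, value in parse_options(msg[4:]):
        if code == OPTION_SERVERID and value != server_duid:
            return "Server Identifier does not match the server's DUID"
        if code in IA_OPTIONS:
            return "contains an IA option"
    return None  # a top-level IA Address option is NOT caught by the literal rule

if __name__ == "__main__":
    # Constructed DUID-LL values; no real hosts are involved.
    server_duid = bytes.fromhex("0003000102000000000a")
    client_id = (OPTION_CLIENTID, bytes.fromhex("0003000102000000000b"))
    for opts in ([client_id], [client_id, (OPTION_IA_NA, b"\0" * 12)],
                 [client_id, (OPTION_IAADDR, b"\0" * 24)]):
        m = build_message(INFORMATION_REQUEST, 0x123456, opts)
        print([c for c, _ in opts], "->", information_request_discard_reason(m, server_duid))
```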