IETF Logo Mail Archive

Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

Bernie Volz <bevolz@gmail.com> Sat, 13 August 2022 16:04 UTC

Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07EE9C147920 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 09:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9ozhyj2eq67 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 09:04:03 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04041C14F744 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 09:04:02 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id h4so2812642qtj.11 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 09:04:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=vskWfLR7RbIatJH5U9GcGnle/0dwPh+lIg7+floEA0M=; b=ON6cCN0qm34AwEYvM9s6NOQ4I2zER7oAnvqOwKiIL61ZFC9dTK9W2hnjwaagv37QOx n9D8QH+bc996XIrrimRBpzBYdRee4vBLtVtupyhYX12boDkDh6YVr8G0lZSP/mejD7YD J/uCRDFDo03YLvH77eJe3zjI+jUgMdkH3muidXRzVH3fWD6BIfwef98Gik6po7kX4Xpx zqOg6LDxWu7k2GLaGtfhV+Y6FFXmdvnewoxYWKLoBJ/AwIgnJmzd/JWqM2r7OWjeLoMP twNac/LAvQSCknP9opdGgT1JVhwX/pC7KAm2Vy4lqTGTx4E6+oXlkFHN2Yvc0alJvA0c twxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=vskWfLR7RbIatJH5U9GcGnle/0dwPh+lIg7+floEA0M=; b=7PDpL4fUfDFVHf6X12E18fK47Z07xXc92QeJJA5db4yYFlkD6nOnI+nzRYnER/NZeR kTI4qQwa+ZZbAyvQEHtvAjG6EFv2q+kRwlrEqrInE6BiWw2xSCQMPyvuFhoJ/WHcxyWp LXp+dL2VCJwrt/xoKRaf8KU/AMs+197VMswpjOu0JuoaN/Ubmfqjvbd/VaK88h7WVWVE Adjjo5yIHxJ72XANddqFhQ3XcpOx0a+vNrTmmiMIlMHHcutq5fPbzdCJZqXRHNdW2Q6K CBlzHiUgFWCtfITCD2JZLh3Le5MufvDNm+eNtWrFeSM5fySjk6Frv7K5PyctmLDmdoQy /ghg==
X-Gm-Message-State: ACgBeo0yy8wtA8+DOuvlo5BzpyQehpPFschg6mkx3yEwXFza4XviDhHd 0UOibDhMbmuK8I+aNonLJ2rf+6hSzg==
X-Google-Smtp-Source: AA6agR7uLLXlyFXUx8yxvilYLfzR0G9XmR3Tc4vDxbgxJQ5tSHJXH3NVKxZtGKIHGM1oKnTdJbKPAg==
X-Received: by 2002:a05:622a:20e:b0:343:7345:36cc with SMTP id b14-20020a05622a020e00b00343734536ccmr6699448qtx.669.1660406641485; Sat, 13 Aug 2022 09:04:01 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id h5-20020a05620a400500b006b615cd8c13sm3902164qko.106.2022.08.13.09.04.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 09:04:00 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-8FF0F075-D159-47EA-ADFE-D3AA0A7EEC34"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Aug 2022 12:03:59 -0400
Message-Id: <A2E3E000-7AAD-45BF-BDF5-C124EA3736CE@gmail.com>
References: <6C6A01B5-3FDB-4500-A3F2-5C15A8F2D322@fugue.com>
Cc: Michael Richardson <mcr@sandelman.ca>, dhcwg@ietf.org
In-Reply-To: <6C6A01B5-3FDB-4500-A3F2-5C15A8F2D322@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: iPad Mail (19G71)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/9FSgCuMHaOK8VzZAG3IWYyi4q98>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 16:04:04 -0000

Also …

Cable deployments already confirm that a single address is not being used - a prefix is delegated. There is no need for the CM and Router address to be stable (these are assigned via DHCPV6 IA_NA) and as indicated later, the stability depends on whether they remain connected and the server’s policy. There is generally a good reason for prefix assigned to a subscriber to remain stable.

What other deployments may decide is unknown, but I doubt that it will be a single address.

And, whether a server will keep giving the same client the same address is really a matter of server policy, and whether the client stays connected or not. It may also be part of the client’s policy in how it generates a DUID and whether it persists that value and for how long.

Certainly in public wifi and similar deployments, remembering each client seen is probably not scalable as lots will be one time or very infrequent visitors. Sure, you could have a server remember it for a period of time.

DHCPv6 gives the network administrator much of the control whereas SLAAC places most of the control in clients.

Also, I’m not really sure why we are arguing these points (we have both SLAAC and DHCPv6) as the draft of question is about whether clients should have the ability to notify about the address they generated via SLAAC. As Michael points out that’s building a lot of infrastructure and what benefit is there for lots of client implementations to change to do this? Having network elements that are already involved in “recording” this data (router ND caches) reporting it would seem like a far better way to go and leaves the policy where it should be - with the network administrator if they require this data - and with the assurance that it is equally recorded or not (i.e., not dependent on the client).

I know you would prefer to depreciate IA_NA, but we already discussed that (see RFC8415 bis discussion) and why it is a bad idea given its wide deployment and the desire for some.

- Bernie

> On Aug 13, 2022, at 10:25 AM, Ted Lemon <mellon@fugue.com> wrote:
> 
> The reason that DHCPv6 IA_NA has not gotten full implementation in clients is because it can be used to force clients to use a single stable address. I know you’ve heard this said before, Bernie.
> 
> This is why I would argue for deprecating IA_NA—it threatens the whole IPv6 addressing architecture and makes it more likely that homes will wind up having single addresses as is currently the case with IPv4.
> 
> IOW this is a compromise position: people have said they want DHCPv6 address assignment because they want to track clients, not because they want to constrain them to single addresses. If that’s so, then having clients implement this behavior would address that problem without throwing the baby out with the bathwater.
> 
> On the other hand, maybe that was never the issue in the first place, in which case this proposal will force people to advocate for what they really want, and force us to have the addressing architecture discussion.
> 
> It’s really unfortunate that DHCPv6 has found itself in the position of being the place in which this battle has been fought for lo these many years, but there’s not much we can do to change that, unfortunately.
> 
> Sent from my iPad
> 
>>> On Aug 13, 2022, at 10:21 AM, Bernie Volz <bevolz@gmail.com> wrote:
>>> 
>> I understand this “control” difference. But why should a client care whether it gets address A or B? If there is a requirement to provide a client a specific address, DHCPv6 servers support reservations (typically based on client id, DUID, but there are other possibilities). And clients can suggest addresses, and a server generally could allow that address to be used unless there is a specific conflict?
>> 
>> - Bernie
>> 
>>>> On Aug 13, 2022, at 10:14 AM, Ted Lemon <mellon@fugue.com> wrote:
>>>> 
>>> If a client wants to do DNS registration, the DNSSD service registration protocol might be a good option: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/
>>> 
>>> As to why not use DHCPv6 IA_NA, the answer is that this allows the DHCP server to control the client’s address, whereas registering the address doesn’t give the DHCP server that sort of control. This is a significant difference, and is why a client implementation might choose to include registration, but not IA_NA allocation.
>>> 
>>> Sent from my iPad
>>> 
>>>>> On Aug 13, 2022, at 7:43 AM, Bernie Volz <bevolz@gmail.com> wrote:
>>>>> 
>>>> 
>>>> These are great points Michael.
>>>> 
>>>> For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues.
>>>> 
>>>> If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between?
>>>> 
>>>> - Bernie Volz
>>>> 
>>>>>> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote:
>>>>>> 
>>>>> 
>>>>> This document seems to require many changes to many systems.
>>>>> Do I hear that Google is willing to do this for Android?
>>>>> I am very enthusiastic about having better information.
>>>>> 
>>>>> It works only if all the devices implement it, it's not that useful until all
>>>>> the devices do it.  Until that happens, then it's completely useless to the
>>>>> helpdesk.
>>>>> It requires updates to DHCPv6 server, assuming that there is one, which if
>>>>> you are using SLAAC... you probably don't even have one.
>>>>> It does not require updates to the core routers, which is the only
>>>>> interesting part.  {But, in homes and small offices, and remotely supported
>>>>> small offices with a b2b ISP..., that's all the same openwrt box.}
>>>>> 
>>>>> It seems that if one already had an SNMP or YANG/NETCONF feed from the
>>>>> routers for the Neighbor Entry Cache, that feeding that into the "database"
>>>>> would be good.
>>>>> 
>>>>> Warren eventually says that he thinks this would be *more* complicated, and I
>>>>> read his slide 10.... and come-on.   You hacked up something that needs to be
>>>>> clearly coded correctly in the router.  Yes, it's chatty, but it doesn't need
>>>>> to tell about every state transition.
>>>>> BUT, even if it did, who cares if you can't read it scrolling on your screen.
>>>>> That's what the networking monitoring system is for.  Actually, I think you
>>>>> just proved how easily this could be done even without code changes to the routers.
>>>>> 
>>>>> So, I don't think that I agree at all.  The best part about linking it to the NCE
>>>>> is that if the NCE is bad, overwhelmed or has been forged, then the client
>>>>> machine probably doesn't get connectivity anyway.  There is some fate sharing here.
>>>>> 
>>>>> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay
>>>>> path.  This is very much akin to the Accounting records that radius sends.
>>>>> Doing it this way links the v6 address more directly to the MAC address,
>>>>> while not requiring the host to actually know what it is doing.
>>>>> 
>>>>> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security
>>>>> mechanisms they already have, but I'm not really sure how this should involve
>>>>> the client system.
>>>>> 
>>>>> And...if I was going to upload all the source code, the first thing I'd do is send
>>>>> one of these messages saying that I'm either the CEO, or the new hire, and then do it.
>>>>> 
>>>>> --
>>>>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>>>>           Sandelman Software Works Inc, Ottawa and Worldwide
>>>>> _______________________________________________
>>>>> dhcwg mailing list
>>>>> dhcwg@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dhcwg
> 
>>>> _______________________________________________
>>>> dhcwg mailing list
>>>> dhcwg@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email