IETF Logo Mail Archive

Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: (with COMMENT)

"Ms. Li HUANG" <bleuoisou@gmail.com> Wed, 06 January 2021 01:52 UTC

Return-Path: <bleuoisou@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A013A10BE; Tue, 5 Jan 2021 17:52:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrpsCBor5eyy; Tue, 5 Jan 2021 17:52:24 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE6C93A0C87; Tue, 5 Jan 2021 17:52:21 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id u12so1716091ilv.3; Tue, 05 Jan 2021 17:52:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/eMeg6j4ua26ugRApBpMbs87G8KT8PuK0u3txWeK6UQ=; b=Bql/RNiDnkzmtN88/6UCf+NN8ARthhaAeTBQwIjy8RRo9bYBb/wbGyXi3mhNWq0510 CpC98/9aSGNGIo09OJp8KfsackkRNJ4Dpg852XIjDKSAavNUXlvQqsScFc0e32gEXtig N7jac4NOSRIq1U+7Uc2uTvWG6d4l5FQ65DfwNGBhRU+v5cFq5AtVnSxRY+y8U5ND7fxT VmBLIW2ugfkZsjN3bRGV2fra4CIZwoIkMBZgeyhKq1QUF1JW8Z3+ucmkgh9CuxmS9p/T aiVmsezuDd7KpFy143lwLH82wfSuJM1T0U3C2Gbhq5TBcMnFKj5+oDFIx0kDDXJ1VJng Nr0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/eMeg6j4ua26ugRApBpMbs87G8KT8PuK0u3txWeK6UQ=; b=ES/uFtJ75749ydW4oqtUtCbh69OHihbEBQJ4/fj9p0lmEK07YXZjvbkJUTZrcuHZcJ PpsOsOUz2VbPPBviyuPp3t1IgSPSFiMGxKcIb05yVgBfoEvqyx2Slz7t+iduXL/KmJaS 9EanTSNrn32PF0F2MOoUAfGnUZrwZYqKTRx7ujfu9mDCvgFumHUJEd3sl82paXmkJrX2 h+qDsijZ6ZKNLnKsAsZAbfHdRSiNj5VvWX2yoGhx9ldqRHrWcn9ciHzkVlnzXyb/qE3R dborjgrZLtI1NbqAmm5eVOLUldhjRlBq/csWOJpU3RowQPp1LnU83PIBqeRplOA7h+qH CQVQ==
X-Gm-Message-State: AOAM533xnkGxgPZm+5SWdF5XQvNWlQV9h60sRddjoJUedalP85I6lbRN PBusR1N6mPtkUAhz2/L1gMQDfoiPUFchKxSo2yCG0nTSdZjq/w==
X-Google-Smtp-Source: ABdhPJzB8hW/jz9p1gKNal2PZmesf0Ef7KKaJONLSCncv+v2r2H12gViYNORX7Fjzpl5TtkjGOLIGRlamGkf6PeYlhI=
X-Received: by 2002:a92:1e08:: with SMTP id e8mr2270819ile.16.1609897941082; Tue, 05 Jan 2021 17:52:21 -0800 (PST)
MIME-Version: 1.0
References: <160815537932.15316.13512777611575892764@ietfa.amsl.com> <7A1F2ECE-ADCA-45C2-9346-0284C4D9BD69@gmx.com>
In-Reply-To: <7A1F2ECE-ADCA-45C2-9346-0284C4D9BD69@gmx.com>
From: "Ms. Li HUANG" <bleuoisou@gmail.com>
Date: Wed, 6 Jan 2021 09:52:08 +0800
Message-ID: <CAGGiuEY+c1W8Wh_2t=Ly2o5wR4wsZJJiA2_WbDQqYA+vEmBBMQ@mail.gmail.com>
To: ianfarrer@gmx.com
Cc: Benjamin Kaduk <kaduk@mit.edu>, draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org, dhc-chairs@ietf.org, The IESG <iesg@ietf.org>, dhcwg@ietf.org, Bernie Volz <volz@cisco.com>
Content-Type: multipart/alternative; boundary="000000000000e7255f05b8319257"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ALGkJgs7QrciIlxJ363mwd3GGaA>
Subject: Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 01:52:27 -0000

09:48.hk S8 Jan 06 2021



Good Day,


DUID as manufacture unique is no longer for sure :

        -    PC machines can be copied in Dhcpv6DUID

        -     Switch, Router can be copied mac on the same model brands ?

        -      Mobile new S10 instance, has function the hidden secure the
mac today.



Sincerely
Li HUANG

On Thu, Dec 17, 2020, 20:26 <ianfarrer@gmx.com> wrote:

> Hi Benjamin,
>
> Many thanks for your comments. Please see inline below.
>
> Ian
>
>
> On 16. Dec 2020, at 22:49, Benjamin Kaduk via Datatracker <
> noreply@ietf.org> wrote:
>
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-pd-relay-requirements/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks to Christian Huitema for the secdir review and to all for the
> ensuing discussion (even though this draft is agreed to not be the right
> place to address the topic of securing the DHCP client/DHCP relay
> communications).
>
> Thanks for this document; it's good to see this type of functional
> requirements get written out clearly.  That said, I'm not sure I
> understand why this document is aiming for Proposed Standard status.  It
> seems to make normative requirements for DHCPv6 relay behavior, but does
> not have an "Updates:" relationship with RFC 8415 to indicate that
> additional requirements are present.  On the other hand, there are no
> new protocol mechanisms to indicate that it is a protocol that would be
> implemented on its own.  Is it intended to play the role of an
> Applicability Statement?
>
> Section 1
>
>   The mechanisms for a relay to inject routes (including aggregated
>   ones), on its network-facing interface based on prefixes learned from
>   a server via DHCP-PD are out of scope of the document.
>
> Just to check my understanding: the context suggests that the
> "network-facing interface" here is the one on the DHCPv6 client side of
> the relay, vs the server side.  Is that correct?  (Is the
> "network-facing" terminology a term of art?)
>
>   Delegating relay A delegating relay acts as an intermediate device,
>                    forwarding DHCPv6 messages containing IA_PD/IAPREFIX
>
> (I agree with Murray that clarification is in order here.)
>
>
> [if - copied from my reply to Murray:
>
> It’s both - the IA_PD option is a contain one or more IAPREFIX options
> (that hold prefix itself).
> Suggest changing to:
>
> “… forwarding DHCPv6 messages containing IA_PD and IAPREFIX …”
> ]
>
>
> Section 3.4
>
>   It is an operational reality that client devices with duplicate MAC
>   addresses and/or DUIDs exist and have been deployed.  In this
>   situation, the operational costs of locating and swapping out such
>   devices are prohibitive.
>   [...]
>   It should be noted that in some access networks, the MAC address and/
>   or DUID are used as part of device identification and authentication.
>   In such networks, enforcing MAC address/DUID uniqueness is a
>   necessary function and not considered a problem.
>
> It's not entirely clear to me that these two statements are entirely
> consistent with each other -- are the costs prohibitive, or not a
> problem?  (Putting a caveat on the first statement that it also only
> applies to "some" networks, would resolve the apparent disparity.)
>
>
> [if - Suggested reword:
>
> OLD:
> "In this situation, the operational costs of locating and swapping out such
>   devices are prohibitive."
>
> NEW:
> "In some networks, the operational costs of locating and swapping out
> such devices are prohibitive."
>
>
> Section 3.5
>
> [that loop sounds pretty nasty; I look forward to seeing how it's
> resolved]
>
>
> [if - R-5 is intended to solve this]
>
>
> Section 4.1
>
>   G-6:    The relay MUST implement a mechanism to limit the maximum
>           number of active prefix delegations on a single port for all
>           client identifiers and IA_PDs.  This value MUST be
>           configurable.
>
> This mechanism is important as a security/anti-DoS mechanism; I hope we
> note that somewhere.
>
>
> [if - Suggest that the following paragraph is added to the Security
> Considerations
>
> “Failure to implement requirement G-6 may have specific security
> implications, such
> as a resource depletion attack on the relay."
>
>
>   G-8:    The delegating relay MUST update the lease lifetimes based on
>           the Client Reply messages it forwards to the client and only
>           expire the delegated prefixes when the valid lifetime has
>           elapsed.
>
> (The string "Client Reply" does not appear in RFC 8415; I'm not sure why
> it's capitalized as if it's a term of art.)
>
>
> [if - reworded to “client’s reply”]
>
>
> Section 4.2
>
>   R-2:    The delegating relay's routing entry MUST use the same prefix
>           length for the delegated prefix as given in the IA_PD.
>
> Could this requirement ever interfere with an aggregation scenario?
> (What is it trying to prevent?)
>
>
> [if - The main problem is where a relay breaks a shorter delegated prefix
> into multiple /64s wasting its own routing table resources (this
> Has been observed). Should we add a problem description for this?
>
> Given where the delegating relay is in the network topology, I don’t see
> any aggregation problems here.]
>
>
>   R-3:    The relay MUST provide a mechanism to dynamically update
>           ingress filters permitting ingress traffic sourced from
>           client delegated leases and blocking packets from invalid
>           source prefixes.  This is to implement anti-spoofing as
>           described in [BCP38].  The delegating relay's ingress filter
>           entry MUST use the same prefix length for the delegated
>           prefix as given in the IA_PD.
>
> Is this imposing a more stringent requirement than BCP38 itself (which,
> as far as I can tell, restricts itself to "all providers of Internet
> connectivity are urged to implement filtering described in this
> document" with no normative requirement.  (To be clear, I'm not opposed
> to this trend, just wondering if we should note the change more
> prominently.)
>
>
> [if - BCP38 describes a problem and proposes anti-spoofing
> as a solution to this problem. The ‘all providers of Internet…’ is a plea
> to
> the ISPs to implement this solution as a policy.
>
> The text above says that the device must be capable of dynamically learning
> the delegated prefixes and applying filters based on those learnt prefixes
> so
> it is possible and operationally manageable to implement a BCP38 filtering
> policy, but does not say ‘you MUST implement BCP38’ (which I don’t think
> is in scope for this document).
>
> So, I think this isn’t more stringent - the really must be capable of
> providing
> dynamic prefix filtering and you are still urged to turn the function on
> as
> Per BCP38]
>
>
> Section 4.4
>
>   O-1:    The relay SHOULD implement an interface allowing the operator
>           to view the active delegated prefixes.  This SHOULD provide
>           information about the delegated lease and client details such
>           as client identifier, next-hop address, connected interface,
>           and remaining lifetimes.
>
> Is this something that draft-ietf-dhc-dhcpv6-yang would provide (and
> thus merit an informative reference)?
>
>
> [if - draft-ietf-dhc-dhcpv6-yang does have state data for prefix delegation
> Information, but you could also potentially access this via CLI, web
> interface, SNMP, TR-69 etc.,
> So I don’t think that the yang module needs a special mention.]
>
>
> Section 7
>
>   This document does not add any new security considerations beyond
>   those mentioned in Section 22 of [RFC8213].
>
> Thanks for queuing up the reference fix per the secdir review.
> I guess both Section 22 of RFC 8415 and all of RFC 8213 are relevant?
> Though perhaps the las paragraph of the section is intended to provide
> the needed RFC 8213 reference...
>
>
> [if - We can use the following wording, as the security considerations for
> RFC8213 are also applicable:
>
> This document does not add any new security considerations beyond
>  those mentioned in Section 4 of [RFC8213] and Section 22 of [RFC8415].
> ]
>
>
>   [RFC8213] describes a method for securing traffic between the relay
>   agent and server by sending DHCP messages over an IPsec tunnel.  In
>   this case the IPsec tunnel is functionally the server-facing
>   interface and DHCPv6 message snooping can be carried out as
>   described.  It is RECOMMENDED that this is implemented by the
>   delegating relay.
>
> I do not see any reference to message snooping in RFC 8213; please
> clearify.
>
>
> [If - Now I reread this, I don’t think the second sentence is needed at
> all:
>
>   "[RFC8213] describes a method for securing traffic between the relay
>   agent and server by sending DHCP messages over an IPsec tunnel.
>   It is RECOMMENDED that this is implemented by the
>   delegating relay."
>
>
> Section 8.2
>
> The discussion at
>
> https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
> combined with the way in which RFC 4443 is referenced ("An ICMPv6 Type
> 1, Code 6 (Destination Unreachable, reject route to destination) error
> message MAY be sent as per [RFC4443], section 3.1." suggest that RFC
> 4443 would be more properly classified as a normative reference.
>
>
> [if - Done]
>
>
>
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>

v2.8.7 | Report a Bug | By Email