Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: (with COMMENT)
"Ms. Li HUANG" <bleuoisou@gmail.com> Wed, 06 January 2021 01:52 UTC
Return-Path: <bleuoisou@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A013A10BE; Tue, 5 Jan 2021 17:52:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrpsCBor5eyy; Tue, 5 Jan 2021 17:52:24 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE6C93A0C87; Tue, 5 Jan 2021 17:52:21 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id u12so1716091ilv.3; Tue, 05 Jan 2021 17:52:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/eMeg6j4ua26ugRApBpMbs87G8KT8PuK0u3txWeK6UQ=; b=Bql/RNiDnkzmtN88/6UCf+NN8ARthhaAeTBQwIjy8RRo9bYBb/wbGyXi3mhNWq0510 CpC98/9aSGNGIo09OJp8KfsackkRNJ4Dpg852XIjDKSAavNUXlvQqsScFc0e32gEXtig N7jac4NOSRIq1U+7Uc2uTvWG6d4l5FQ65DfwNGBhRU+v5cFq5AtVnSxRY+y8U5ND7fxT VmBLIW2ugfkZsjN3bRGV2fra4CIZwoIkMBZgeyhKq1QUF1JW8Z3+ucmkgh9CuxmS9p/T aiVmsezuDd7KpFy143lwLH82wfSuJM1T0U3C2Gbhq5TBcMnFKj5+oDFIx0kDDXJ1VJng Nr0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/eMeg6j4ua26ugRApBpMbs87G8KT8PuK0u3txWeK6UQ=; b=ES/uFtJ75749ydW4oqtUtCbh69OHihbEBQJ4/fj9p0lmEK07YXZjvbkJUTZrcuHZcJ PpsOsOUz2VbPPBviyuPp3t1IgSPSFiMGxKcIb05yVgBfoEvqyx2Slz7t+iduXL/KmJaS 9EanTSNrn32PF0F2MOoUAfGnUZrwZYqKTRx7ujfu9mDCvgFumHUJEd3sl82paXmkJrX2 h+qDsijZ6ZKNLnKsAsZAbfHdRSiNj5VvWX2yoGhx9ldqRHrWcn9ciHzkVlnzXyb/qE3R dborjgrZLtI1NbqAmm5eVOLUldhjRlBq/csWOJpU3RowQPp1LnU83PIBqeRplOA7h+qH CQVQ==
X-Gm-Message-State: AOAM533xnkGxgPZm+5SWdF5XQvNWlQV9h60sRddjoJUedalP85I6lbRN PBusR1N6mPtkUAhz2/L1gMQDfoiPUFchKxSo2yCG0nTSdZjq/w==
X-Google-Smtp-Source: ABdhPJzB8hW/jz9p1gKNal2PZmesf0Ef7KKaJONLSCncv+v2r2H12gViYNORX7Fjzpl5TtkjGOLIGRlamGkf6PeYlhI=
X-Received: by 2002:a92:1e08:: with SMTP id e8mr2270819ile.16.1609897941082; Tue, 05 Jan 2021 17:52:21 -0800 (PST)
MIME-Version: 1.0
References: <160815537932.15316.13512777611575892764@ietfa.amsl.com> <7A1F2ECE-ADCA-45C2-9346-0284C4D9BD69@gmx.com>
In-Reply-To: <7A1F2ECE-ADCA-45C2-9346-0284C4D9BD69@gmx.com>
From: "Ms. Li HUANG" <bleuoisou@gmail.com>
Date: Wed, 06 Jan 2021 09:52:08 +0800
Message-ID: <CAGGiuEY+c1W8Wh_2t=Ly2o5wR4wsZJJiA2_WbDQqYA+vEmBBMQ@mail.gmail.com>
To: ianfarrer@gmx.com
Cc: Benjamin Kaduk <kaduk@mit.edu>, draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org, dhc-chairs@ietf.org, The IESG <iesg@ietf.org>, dhcwg@ietf.org, Bernie Volz <volz@cisco.com>
Content-Type: multipart/alternative; boundary="000000000000e7255f05b8319257"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ALGkJgs7QrciIlxJ363mwd3GGaA>
Subject: Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 01:52:27 -0000
09:48.hk S8 Jan 06 2021
Good Day,
DUID as manufacture unique is no longer for sure :
- PC machines can be copied in Dhcpv6DUID
- Switch, Router can be copied mac on the same model brands ?
- Mobile new S10 instance, has function the hidden secure the
mac today.
Sincerely
Li HUANG
On Thu, Dec 17, 2020, 20:26 <ianfarrer@gmx.com> wrote:
> Hi Benjamin,
>
> Many thanks for your comments. Please see inline below.
>
> Ian
>
>
> On 16. Dec 2020, at 22:49, Benjamin Kaduk via Datatracker <
> noreply@ietf.org> wrote:
>
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-pd-relay-requirements/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks to Christian Huitema for the secdir review and to all for the
> ensuing discussion (even though this draft is agreed to not be the right
> place to address the topic of securing the DHCP client/DHCP relay
> communications).
>
> Thanks for this document; it's good to see this type of functional
> requirements get written out clearly. That said, I'm not sure I
> understand why this document is aiming for Proposed Standard status. It
> seems to make normative requirements for DHCPv6 relay behavior, but does
> not have an "Updates:" relationship with RFC 8415 to indicate that
> additional requirements are present. On the other hand, there are no
> new protocol mechanisms to indicate that it is a protocol that would be
> implemented on its own. Is it intended to play the role of an
> Applicability Statement?
>
> Section 1
>
> The mechanisms for a relay to inject routes (including aggregated
> ones), on its network-facing interface based on prefixes learned from
> a server via DHCP-PD are out of scope of the document.
>
> Just to check my understanding: the context suggests that the
> "network-facing interface" here is the one on the DHCPv6 client side of
> the relay, vs the server side. Is that correct? (Is the
> "network-facing" terminology a term of art?)
>
> Delegating relay A delegating relay acts as an intermediate device,
> forwarding DHCPv6 messages containing IA_PD/IAPREFIX
>
> (I agree with Murray that clarification is in order here.)
>
>
> [if - copied from my reply to Murray:
>
> It’s both - the IA_PD option is a contain one or more IAPREFIX options
> (that hold prefix itself).
> Suggest changing to:
>
> “… forwarding DHCPv6 messages containing IA_PD and IAPREFIX …”
> ]
>
>
> Section 3.4
>
> It is an operational reality that client devices with duplicate MAC
> addresses and/or DUIDs exist and have been deployed. In this
> situation, the operational costs of locating and swapping out such
> devices are prohibitive.
> [...]
> It should be noted that in some access networks, the MAC address and/
> or DUID are used as part of device identification and authentication.
> In such networks, enforcing MAC address/DUID uniqueness is a
> necessary function and not considered a problem.
>
> It's not entirely clear to me that these two statements are entirely
> consistent with each other -- are the costs prohibitive, or not a
> problem? (Putting a caveat on the first statement that it also only
> applies to "some" networks, would resolve the apparent disparity.)
>
>
> [if - Suggested reword:
>
> OLD:
> "In this situation, the operational costs of locating and swapping out such
> devices are prohibitive."
>
> NEW:
> "In some networks, the operational costs of locating and swapping out
> such devices are prohibitive."
>
>
> Section 3.5
>
> [that loop sounds pretty nasty; I look forward to seeing how it's
> resolved]
>
>
> [if - R-5 is intended to solve this]
>
>
> Section 4.1
>
> G-6: The relay MUST implement a mechanism to limit the maximum
> number of active prefix delegations on a single port for all
> client identifiers and IA_PDs. This value MUST be
> configurable.
>
> This mechanism is important as a security/anti-DoS mechanism; I hope we
> note that somewhere.
>
>
> [if - Suggest that the following paragraph is added to the Security
> Considerations
>
> “Failure to implement requirement G-6 may have specific security
> implications, such
> as a resource depletion attack on the relay."
>
>
> G-8: The delegating relay MUST update the lease lifetimes based on
> the Client Reply messages it forwards to the client and only
> expire the delegated prefixes when the valid lifetime has
> elapsed.
>
> (The string "Client Reply" does not appear in RFC 8415; I'm not sure why
> it's capitalized as if it's a term of art.)
>
>
> [if - reworded to “client’s reply”]
>
>
> Section 4.2
>
> R-2: The delegating relay's routing entry MUST use the same prefix
> length for the delegated prefix as given in the IA_PD.
>
> Could this requirement ever interfere with an aggregation scenario?
> (What is it trying to prevent?)
>
>
> [if - The main problem is where a relay breaks a shorter delegated prefix
> into multiple /64s wasting its own routing table resources (this
> Has been observed). Should we add a problem description for this?
>
> Given where the delegating relay is in the network topology, I don’t see
> any aggregation problems here.]
>
>
> R-3: The relay MUST provide a mechanism to dynamically update
> ingress filters permitting ingress traffic sourced from
> client delegated leases and blocking packets from invalid
> source prefixes. This is to implement anti-spoofing as
> described in [BCP38]. The delegating relay's ingress filter
> entry MUST use the same prefix length for the delegated
> prefix as given in the IA_PD.
>
> Is this imposing a more stringent requirement than BCP38 itself (which,
> as far as I can tell, restricts itself to "all providers of Internet
> connectivity are urged to implement filtering described in this
> document" with no normative requirement. (To be clear, I'm not opposed
> to this trend, just wondering if we should note the change more
> prominently.)
>
>
> [if - BCP38 describes a problem and proposes anti-spoofing
> as a solution to this problem. The ‘all providers of Internet…’ is a plea
> to
> the ISPs to implement this solution as a policy.
>
> The text above says that the device must be capable of dynamically learning
> the delegated prefixes and applying filters based on those learnt prefixes
> so
> it is possible and operationally manageable to implement a BCP38 filtering
> policy, but does not say ‘you MUST implement BCP38’ (which I don’t think
> is in scope for this document).
>
> So, I think this isn’t more stringent - the really must be capable of
> providing
> dynamic prefix filtering and you are still urged to turn the function on
> as
> Per BCP38]
>
>
> Section 4.4
>
> O-1: The relay SHOULD implement an interface allowing the operator
> to view the active delegated prefixes. This SHOULD provide
> information about the delegated lease and client details such
> as client identifier, next-hop address, connected interface,
> and remaining lifetimes.
>
> Is this something that draft-ietf-dhc-dhcpv6-yang would provide (and
> thus merit an informative reference)?
>
>
> [if - draft-ietf-dhc-dhcpv6-yang does have state data for prefix delegation
> Information, but you could also potentially access this via CLI, web
> interface, SNMP, TR-69 etc.,
> So I don’t think that the yang module needs a special mention.]
>
>
> Section 7
>
> This document does not add any new security considerations beyond
> those mentioned in Section 22 of [RFC8213].
>
> Thanks for queuing up the reference fix per the secdir review.
> I guess both Section 22 of RFC 8415 and all of RFC 8213 are relevant?
> Though perhaps the las paragraph of the section is intended to provide
> the needed RFC 8213 reference...
>
>
> [if - We can use the following wording, as the security considerations for
> RFC8213 are also applicable:
>
> This document does not add any new security considerations beyond
> those mentioned in Section 4 of [RFC8213] and Section 22 of [RFC8415].
> ]
>
>
> [RFC8213] describes a method for securing traffic between the relay
> agent and server by sending DHCP messages over an IPsec tunnel. In
> this case the IPsec tunnel is functionally the server-facing
> interface and DHCPv6 message snooping can be carried out as
> described. It is RECOMMENDED that this is implemented by the
> delegating relay.
>
> I do not see any reference to message snooping in RFC 8213; please
> clearify.
>
>
> [If - Now I reread this, I don’t think the second sentence is needed at
> all:
>
> "[RFC8213] describes a method for securing traffic between the relay
> agent and server by sending DHCP messages over an IPsec tunnel.
> It is RECOMMENDED that this is implemented by the
> delegating relay."
>
>
> Section 8.2
>
> The discussion at
>
> https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
> combined with the way in which RFC 4443 is referenced ("An ICMPv6 Type
> 1, Code 6 (Destination Unreachable, reject route to destination) error
> message MAY be sent as per [RFC4443], section 3.1." suggest that RFC
> 4443 would be more properly classified as a normative reference.
>
>
> [if - Done]
>
>
>
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>
- [dhcwg] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… ianfarrer
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… Ms. Li HUANG