Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA
Alexandre Petrescu <alexandre.petrescu@gmail.com> Wed, 18 October 2017 20:08 UTC
Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47BF13432C for <dhcwg@ietfa.amsl.com>; Wed, 18 Oct 2017 13:08:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Level:
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0KjXrpz69DlH for <dhcwg@ietfa.amsl.com>; Wed, 18 Oct 2017 13:08:26 -0700 (PDT)
Received: from cirse-smtp-out.extra.cea.fr (cirse-smtp-out.extra.cea.fr [132.167.192.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D502F13308A for <dhcwg@ietf.org>; Wed, 18 Oct 2017 13:08:25 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by cirse-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id v9IK8Mrn036069; Wed, 18 Oct 2017 22:08:22 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 07960206A75; Wed, 18 Oct 2017 22:08:22 +0200 (CEST)
Received: from muguet1.intra.cea.fr (muguet1.intra.cea.fr [132.166.192.6]) by pisaure.intra.cea.fr (Postfix) with ESMTP id EDA26206789; Wed, 18 Oct 2017 22:08:21 +0200 (CEST)
Received: from [132.166.84.78] ([132.166.84.78]) by muguet1.intra.cea.fr (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id v9IK8L2a028116; Wed, 18 Oct 2017 22:08:21 +0200
To: "Bernie Volz (volz)" <volz@cisco.com>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
References: <149869621720.6575.278128190348174876@ietfa.amsl.com> <08e4e953-3a68-d6cb-6066-f60514ef0ac5@gmail.com> <3285281858d043649d507b6bda7b8646@XCH-ALN-003.cisco.com> <1f94b780-59c1-42ce-936d-0c8a71143444@gmail.com> <37917a26062f4e4c9715d324604e4d01@XCH-ALN-003.cisco.com> <d944ac55-d67d-d7d4-8eeb-f60438fdda2d@gmail.com> <35558A79-C176-4D71-9E91-4BDB19DDD006@cisco.com> <67ba54d2-d53f-82bf-93c9-1b92631ef4e8@gmail.com> <86409a9acb7846ddbdff42c58328e7d6@XCH-ALN-003.cisco.com> <eccd5dd2-3542-fdbc-89a2-7d13d563163d@gmail.com> <2fbc8325961c49a1944e3ee216fcb032@XCH-ALN-003.cisco.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <a3f9cd45-403a-c6f6-6e9a-98a9b651a339@gmail.com>
Date: Wed, 18 Oct 2017 22:08:19 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <2fbc8325961c49a1944e3ee216fcb032@XCH-ALN-003.cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/C0Bw_f7bWrI-MsXAgQ2Bk1TotH0>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2017 20:08:29 -0000
Le 18/10/2017 à 20:13, Bernie Volz (volz) a écrit : >> But I need guidance to the following question: if the Client sends >> a Solicit with a LL in src, MUST the Server reply to it? (yes/no >> is the needed guidance). > > A server may not respond to a client for a variety of reasons, but > we'll assume none of those apply here (hence "MUST" is dangerous). > > I don't see why a server would drop a Solicit just because there is a > LL in src -- I would think that would be the NORMAL case and hence > the server would respond. (Of course, we assume that LL is valid here > and can be used.) Again, the NORMAL case for this particular Server, is to show GUA-in-src, not LL-in-src. It is a simulator from a large equipment manufacturer. That simulator is pretended to work accordingly to the real network. > I could see that if a client used a GLA and the server was the first > hop (no relay), it could drop it if the GLA address as it could mean > it has no configuration for that "location". Remember the text from > 13.1: > >> * If the server receives the message directly from the client and >> the source address in the IP datagram in which the message was >> received is not a link-local address, then the client is on the >> link identified by the source address in the IP datagram (note that >> this situation can occur only if the server has enabled the use of >> unicast message delivery by the client and the client has sent a >> message for which unicast delivery is allowed). > > Also, some servers could respond with Use Multicast unless > server-unicast option has been configured. It may be that they use > the source address to determine this (rather than the destination > address, which as you say really should be used when server receives > packet directly)? > > > I'm confused as I think you are saying in: > >> I explain why: about 4 distinct clients use LL in src. If I want >> these clients to use GUA then I must delete the LL from the >> interface. > > That you actually want the global unicast address to be used by the > client, not the link-local? I want to not modify the Clients. The 4 Clients all use LL-in-src. But the Server examples use GUA-in-src. A Server example is a packet trace executed on a simulator that pretends to be like in reality. That simulator uses GUA-in-src. So, I am told, if I want to be interoperable to that Server, I must do what that simulator does: put GUA-in-src. So I delete the LL from the interface on the Client. Do you think it is normal to delete the LL from the interface? > For what it is worth, the server I work on doesn't care what the > client's source address is. We monitor the destination address (when > packet is received). "Does not care" - ok. But does it accept a Solicit with LL-in-src? Alex > > - Bernie > > -----Original Message----- From: Alexandre Petrescu > [mailto:alexandre.petrescu@gmail.com] Sent: Wednesday, October 18, > 2017 1:42 PM To: Bernie Volz (volz) <volz@cisco.com> Cc: > dhcwg@ietf.org Subject: Re: [dhcwg] I-D Action: > draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix > Delegation - src LL vs GUA > > > > Le 18/10/2017 à 18:31, Bernie Volz (volz) a écrit : >> Actually, the guidance is already there? See section 13.1. >> >> * If the server receives the message directly from the client and >> the source address in the IP datagram in which the message was >> received is a link-local address, then the client is on the same >> link to which the interface over which the message was received is >> attached. >> >> * If the server receives the message directly from the client and >> the source address in the IP datagram in which the message was >> received is not a link-local address, then the client is on the >> link identified by the source address in the IP datagram (note that >> this situation can occur only if the server has enabled the use of >> unicast message delivery by the client and the client has sent a >> message for which unicast delivery is allowed). > > That is useful guidance if the question was about on which link this > Client was. In my case the link involves GTP, UDPv4 and IPv6. > > But I need guidance to the following question: if the Client sends a > Solicit with a LL in src, MUST the Server reply to it? (yes/no is > the needed guidance). > > I explain why: about 4 distinct clients use LL in src. If I want > these clients to use GUA then I must delete the LL from the > interface. > > Alex > >> >> In the relay case, the client's source address doesn't really come >> into play at all. So, in the case technically the client could use >> either. But since the client has no idea whether a relay will be >> present, it should follow these rules. >> >> The document has been submitted to the AD for publication. If you >> have concerns or issues, you can always make the AD aware of these >> or await the IETF Last-Call period to raise your issues. >> >> - Bernie >> >> -----Original Message----- From: Alexandre Petrescu >> [mailto:alexandre.petrescu@gmail.com] Sent: Wednesday, October 18, >> 2017 12:01 PM To: Bernie Volz (volz) <volz@cisco.com> Cc: >> dhcwg@ietf.org Subject: Re: [dhcwg] I-D Action: >> draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix >> Delegation - src LL vs GUA >> >> >> >> Le 18/10/2017 à 16:25, Bernie Volz (volz) a écrit : >>> Hi Alex: >>> >>> Does it really matter what the Client’s source address >> >> Yes it is guidance that I need. >> >> Alex >> >> is as long as >>> the client can receive packets sent to that address (by a relay >>> or server that is on that link)? These are link-local packets and >>> so no router should be involved in them (that’s what the relay >>> agent is there for – to forward the packets to servers not on the >>> local link). >>> >>> - Bernie >>> >>> On 10/18/17, 10:06 AM, "Alexandre Petrescu" >>> <alexandre.petrescu@gmail.com> wrote: >>> >>> Bernie, >>> >>> Le 13/07/2017 à 19:38, Bernie Volz (volz) a écrit : [...] >>> >>>> Regarding Link Local vs GLA in Solicit, I think following the >>>> specification would be recommended. Use link-local. >>> >>> But the I-D 3315bis says this: >>>> Clients and servers exchange DHCP messages using UDP >>>> [RFC0768]. The client uses a link-local address or addresses >>>> determined through other mechanisms for transmitting and >>>> receiving DHCP messages. >>> ^^^^^^^^^^^^^^^^ >>> >>> This "other mechanisms" means that a GUA generated with SLAAC >>> could be used as an src in a DHCPv6 Solicit. >>> >>> >>> [...] >>>> Note also that section 13.1 (for the unicast, GLA case) >>>> assumes the message was not multicast (section 18.4 about >>>> UseMulticast Status talks about "Reception of Unicast >>>> Messages"). >>> >>> Hm, that lokks like a relatively less explicit if not outright >>> silent assumption(?) Or maybe I did not look well enough in the >>> I-D? >>> >>> There is a particular equipment manufacturer's simulator >>> software, and potentially real hardware, that uses GUA in src and >>> dst multicast with link scope ff02::1:2.547, in the DHCPv6 >>> Solicit. >>> >>> If this behaviour is standard (src GUA and dst ff02::1:2) then >>> it should be in the draft. If it's not standard: it should get >>> corrected in the simulated and in the real implementation. >>> >>> Because other software than the one from the particular >>> equipment manufacturer uses src LL and dst ff02::1:2. >>> >>> Side note: >>> >>>> I think section 13.1 was written with the assumption that >>>> determining the destination address of a packet is harder than >>>> obtaining the source address; hence the assumption is that if a >>>> GLA is used as the source address, it was not a multicast [to >>>> the link-local multicast address]. Today, kernels typically >>>> provide the ability to get the destination address, not just >>>> the source address (though it takes a bit more code to do so). >>> >>> The picture may be different on point-to-point links like >>> cellular links. It's multicast, but it's just two nodes and they >>> are always seeing each other. Besides, one of the nodes >>> allocates an address to the other node by other means than SLAAC, >>> and it knows it. >>> >>> Alex >>> >>>> >>>> >>>>> I can say e.g. some (I believe Cisco) client puts a GUA in >>>>> the src of aDHCPv6 Solicit. >>>> >>>> That's a bit of a broad statement as Cisco has many different >>>> devices (and many different operating systems and versions) >>>> ... perhaps if you could indicate which device(s) and software >>>> versions you've found this to be the behavior on, I can perhaps >>>> follow up. >>>> >>>> I will also add that in many cases when devices are doing >>>> DHCPv6, they will only have a LL so it may also depend on the >>>> network configuration. >>>> >>>> - Bernie >>>> >>>> -----Original Message----- From: Alexandre Petrescu >>>> [mailto:alexandre.petrescu@gmail.com] Sent: Thursday, July 13, >>>> 2017 12:01 PM To: Bernie Volz (volz) <volz@cisco.com> Cc: >>>> dhcwg@ietf.org Subject: Re: [dhcwg] I-D Action: >>>> draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit >>>> Prefix Delegation >>>> >>>> Bernie, >>>> >>>> Le 12/07/2017 à 23:33, Bernie Volz (volz) a écrit : >>>>> Hi: >>>>> >>>>>> What is the Hop Limit that a Solicit should contain in the >>>>>> IPv6 header? >>>>> >>>>> ND uses hop limit of 255 so the destination can check that it >>>>> is 255 on receipt (whereas 1 could have been anything and >>>>> forwarded many times). >>>>> >>>>> But I'm not sure if that is a the best practice when you >>>>> don't want the packet forwarded. I would think that if the >>>>> destination is a link-local multicast, it really doesn't >>>>> matter as nothing should forward the packet (and if something >>>>> is misconfigured to forward the packet, you're probably in >>>>> deeper trouble than just with DHCPv6). >>>>> >>>>> RFC 4861 has: >>>>> >>>>> 11.2. Securing Neighbor Discovery Messages >>>>> >>>>> The protocol reduces the exposure to the above threats in >>>>> the absence of authentication by ignoring ND packets received >>>>> from off-link senders. The Hop Limit field of all received >>>>> packets is verified to contain 255, the maximum legal value. >>>>> Because routers decrement the Hop Limit on all packets they >>>>> forward, received packets containing a Hop Limit of 255 must >>>>> have originated from a neighbor. >>>>> >>>>> I don't know off hand if there's any place this is >>>>> documented (what to use for hop limit with link-local). >>>> >>>> I think your explanation makes sense about ND. >>>> >>>> But, about DHCP, I need to know whether a DHCP Solicit with >>>> HopLimit 1 is valid or not. >>>> >>>> As I said earlier, some DHCP clients set it at 255 whereas >>>> others at 1. >>>> >>>> In some setting, the DHCP Solicit is encapsulated in IPv4. >>>> Some of the decapsulation RFCs say that the HopLimit is >>>> decremented. >>>> >>>> In that setting, it is not clear whether decrementing the hop >>>> limit happens, or not. >>>> >>>> But I want to make sure the client which sets HopLimit at 1 >>>> (odhcp6c) is the right way to do. >>>> >>>> I think a good place to clarify this is in the DHCP spec. >>>> >>>> The spec could say that the HopLimit has some preferred value. >>>> >>>>>> Is IA_NA with empty fields a valid option in a Prefix >>>>>> Delegation Solicit, or must IA_NA be absent altogether? >>>>>> (the intention is to only request the Prefix, because the >>>>>> address comes from RA). >>>>> >>>>> Not sure what an "empty" IA_NA is. Whether you include an >>>>> IA_NA or not with IA_PD is the client's choice. If it what's >>>>> an address (such as for management) on the upstream link, >>>>> than it should include an IA_NA. This is covered in the text >>>>> in 6.3 (IA_PD only) vs 6.4 (IA_PD and IA_NA, typically). >>>> >>>> Noted. >>>> >>>>>> Is ORO with empty fields illegal in a Prefix Delegation >>>>>> Solicit? (the intention is to get the DNS server from RA, >>>>>> but some client puts an empty ORO there). >>>>> >>>>> An empty ORO is fine (it should not cause problems, but is >>>>> obviously useless). Though if they are following the >>>>> rfc3315bis and doing what they should, there would not be an >>>>> empty ORO. >>>> >>>> Noted. >>>> >>>>>> Is it ok to use a GUA in the src address of a Solicit >>>>>> Prefix Delegation? >>>>> >>>>> See 13.1 of draft-ietf-dhc-rfc3315bis-09 ... the source >>>>> address here should be link-local. >>>> >>>> Well, that contradicts some trial. >>>> >>>> I can say e.g. some (I believe Cisco) client puts a GUA in the >>>> src of a DHCPv6 Solicit. Other DHCP clients have this optional >>>> between LLA or GUA. The operator I work with wants it to be a >>>> GUA. >>>> >>>> As such, I dont know what is the way forward: should the spec >>>> get updated? shoudl the operator change? should the Cisco >>>> implementation change? >>>> >>>> Alex >>>> >>> >>>
- [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.… internet-drafts
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Templin, Fred L
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Vízdal Aleš
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Vízdal Aleš
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Vízdal Aleš
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Vízdal Aleš
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… 神明達哉
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… 神明達哉
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Alexandre Petrescu
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Templin, Fred L
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Templin, Fred L
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Roy Marples
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Roy Marples
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Bernie Volz (volz)
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Roy Marples
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… Ted Lemon
- Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis… mohamed.boucadair