[dhcwg] Re: Intdir telechat review of draft-ietf-dhc-addr-notification-11
Bernie Volz <bevolz@gmail.com> Tue, 14 May 2024 10:16 UTC
Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9364FC14F6A9; Tue, 14 May 2024 03:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.205
X-Spam-Level:
X-Spam-Status: No, score=-1.205 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QfLTQ8AgNa6i; Tue, 14 May 2024 03:16:31 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 865DEC14F69F; Tue, 14 May 2024 03:16:31 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id af79cd13be357-78f05341128so423519485a.0; Tue, 14 May 2024 03:16:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715681789; x=1716286589; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=+UsXFs+IWOQggPoEUtRTMOA/Xbm0rR+GX2cpIFOcIVE=; b=NcjnqgxOXVbAtogr1iIgQW8anPPBU/dCScxptSD9StXaffeNAA087zSaq+dHEBzO6F MqIzdqrmce3gt0LcTJaSx6ONaGJnO3wdD01PStj2HGjhljkQAlXU2cHAg0Ewv5FOOJHD 9dJfw6VGVtTTw+xERo7VEQt/oIDok+ku+dQfFqGB9Fpe7nJxnwc+4eBL6Woa52Yl1ta2 1oH9uR5a3Y4mPU8lAwL9u2LonPLmOw2uJb1K4vq7SYu6L33B8jiuW4m35zsLrZDOb6+Q 3JPVPOwErCA9fLnUsWzhMzMk9zJ6BmfdeLXrHr1UUYc8W84XNJ5ruMsDO4KXyWqa/Mlc X1Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715681789; x=1716286589; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+UsXFs+IWOQggPoEUtRTMOA/Xbm0rR+GX2cpIFOcIVE=; b=VKHP54buNf/yVNHXKKFajQ+dcV+SEHztjiIcWSF8/tDrGaEjjv1I+UKtz6mV9avQzQ 9MeM1MoH7T8V+YU3+XoayWPdV91/GxXg1D1v6zROD4C8a1ZhiPqPf8PXrQPOSiquioXs Fzyvvoq9z20kWRkicatq+cZTH/BiEs4y3jemrz0gNB204fSEnuzb34532kUGrM8KfoVN yJMshPvrpKAHxAlK/fm6sGoIctOFY5pzR239GQzoMReQzPJK19FS/XDRoX4PpjYdP+st fgMklm5PFBXKOcnBplH2j57LZjgYbaSobeu4CR+nFP8igNNIxY76+bwzigb/MWzLlIua QczA==
X-Forwarded-Encrypted: i=1; AJvYcCXLrdOiAdRmbORFaiW5CAd5JWh4JiYeAfUNX0UqDmm5E43kOZYywbch2VFA1ZENiN76lOLRuppkJFZZB1ThOeSEHJE8pGMqVPxeyx2iXLC6q59rQAryYSWLZZz04SyfU0O77uiw1077deDk1S1xBYv+XKOe/cMC1Yvn6R8Lj2oPBbA=
X-Gm-Message-State: AOJu0YywR4Wvq2TpBAK2m/gp04S7LtzVjo0blcEugiJxhUpKasbLpXiv QkRY5MssmPogFOGDEy6pwSMpaJiqpX/Fnd8jZsSiGla1uV7cmwQr+t7H
X-Google-Smtp-Source: AGHT+IGa2Kwi6ApOayI2ldlV3LCzgoH0HqQWeKweAPDOCNjaGPexjCks9hyeP9SSPyis0lKxzmHiGQ==
X-Received: by 2002:a05:620a:450f:b0:792:de9e:a462 with SMTP id af79cd13be357-792de9ea546mr775434585a.68.1715681789343; Tue, 14 May 2024 03:16:29 -0700 (PDT)
Received: from smtpclient.apple (d-69-161-122-95.nh.cpe.atlanticbb.net. [69.161.122.95]) by smtp.gmail.com with ESMTPSA id af79cd13be357-792da262d60sm254839185a.24.2024.05.14.03.16.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 14 May 2024 03:16:28 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-C4E31D47-DA8E-40F0-B9D5-CC33E61FBC73"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Tue, 14 May 2024 06:16:17 -0400
Message-Id: <1C7C07C3-E7D3-4142-8B61-72DDA60C0452@gmail.com>
References: <CALypLp_+pSHye07wToKGwciO9C5cY6cwX1M=zGSrpg2Mc3Jsvg@mail.gmail.com>
In-Reply-To: <CALypLp_+pSHye07wToKGwciO9C5cY6cwX1M=zGSrpg2Mc3Jsvg@mail.gmail.com>
To: CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es>, Jen Linkova <furry13@gmail.com>
X-Mailer: iPad Mail (21E236)
Message-ID-Hash: IT6QTEFE4SGEH6HKYWY2BOFAV53TGSHG
X-Message-ID-Hash: IT6QTEFE4SGEH6HKYWY2BOFAV53TGSHG
X-MailFrom: bevolz@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dhcwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: int-dir@ietf.org, dhcwg@ietf.org, draft-ietf-dhc-addr-notification.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [dhcwg] Re: Intdir telechat review of draft-ietf-dhc-addr-notification-11
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/F0ZUkMZzeswXt6hmZMby9CF2M1w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Owner: <mailto:dhcwg-owner@ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Subscribe: <mailto:dhcwg-join@ietf.org>
List-Unsubscribe: <mailto:dhcwg-leave@ietf.org>
On May 14, 2024, at 6:11 AM, CARLOS JESUS BERNARDOS CANO <cjbc@it.uc3m.es> wrote:
Hi Jen,Thanks for the updates. Some quick comments inline below.Hi Carlos,
On Fri, May 10, 2024 at 7:51 AM Carlos Jesús Bernardos via Datatracker
<noreply@ietf.org> wrote:
> Based on my review, if I was on the IESG I would ballot this document as YES.
Thank you! ;)
> - At the end of section 1, it is mentioned that the mechanism described in the
> document provides parity with IPv4, by allowing a device to inform the DHCPv6
> server about a self-configured or statically configured address. Apologies for
> my ignorance on this in advance, but, is there a mechanism in IPv4 to do so for
> statically configured addresses? If so, I think adding a reference would be
> useful. If not, maybe the text can be rewritten a bit, as I would find it a bit
> unclear.
We've just submitted -12 which now says:
"This operational practice relies on the DHCP server knowing the IP
address assignments. This works quite well for IPv4 addresses, as most
addresses are either assigned by DHCP [RFC2131] or statically
configured by the network operator. For IPv6, however, this practice
is much harder to implement, as devices often self-configure IPv6
addresses via SLAAC [RFC4862].
This document provides a mechanism for a device to inform the DHCPv6
server that the device has a self-configured IPv6 address (or has a
statically configured address), and thus provides parity with IPv4, by
making DHCPv6 infrastructure aware of self-assigned IPv6 addresses."
I hope it's more clear now, pls let us know if you think further
improvements are needed.[Carlos] Fine with me, thanks!
> - It is mentioned that the client MUST include the Client Identifier option in
> the ADDRESS-REG-INFORM messages. I think this might deserve some text regarding
> how this might imply (or not) a potential privacy issue for hosts implementing
> some kind of MAC address randomization and rotation of IPv6 self-assigned
> addresses, as an observer could easily track the addresses being used and match
> those to the same device.
We don’t think this is a concern, because on-link attackers do not
need to use the client identifier to match self-assigned addresses to
devices, they can use the MAC address for that purpose.
Privacy-sensitive clients that randomize their MAC addresses should
obviously randomize their DHCPv6 Client Identifiers too. We’re not
sure this document is the right place to say so, though?[Carlos] While I agree that this is not the document to specify how to use DHCPv6 Client Identifiers, I think adding notifications that can allow an on-link attacker to match a MAC-changing device with the addresses it might be using would deserve at least a reference to the documents that have tackled the privacy issues in the past (I think there is one specifically tackling the aspects of DHCPv6).
> - It is not completely clear to me if the spec requires a client to use the
> mechanism on ALL interfaces. I mean, can a client use it just on some
> interfaces, but not all, by having configuration policies indicating on which
> ones to use it? As I read the document, it seems to imply that if it is used on
> one interface, it MUST be used on all of them.
Oh very good point, I didn't realize we are not making that part
clear. No, as the registration messame must be sent from the address
being registered (section 4.2 does say that), and the registration
support is network-specific, the client should (must) enable this on
per-interface basis.
We have added the following text to Section 4.4:
"A client with multiple interfaces MUST discover address registration
support for each interface independently. The client MUST NOT send
address registration messages on a given interface unless the client
has discovered that the interface is connected to a network which
supports address registration."[Carlos] Great, thanks!
> - Minor nit (or maybe just nothing at it is just that I’m not a native English
> speaker): “to specify the address to being registered” -> I guess the “to”
> should be removed.
Yeah, a typo, fixed![Carlos] Thanks!
--
Cheers, Jen Linkova
- [dhcwg] Re: Intdir telechat review of draft-ietf-… Bernie Volz
- [dhcwg] Intdir telechat review of draft-ietf-dhc-… Carlos Jesús Bernardos via Datatracker
- [dhcwg] Re: Intdir telechat review of draft-ietf-… Jen Linkova
- [dhcwg] Re: Intdir telechat review of draft-ietf-… CARLOS JESUS BERNARDOS CANO
- [dhcwg] Re: Intdir telechat review of draft-ietf-… CARLOS JESUS BERNARDOS CANO
- [dhcwg] Re: Intdir telechat review of draft-ietf-… Jen Linkova
- [dhcwg] Re: Intdir telechat review of draft-ietf-… CARLOS JESUS BERNARDOS CANO