Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: (with COMMENT)
ianfarrer@gmx.com Thu, 17 December 2020 12:26 UTC
Return-Path: <ianfarrer@gmx.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1907A3A03EE; Thu, 17 Dec 2020 04:26:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYyVLijazx-7; Thu, 17 Dec 2020 04:26:38 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B9273A0332; Thu, 17 Dec 2020 04:26:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1608207988; bh=mEiFpFBQkYzpN6TlgThdMSbWTuXLiiAquVVpA9JuOdI=; h=X-UI-Sender-Class:From:Subject:Date:In-Reply-To:Cc:To:References; b=ZsDCwUmYKbwUhzGtRWE/1/eC2jB+dT096h4L9L4tc0jtyu87dGRYbnK3g/WGhlFne jOkXQStcg5TVqmU2WuEhyX9repxgQoQIAAzqesYsnm4DIwehoDQvH1WTpQNIxXgBuN 1SDOITUZdO902TIvy/7aNpq8Ydf1H5RZe2Mo41UQ=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from mbp-big-sur.fritz.box ([78.35.186.37]) by mail.gmx.com (mrgmx004 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MqJqD-1kKRPj1IUl-00nOYl; Thu, 17 Dec 2020 13:26:28 +0100
From: ianfarrer@gmx.com
Message-Id: <7A1F2ECE-ADCA-45C2-9346-0284C4D9BD69@gmx.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_80DE3EE8-18C7-46B3-9150-7BEE72CFE66C"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.40.0.2.32\))
Date: Thu, 17 Dec 2020 13:26:26 +0100
In-Reply-To: <160815537932.15316.13512777611575892764@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org, dhc-chairs@ietf.org, Bernie Volz <volz@cisco.com>, dhcwg@ietf.org
To: Benjamin Kaduk <kaduk@mit.edu>
References: <160815537932.15316.13512777611575892764@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3654.40.0.2.32)
X-Provags-ID: V03:K1:EmJc6lIue4R5DnjBs4ntbrdhE/hDMeFfHMh0bVIoZOQVzT9sLFd YhlEmfr3JG4NPa7SFzHgAjqMS/WiXbdqnSh17C4ubinJqRUUmgkMiDDwVF3q8opQjFPUNv0 hZKuKqgx97GAasc0loJUYGjYdWQvmt/Y/1eMfcXk/+qCzxsM5mvdXvq9Eq9y/10HexIpAOR JyRVs+J1ch2QhBtc93naQ==
X-UI-Out-Filterresults: notjunk:1;V03:K0:IOjZG0i/+GM=:l9moHNNX4j5+WDFMbKw3x1 +wbMVGkS+RHSdf2wogSukfrKTDt4v5oU7PB2qZVTLTTrED4kgpARbFgDfgqOK9/IMlG9E0xi5 M1/fyB72P/o037ukkD9mIUCCfxf8k9BVr/LZzcSbii6NdZssamBOjbmGC5o7ymfWEYhTs9Eff 8+t0f+YgBZZPpwp5+38u6ME11BAEzcs8jD/fnXNiJEkcJtoHcRMiQqPmb+gpzdKok9Q9+IYle xaqYjDqNXWltoQRYqfQrDcDxg2Vdvxk3vnd/LnLkVtjF50Fi5WA9r67W5hOazk2uHrdvWzh2l 3XLk1Sv7LKRlPzcC9+stMCQzZKpyz5Ng+Jn1R8GjX0gq7fkInvRa7fm3VENxwx/5RnztUgpAK +9sa12bkEqwbl+kSNpIbV/ZOfBCUBDNfpwf66r4d6pC710GHl5fwUvAIkF9X5cr9i6ZmE62hj iM408TzXQEpK1oe4qUaCCuJ8ccEEuFZA2NIhv5oY4knL/GzZqez9N5RhuTN6lx1AGK1Hi0MEr fIRDCh4HoWiBMpOuiiY+V+FIaYs/t+MZgNYiHPdrCDH6xJ0X4F79JeyCAGNr1jdqIkgCZtCPv qwoKI9LKW2FEC/nQhy7rMVAaok42ywJsg9pBDt4nvEUZM2S3+59QXbGdYuPE2mgQWxB+QgkpX s98bZose6hy2JtflkAmFUDnCGeaw/ZOujiwt/iJE42Mj1h++Hw6T+YC9S16TDf0U7skgnm/xJ zO2mOv7vl/0rW4CQohjC1zQd8x/Cs6i135MhU22DuNehPihR5I0T7v1C8ZSFLZ7PMG7sVbo+M P+HAKBPsk0cLZYCvM/BOS7I7aivfQZweFmkZduthGc06d8CY9V9x1y4+/a7qqSq5i0cmkZjGK xTi/7sqSkb12hRDJtJ5w==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/FoZYSeU7yMUVZQlQjej0E2HV4Gg>
Subject: Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 12:26:43 -0000
Hi Benjamin, Many thanks for your comments. Please see inline below. Ian > On 16. Dec 2020, at 22:49, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dhc-dhcpv6-pd-relay-requirements-04: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-pd-relay-requirements/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks to Christian Huitema for the secdir review and to all for the > ensuing discussion (even though this draft is agreed to not be the right > place to address the topic of securing the DHCP client/DHCP relay > communications). > > Thanks for this document; it's good to see this type of functional > requirements get written out clearly. That said, I'm not sure I > understand why this document is aiming for Proposed Standard status. It > seems to make normative requirements for DHCPv6 relay behavior, but does > not have an "Updates:" relationship with RFC 8415 to indicate that > additional requirements are present. On the other hand, there are no > new protocol mechanisms to indicate that it is a protocol that would be > implemented on its own. Is it intended to play the role of an > Applicability Statement? > > Section 1 > > The mechanisms for a relay to inject routes (including aggregated > ones), on its network-facing interface based on prefixes learned from > a server via DHCP-PD are out of scope of the document. > > Just to check my understanding: the context suggests that the > "network-facing interface" here is the one on the DHCPv6 client side of > the relay, vs the server side. Is that correct? (Is the > "network-facing" terminology a term of art?) > > Delegating relay A delegating relay acts as an intermediate device, > forwarding DHCPv6 messages containing IA_PD/IAPREFIX > > (I agree with Murray that clarification is in order here.) [if - copied from my reply to Murray: It’s both - the IA_PD option is a contain one or more IAPREFIX options (that hold prefix itself). Suggest changing to: “… forwarding DHCPv6 messages containing IA_PD and IAPREFIX …” ] > > Section 3.4 > > It is an operational reality that client devices with duplicate MAC > addresses and/or DUIDs exist and have been deployed. In this > situation, the operational costs of locating and swapping out such > devices are prohibitive. > [...] > It should be noted that in some access networks, the MAC address and/ > or DUID are used as part of device identification and authentication. > In such networks, enforcing MAC address/DUID uniqueness is a > necessary function and not considered a problem. > > It's not entirely clear to me that these two statements are entirely > consistent with each other -- are the costs prohibitive, or not a > problem? (Putting a caveat on the first statement that it also only > applies to "some" networks, would resolve the apparent disparity.) [if - Suggested reword: OLD: "In this situation, the operational costs of locating and swapping out such devices are prohibitive." NEW: "In some networks, the operational costs of locating and swapping out such devices are prohibitive." > > Section 3.5 > > [that loop sounds pretty nasty; I look forward to seeing how it's > resolved] [if - R-5 is intended to solve this] > > Section 4.1 > > G-6: The relay MUST implement a mechanism to limit the maximum > number of active prefix delegations on a single port for all > client identifiers and IA_PDs. This value MUST be > configurable. > > This mechanism is important as a security/anti-DoS mechanism; I hope we > note that somewhere. [if - Suggest that the following paragraph is added to the Security Considerations “Failure to implement requirement G-6 may have specific security implications, such as a resource depletion attack on the relay." > > G-8: The delegating relay MUST update the lease lifetimes based on > the Client Reply messages it forwards to the client and only > expire the delegated prefixes when the valid lifetime has > elapsed. > > (The string "Client Reply" does not appear in RFC 8415; I'm not sure why > it's capitalized as if it's a term of art.) [if - reworded to “client’s reply”] > > Section 4.2 > > R-2: The delegating relay's routing entry MUST use the same prefix > length for the delegated prefix as given in the IA_PD. > > Could this requirement ever interfere with an aggregation scenario? > (What is it trying to prevent?) [if - The main problem is where a relay breaks a shorter delegated prefix into multiple /64s wasting its own routing table resources (this Has been observed). Should we add a problem description for this? Given where the delegating relay is in the network topology, I don’t see any aggregation problems here.] > > R-3: The relay MUST provide a mechanism to dynamically update > ingress filters permitting ingress traffic sourced from > client delegated leases and blocking packets from invalid > source prefixes. This is to implement anti-spoofing as > described in [BCP38]. The delegating relay's ingress filter > entry MUST use the same prefix length for the delegated > prefix as given in the IA_PD. > > Is this imposing a more stringent requirement than BCP38 itself (which, > as far as I can tell, restricts itself to "all providers of Internet > connectivity are urged to implement filtering described in this > document" with no normative requirement. (To be clear, I'm not opposed > to this trend, just wondering if we should note the change more > prominently.) [if - BCP38 describes a problem and proposes anti-spoofing as a solution to this problem. The ‘all providers of Internet…’ is a plea to the ISPs to implement this solution as a policy. The text above says that the device must be capable of dynamically learning the delegated prefixes and applying filters based on those learnt prefixes so it is possible and operationally manageable to implement a BCP38 filtering policy, but does not say ‘you MUST implement BCP38’ (which I don’t think is in scope for this document). So, I think this isn’t more stringent - the really must be capable of providing dynamic prefix filtering and you are still urged to turn the function on as Per BCP38] > > Section 4.4 > > O-1: The relay SHOULD implement an interface allowing the operator > to view the active delegated prefixes. This SHOULD provide > information about the delegated lease and client details such > as client identifier, next-hop address, connected interface, > and remaining lifetimes. > > Is this something that draft-ietf-dhc-dhcpv6-yang would provide (and > thus merit an informative reference)? [if - draft-ietf-dhc-dhcpv6-yang does have state data for prefix delegation Information, but you could also potentially access this via CLI, web interface, SNMP, TR-69 etc., So I don’t think that the yang module needs a special mention.] > > Section 7 > > This document does not add any new security considerations beyond > those mentioned in Section 22 of [RFC8213]. > > Thanks for queuing up the reference fix per the secdir review. > I guess both Section 22 of RFC 8415 and all of RFC 8213 are relevant? > Though perhaps the las paragraph of the section is intended to provide > the needed RFC 8213 reference... [if - We can use the following wording, as the security considerations for RFC8213 are also applicable: This document does not add any new security considerations beyond those mentioned in Section 4 of [RFC8213] and Section 22 of [RFC8415]. ] > > [RFC8213] describes a method for securing traffic between the relay > agent and server by sending DHCP messages over an IPsec tunnel. In > this case the IPsec tunnel is functionally the server-facing > interface and DHCPv6 message snooping can be carried out as > described. It is RECOMMENDED that this is implemented by the > delegating relay. > > I do not see any reference to message snooping in RFC 8213; please > clearify. [If - Now I reread this, I don’t think the second sentence is needed at all: "[RFC8213] describes a method for securing traffic between the relay agent and server by sending DHCP messages over an IPsec tunnel. It is RECOMMENDED that this is implemented by the delegating relay." > > Section 8.2 > > The discussion at > https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ > combined with the way in which RFC 4443 is referenced ("An ICMPv6 Type > 1, Code 6 (Destination Unreachable, reject route to destination) error > message MAY be sent as per [RFC4443], section 3.1." suggest that RFC > 4443 would be more properly classified as a normative reference. [if - Done] > > > > _______________________________________________ > dhcwg mailing list > dhcwg@ietf.org > https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… ianfarrer
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… Ms. Li HUANG