IETF Logo Mail Archive

Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by December 11, 2023

Daryll Swer <contact@daryllswer.com> Sun, 24 December 2023 07:48 UTC

Return-Path: <contact@daryllswer.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EAB1C14F60F for <dhcwg@ietfa.amsl.com>; Sat, 23 Dec 2023 23:48:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=daryllswer.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnu49KDoGu3F for <dhcwg@ietfa.amsl.com>; Sat, 23 Dec 2023 23:48:06 -0800 (PST)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63CEDC14F60D for <dhcwg@ietf.org>; Sat, 23 Dec 2023 23:48:05 -0800 (PST)
Received: by mail-io1-xd2d.google.com with SMTP id ca18e2360f4ac-7b7fdde8b26so137107939f.1 for <dhcwg@ietf.org>; Sat, 23 Dec 2023 23:48:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daryllswer.com; s=google; t=1703404084; x=1704008884; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CgQ2tCSkhqFQW+XUgWJKHOSXrgiL7qVU+sZdGy2mRrQ=; b=g5DIBqTfFxIV3hhHJ8zVkUIYghH5CVr5mkrnZZWu3bdFRrEWoXNgMFqum4S8Xjq3mo 70ZnC0BdveZheEOSvzBOTPwrOctnp7cV6BP4U2HudU7gXpQru2KSDYREQy66VsJyu2Zi bZZrKOLykQI83iFC2UJGzGfGecRk5ofpQ+1e3QSGhOd++a8kKgdPpzXdh1lZQKQAANQe XOhVN3gvfNQ3p5Cx/dppTRwD3zmLJndZF5SpOCpGJhqa/X2BDp3BV6SGG5NSMfq6DqbA nd5mRD0EW2i4azhFTXMSuIZqWbWQu3ZwBlTIZkSqejj71okG2lxFeyDh+ncV4IpfrZwF MMtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703404084; x=1704008884; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CgQ2tCSkhqFQW+XUgWJKHOSXrgiL7qVU+sZdGy2mRrQ=; b=YcizEGCI8B3PuqrkM17qPtc895hIE5XLfqCCZGg1GyFUnvVA2MyXMd+v+1i5FVBsE8 C6AKsXqcm66dDL54irguydK3mb+j7HpTdkjCh2dPosZHQRM2NOZCNSnLyCmq8SzjAI20 Q4JXmQbggz6UDZGNBwyx0vfzFPSqBE+Ymt0BJBpnmJogUX7vHUbHLu3vzG2JIZOwVaoA onjYSOSwWzDlPvFecjwoCjvdZa6F/WWWh09FLtIKyt1B153zzO9QTAVuNXkbP4/cMa2J GiAK3qwWGJWEsm/3tdzp9lJPCOE70A2SMEftNmLmhW5ZktC+N+kLPG89d8w46gd0XQ08 5gog==
X-Gm-Message-State: AOJu0YxwYP/Rvm9q5tZSEAn1MwSA8qom285D2Q2DTse8KcMxfnQ3gyOY K8qdVl3YVYWDfbuKmXR/U6U4kZU1/OVUoQO71be/DLsLIdptoTcc
X-Google-Smtp-Source: AGHT+IH1mjWEFci60s+Zgrq2NkboGVKm/IoknTaMFD8z4XEqNjC3Rsdl2QENNkVKfefn5jETE6EmDg==
X-Received: by 2002:a05:6602:55:b0:7ba:7db5:1e62 with SMTP id z21-20020a056602005500b007ba7db51e62mr4827758ioz.14.1703404084128; Sat, 23 Dec 2023 23:48:04 -0800 (PST)
Received: from mail-il1-f173.google.com (mail-il1-f173.google.com. [209.85.166.173]) by smtp.gmail.com with ESMTPSA id fr11-20020a056638658b00b004300eca209csm1944263jab.112.2023.12.23.23.48.03 for <dhcwg@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 23 Dec 2023 23:48:03 -0800 (PST)
Received: by mail-il1-f173.google.com with SMTP id e9e14a558f8ab-35fd04ede25so13427905ab.0 for <dhcwg@ietf.org>; Sat, 23 Dec 2023 23:48:03 -0800 (PST)
X-Received: by 2002:a05:6e02:1c4a:b0:35f:cb85:7773 with SMTP id d10-20020a056e021c4a00b0035fcb857773mr6828351ilg.32.1703404083357; Sat, 23 Dec 2023 23:48:03 -0800 (PST)
MIME-Version: 1.0
References: <CACyFTPE0+aV35JgVCL62T3NKL_tFkxuvM=Wfq0xpcw5_Ra-u_A@mail.gmail.com> <CAKD1Yr1MDZWKdpb_afqCP4B8SaG9Bx5A3RqWqZ4t_WZHtuFwow@mail.gmail.com>
In-Reply-To: <CAKD1Yr1MDZWKdpb_afqCP4B8SaG9Bx5A3RqWqZ4t_WZHtuFwow@mail.gmail.com>
From: Daryll Swer <contact@daryllswer.com>
Date: Sun, 24 Dec 2023 13:17:24 +0530
X-Gmail-Original-Message-ID: <CACyFTPF=LG8UJAesoOONAYYY=tQrrgdcW+yR97e7OroPJV+XDA@mail.gmail.com>
Message-ID: <CACyFTPF=LG8UJAesoOONAYYY=tQrrgdcW+yR97e7OroPJV+XDA@mail.gmail.com>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Cc: Daryll Swer <contact=40daryllswer.com@dmarc.ietf.org>, dhcwg@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004c322b060d3cabe1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/G1l9y5Fms2flmvCbqlJ4tr27mbo>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by December 11, 2023
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Dec 2023 07:48:09 -0000

> The intent was that the client is not required to do so, but it could
choose to do so. For example, consider the deployment model in
draft-ietf-v6ops-dhcp-pd-per-device. The client would get a prefix from the
network and could form addresses from it. But the network wouldn't
necessarily know which addresses the client is using. So it cannot reach
the client, add a DNS record for it, etc. The client could inform the
server of these addresses using the address notification mechanism defined
in this document.

Ah okay, that does make perfect sense. Perhaps, in the draft it may be
beneficial (for future revision), to clarify on that particular line, with
the explanation you provided above, I feel the original line is a bit
ambiguous and could potentially lead to "open for interpretation"
issue with vendors if
they try to implement this document in the future.

Another query:
> If a network is using FCFS SAVI [RFC6620], then the DHCPv6 server can
trust that the ADDR-REG-INFORM message was sent by the legitimate holder of
the address. This prevents a host from registering an address owned by
another host.

>From what I can gather, it appears there's not a lot of vendor support
for RFC6620, currently. Is there anything that can be done through
the addr-notification document to mitigate (to a small extent) the
described potential attack vector?

>  An attacker may attempt to register a large number of addresses in quick
succession in order to overwhelm the address registration server and / or
fill up log files.

Perhaps, we can allow a configurable rate-limit variable for the DHCPv6
server to limit the number of "accepted" ADDR-REG-INFORM on a per-MAC
basis? For example, if we had an ADDR-REG-INFORM-LIMIT variable, and we set
it to 20, then this would mean a client (from a specific MAC address)
sending more than 20 ADDR-REG-INFORM messages (containing more than 20
addresses) will be deemed invalid exceeding the first initial 20 addresses,
so any "addresses" past the configured limit will be rejected. At least for
the purpose of non-PD (I can see such a variable, may potentially become a
problem in the case of PD).

*--*
Best Regards
Daryll Swer
Website: daryllswer.com
<https://mailtrack.io/link/f4c2d00a5afe436cbbe2efb2e4079e0c912339d4?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=89f0d2b7992a71b9>


On Sun, 24 Dec 2023 at 12:52, Lorenzo Colitti <lorenzo=
40google.com@dmarc.ietf.org> wrote:

> On Sun, Dec 24, 2023 at 2:28 PM Daryll Swer <contact=
> 40daryllswer.com@dmarc.ietf.org> wrote:
>
>> Does this imply that, if for example, I have a DHCPv6 server running on a
>> VLAN, and on this particular VLAN, I delegate via ia_pd to my client, a
>> /56, the client needs to inform back to my DHCPv6 server
>> through ADDR-REG-INFORM, whenever the client uses some addresses out of the
>> delegated /56? If the implication is yes, then would this not make it a
>> redundant functionality? As the DHCPv6 server will, anyway, already have
>> knowledge of which client received which ia_pd prefix, therefore if we do
>> need to identify a particular /128 IPv6 address client origin, we can do so
>> by looking at the ia_pd pools.
>>
>
> The intent was that the client is not required to do so, but it could
> choose to do so. For example, consider the deployment model in
> draft-ietf-v6ops-dhcp-pd-per-device
> <https://datatracker.ietf.org/doc/draft-ietf-v6ops-dhcp-pd-per-device/>.
> The client would get a prefix from the network and could form addresses
> from it. But the network wouldn't necessarily know which addresses the
> client is using. So it cannot reach the client, add a DNS record for it,
> etc. The client could inform the server of these addresses using the
> address notification mechanism defined in this document.
>
> Does that match your reading of the doc?
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>

v2.23.0 | Report a Bug | By Email