Re: [dhcwg] Adam Roach's No Objection on draft-ietf-dhc-dhcp4o6-saddr-opt-06: (with COMMENT)
<ian.farrer@telekom.de> Fri, 12 October 2018 11:44 UTC
From: ian.farrer@telekom.de
To: adam@nostrum.com, iesg@ietf.org
CC: draft-ietf-dhc-dhcp4o6-saddr-opt@ietf.org, volz@cisco.com, dhcwg@ietf.org, dhc-chairs@ietf.org
Date: Fri, 12 Oct 2018 11:40:55 +0000
Message-ID: <37745894-CA7C-486E-811D-20117BD894CF@telekom.de>
References: <153921610191.5820.17903104275311003818.idtracker@ietfa.amsl.com>
In-Reply-To: <153921610191.5820.17903104275311003818.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/G42DkTnnj_JZ3qojchrJ2v10KyM>
Hi Adam,

Many thanks for your review. Please see inline below.

Regards,
Ian

On 11.10.18, 02:02, "dhcwg on behalf of Adam Roach" <dhcwg-bounces@ietf.org on behalf of adam@nostrum.com> wrote:

> Adam Roach has entered the following ballot position for
> draft-ietf-dhc-dhcp4o6-saddr-opt-06: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcp4o6-saddr-opt/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks to everyone involved for the work they did on this document. I agree
> with Alissa's request for the addition of privacy considerations.
>
> ---------------------------------------------------------------------------
>
> §7.2.1:
>
>> the client's IPv6 will change. E.g., if there is an IPv6 re-
>
> Nit: "...the client's IPv6 address will change."

[if - fixed]

> ---------------------------------------------------------------------------
>
> §9:
>
>> For such an attack to be effective, the attacker would need to know
>> both the client identifier and active IPv4 address lease currently in
>> use by another client. The risk of this can be reduced by using a
>> client identifier format which is not easily guessable, e.g., by
>> including a time component for when the client identifier was
>> generated (see [I-D.ietf-dhc-rfc3315bis] Section 11.2).
>
> I might be missing something here, but my understanding is that DHCP isn't
> confidential, and so attackers on the same segment might be able to observe
> another client's identifier and IPv4 address in the DHCP traffic itself
> (depending on the nature of the networking equipment). Even if this cannot
> be easily mitigated, I think it's worth mentioning.

[if - I've re-worked this text in response to the Discuss raised by Eric Rescorla. I've tried to address your point as well. Here's the new text proposal:

"A rogue client could attempt to use the mechanism described in Section 7.2.1 to redirect IPv4 traffic intended for another client to itself. This would be performed by sending a DHCPREQUEST message for another client's active IPv4 lease containing the attacker's softwire IPv6 address in OPTION_DHCP4O6_S46_SADDR.

For such an attack to be effective, the attacker would need to know both the client identifier and active IPv4 address lease currently in use by another client. This could be attempted in three ways:

1. One customer learning the active IPv4 address lease and client identifier of another customer via snooping the DHCP4o6 message flow between the client and server. The mechanism described in this document is intended for use in a typical ISP network topology with a dedicated layer-2 access network per-client, meaning that snooping of another client's traffic is not possible. If the access network is a shared medium then provisioning softwire clients using dynamic DHCP4o6 as described here is not recommended.

2. Learning the active IPv4 address lease and client identifier via snooping the DHCP4o6 message flow between the client and server in the aggregation or core ISP network. In this case, the attacker requires a level of access to the ISP's infrastructure that means they can already intercept or interfere with traffic flows to the client.

3. An attacker could attempt brute-force guessing of the IPv4 lease address and client identifier tuple.

The risk of this can be reduced by using a client identifier format which is not easily guessable, e.g., by using a UUID based client identifier (see [I-D.ietf-dhc-rfc3315bis] Section 11.5)."]

> ---------------------------------------------------------------------------
>
> §10:
>
>> IANA is requested to update the entry for DHCPv6 Option S46_BR (90)
>> in the Option Codes table at https://www.iana.org/assignments/
>> dhcpv6-parameters as follows:
>>
>> Old entry:
>>
>> | 90 | S46_BR | No | No |
>>
>> New entry:
>>
>> | 90 | S46_BR | Yes | No |
>
> This is a somewhat unconventional way to represent IANA actions. This format
> does not make sense in a vacuum; and, more importantly, will lose meaning in
> the case that the corresponding registry table is ever expanded. I also note
> that the name is incorrect (S46_BR instead of OPTION_S46_BR), and that the
> Reference column is omitted (which is relevant, as I believe the intention is
> to instruct IANA to add this document to the list of references).
>
> Please consider reformatting as:
>
> Old Entry:
>   Value: 90
>   Description: OPTION_S46_BR
>   Client ORO: No
>   Singleton Option: No
>   Reference: [RFC7598]
>
> New Entry:
>   Value: 90
>   Description: OPTION_S46_BR
>   Client ORO: Yes
>   Singleton Option: No
>   Reference: [RFC7598] [RFCxxxx]
>
>> IANA is also requested to make a new entry for
>> OPTION_S46_BIND_IPV6_PREFIX (TBD1) in the Option Codes table at
>> https://www.iana.org/assignments/dhcpv6-parameters:
>>
>> | TBD1 |OPTION_S46_BIND_IPV6_PREFIX| Yes | Yes |
>
> Similarly:
>
>   Value: TBD1
>   Description: OPTION_S46_BIND_IPV6_PREFIX
>   Client ORO: Yes
>   Singleton Option: Yes
>   Reference: [RFCxxxx]

[if - Updated]
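The proposed Section 9 text above describes a DHCPREQUEST that tries to move another client's active IPv4 lease to a foreign softwire IPv6 address, and names a non-guessable client identifier as the mitigation. As an added illustration for this thread (not code from the draft, the ballot, or any DHCP implementation), the following Python sketch shows the check a server applies before honouring a new SADDR for an existing lease: the legitimate Section 7.2.1 renumbering case is accepted and logged, a request carrying a different client identifier is refused without touching the binding and tallied per requesting source as a signal for the brute-force case, and the guessing work for a UUID-based identifier is compared with a hypothetical 32-bit time-based one. The message layout (plain Python values rather than the DHCP4o6 wire format), the lease table, the identifier bit counts and the 65536-lease pool are constructed assumptions.

```python
"""Server-side handling of a DHCPREQUEST that carries a softwire source
address (SADDR), illustrating the Section 9 text in the thread.

Added example; not code from the draft or any DHCP implementation.
Messages are plain Python values, not the DHCP4o6 wire format, and the
lease table and scenario below are constructed."""
import logging
import math
import uuid
from collections import Counter
from dataclasses import dataclass

log = logging.getLogger("dhcp4o6-saddr")


@dataclass
class Lease:
    ipv4: str
    client_id: bytes   # DHCP client identifier (DUID) the lease was issued to
    saddr: str         # softwire IPv6 address currently bound to the lease


class SaddrServer:
    """One active lease per IPv4 address; only the lease holder's own
    client identifier may move the bound softwire IPv6 address (the
    legitimate Section 7.2.1 renumbering case)."""

    def __init__(self) -> None:
        self.leases: dict[str, Lease] = {}
        # Refused REQUESTs per requesting SADDR: a tally for spotting the
        # brute-force guessing in case 3 of the proposed text.
        self.mismatches: Counter = Counter()

    def handle_request(self, client_id: bytes, ipv4: str, saddr: str) -> str:
        lease = self.leases.get(ipv4)
        if lease is None:
            return "NAK"            # no active lease for that address (simplified)
        if lease.client_id != client_id:
            # REQUEST for another client's active lease under a different
            # identifier: refuse, keep the existing binding, and count it.
            self.mismatches[saddr] += 1
            log.warning("client-id mismatch for %s from %s (count=%d)",
                        ipv4, saddr, self.mismatches[saddr])
            return "NAK"
        if lease.saddr != saddr:
            # Same client, new IPv6 address: the renumbering case. Log the
            # move so an unexpected change is visible in the server's records.
            log.info("lease %s: saddr %s -> %s", ipv4, lease.saddr, saddr)
            lease.saddr = saddr
        return "ACK"

    def suspicious_sources(self, threshold: int = 3) -> list[str]:
        """SADDRs that failed the identifier check at least `threshold` times."""
        return [s for s, n in self.mismatches.items() if n >= threshold]


def guess_work_bits(client_id_bits: int, active_leases: int) -> float:
    """log2 of the expected number of blind guesses needed to hit some active
    (IPv4 lease, client identifier) tuple, assuming uniformly random
    identifiers and an attacker who already knows the lease pool."""
    return client_id_bits - math.log2(active_leases)


def uuid_client_id() -> bytes:
    """DUID-UUID (DUID type 4, RFC 6355) built from a random UUID: 2-byte
    type code plus 16-byte UUID, of which 122 bits are random."""
    return (4).to_bytes(2, "big") + uuid.uuid4().bytes


def demo() -> dict:
    """Constructed scenario: a victim's lease, a legitimate renumbering, and
    a rogue REQUEST for the same lease under a different identifier."""
    logging.basicConfig(level=logging.INFO)
    server = SaddrServer()
    server.leases["192.0.2.10"] = Lease("192.0.2.10", b"victim-duid", "2001:db8:1::10")
    return {
        "renumber": server.handle_request(b"victim-duid", "192.0.2.10", "2001:db8:2::10"),
        "rogue": server.handle_request(b"rogue-duid", "192.0.2.10", "2001:db8:bad::1"),
        "saddr_after": server.leases["192.0.2.10"].saddr,
        "flagged": server.suspicious_sources(threshold=1),
        # 122 random bits (UUID) vs. an assumed 32-bit time-based identifier,
        # with an assumed pool of 65536 active leases
        "uuid_bits": guess_work_bits(122, 65536),
        "time_bits": guess_work_bits(32, 65536),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server never consults the SADDR when deciding whether a REQUEST is authorised; the client identifier alone decides, which is why the identifier's guessability is the parameter the text concentrates on. The per-source tally is only a server-local signal: in the shared-medium case (1) and the infrastructure-access case (2), the attacker already has the tuple and produces no mismatches, which matches the text's conclusion that those cases are addressed by topology and access control rather than by the protocol.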