IETF Logo Mail Archive

Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt

"Bernie Volz (volz)" <volz@cisco.com> Thu, 26 March 2020 20:02 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12EE83A0CDE; Thu, 26 Mar 2020 13:02:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=HG/ciQ/k; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=gtj4vSc+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wZfhSgE8Uerj; Thu, 26 Mar 2020 13:02:36 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C83B43A0D5D; Thu, 26 Mar 2020 13:02:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=34649; q=dns/txt; s=iport; t=1585252955; x=1586462555; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=fHq88X7rwTVMCS1SlcuudsD5SSCPIAnpfqk2KCNbJcw=; b=HG/ciQ/ke0xURHDeISzU0dkXvNdpfUwkS1XCfaKfdNZcdIjRtUAeNNv1 +u04+ynttS2rZP4h8lBTiziYBxtOIu6Gwz4wOczT5kRt3eTwBF5ZO0N8t ZIMt3HkYJFHSRbrrL3BmstOTWsavfAEAFzqw4zR60BKTQXuHpl3/rNuum A=;
X-IPAS-Result: A0B3CADACX1e/49dJa1mHAEBAQEBBwEBEQEEBAEBgXuBJS8kLAVsWCAECyoKhBCDRQOKZoJfmB6BQoEQA1QKAQEBDAEBJQgCBAEBhEQCF4IYJDgTAgMBAQEDAgMBAQEBBQEBAQIBBQRthVYBC4VwAQEBAQMSER0BATcBDwIBCBEDAQIhCgICAjAdCAIEDgUigwQBgX5NAy4BDqJ5AoE5iGJ1gTKCfwEBBYUlGIIMAwaBOIwvGoIAgREnIIFPfj6CG0kBAQIBgS0BDAYBBwI4DYJlMoIsjXaBHoFjhXmCWodKjlEGcAqCPIdfjyodgkyILZBpjxOBUIdBkmcCBAIEBQIOAQEFgWkiZ3FwFWUBgkEJRxgNjh0MF4NQhRSFQXQCgSeLNoEyATBfAQE
IronPort-PHdr: 9a23:dUnElRcPcBj5oz7ieETc+DGjlGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwKUD57D5adCjOzb++D7VGoM7IzJkUhKcYcEFlcejNkO2QkpAcqLE0r+eeDtaz4SF8VZX1gj9Ha+YgAMQpTkalbfo2O/4XsJAhuvaVhTIeL4Us7KlcOr2uuu+prVJQJVmD66ZrA0JxKz/03at9Idhs1pLaN5xhzEuTNOfPgeyW5zJF2Vlgrxg6X45JN59iVMp/8tv9VNV6n3Zew4SqdEF3Ur
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.72,309,1580774400"; d="scan'208,217";a="442341446"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Mar 2020 20:02:34 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 02QK2YeE012841 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 26 Mar 2020 20:02:34 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 26 Mar 2020 15:02:34 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 26 Mar 2020 16:02:32 -0400
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 26 Mar 2020 15:02:32 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ho3jxLAYuHjjs3qqLJbyAzyJDMQpsiBrfOmdEqJPEzHQyh6mygSbIezXyIIKmi5kcs/XrQ8Qx7qTv5+HjsBVoMu8ZET3OMdc9ovse4BmKa7QYhre6PE+C0/sHkBLmEzZsrCXdbWLSjt1RrFh4ZI6T20JygUej+N0Xba7L6jMrHLKbBDvSrx3LUdLabrPiGJl8kqaR7EuX/bgLYHJB1jIVVBpEIVa5vNrept025xLlqpGnBh35S45YZOrnwA8EQCnZo53iuURvLk4iPM+Eygkj4BgwbCELGZ7n/h715P+WsZgSLck+ocTtJ1B3WCosN7MI49SfkySt/6KlGXpIwCHlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fHq88X7rwTVMCS1SlcuudsD5SSCPIAnpfqk2KCNbJcw=; b=IErkNW2uxKdXVmKKqMh8AASySC3QY46dBFmZmghf3oOOzl0h++PaRovIpLYWiazgwd5+Pqh0eLMm8K/594yU6N2Q0cEAf+SmX67ZZmpBPZEdwWRJ5JnQXvnoeWKhEyYO3RWbqet3tjaeucrj2i8ESgcA3VtlXmWvsJKPP1LWrDkWjrOEBkC0JbMmCFpRGabo3TT5p0rP3yUCQR+sGMobvYOjmzca4+9PsW1MIJDyWA/ZJTsdFntgDl9t79O313lU02V2n0wiKzrY/hnh+i8wvR0vBkGlUQJ1W5vGHDTzd5GKZ7huqxbWj07pvWdUmn95nwOs+PzYm/tpo8tcYhnBZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fHq88X7rwTVMCS1SlcuudsD5SSCPIAnpfqk2KCNbJcw=; b=gtj4vSc+wBlLS4B2vgCMcaD9+lNtupcf8t17e82rKXWGbzUU0lzIuKUsbLN97BIEFhDigYo6WvbdbanBOIlL8P9zK6UnKG2hh7t8QuqKr3fqY/D693Te68pVR/ORcXHmspnJCMClthJFbbiV9dzfOcwrMMCAcfcZUPcPHk/9hHY=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN7PR11MB2868.namprd11.prod.outlook.com (2603:10b6:406:a9::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.15; Thu, 26 Mar 2020 20:02:31 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::29d4:9c08:fa95:c26e]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::29d4:9c08:fa95:c26e%7]) with mapi id 15.20.2856.019; Thu, 26 Mar 2020 20:02:31 +0000
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "ianfarrer@gmx.com" <ianfarrer@gmx.com>
CC: "draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt
Thread-Index: AQHV98bEC9/aF5Xkw028jQpGj8sRqKhDn3CQgAGc4gD//8IOgIARUXJQgANV7eCAAY4agP//65+A
Date: Thu, 26 Mar 2020 20:02:31 +0000
Message-ID: <75369E25-F0D9-47A5-A94C-EF40736656FC@cisco.com>
References: <158346050095.14620.2547383825421375669@ietfa.amsl.com> <CANFmOt=21NNyYom9KtVQ7x5mTE6rR2GAAg8DwAdaptuOWAJLrQ@mail.gmail.com> <BN7PR11MB2547E17639F673343B5210BBCFFC0@BN7PR11MB2547.namprd11.prod.outlook.com> <CANFmOtnWHJzNtw8-aj+Dqgbqh0aeDMVtXcnib0RC4Bpi+OW0eg@mail.gmail.com> <43727BCE-732F-4629-8BCD-EBCDE2507B82@cisco.com> <BN7PR11MB2547273DA5E1D5F39F26629ACFF00@BN7PR11MB2547.namprd11.prod.outlook.com> <BN7PR11MB254754D841622448F49B021ACFCE0@BN7PR11MB2547.namprd11.prod.outlook.com> <98E34F29-CAB3-4FC3-9B53-AB17AF811683@gmx.com>
In-Reply-To: <98E34F29-CAB3-4FC3-9B53-AB17AF811683@gmx.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.35.20030802
authentication-results: spf=none (sender IP is ) smtp.mailfrom=volz@cisco.com;
x-originating-ip: [24.233.121.124]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1a673b5e-2940-484b-df8e-08d7d1c09e4b
x-ms-traffictypediagnostic: BN7PR11MB2868:
x-microsoft-antispam-prvs: <BN7PR11MB28686EA8C8ED07B053664087CFCF0@BN7PR11MB2868.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0354B4BED2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(136003)(396003)(39860400002)(366004)(2616005)(6512007)(91956017)(76116006)(71200400001)(2906002)(26005)(4326008)(186003)(36756003)(6916009)(54906003)(6486002)(86362001)(81156014)(8676002)(8936002)(316002)(66946007)(478600001)(81166006)(66446008)(64756008)(66556008)(66476007)(33656002)(5660300002)(6506007)(53546011)(518174003); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR11MB2868; H:BN7PR11MB2547.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zApPRbnZicmD1D69Cy/4rNUzd1ucI7jSYilPqfPGvDpRkbHq4PapB6PmbDA77EJD2jK4c8ehwfTWo/0hYaeUOw9DPv6ebI5j+6yi/NQwfz+Wfca6aI0OQR6jEWzSsqvXxGaZyKRLQPZiPuNOVGQLGMLVl1L4/2N8f8yCUSksuDi/19QkNzUgAwNLG6Tsg7WP6yYkmADVkB6jr6H6uUGEeNeEcPSC3DM96V5YYcH3/hMMHtbHZJgft1JYMWpS7bcplPnJRy1Rvx2eF2rJH7uGONGaqF6SPHdvwO0sdeD+c+x0JJE4GNDfoMHxJa/u6l+WCEojm6McMo/6i4lyne/l81SGRn4kJevnQ6wf1KVRHgwoXlI1XMTF5jIMZf6ps4950ZNVv62nQyARI4TF3Nt775IbgV9Eo15JQUwXkgn0RrjRko+8aiTcvvwigd7pXA+LwWyJwskXJjMvR4LIh4S+T2PfUJcbppOg0QbGqKIpSSAVzVHrwKomQog7Qd6q0PWYaSO+WzgQ7RItGXfUJ7mZOpO1jnQMQlSVAAPc1KMev3QZK/V2LrjLSZR3cn5Ip65i
x-ms-exchange-antispam-messagedata: HUu2KNTlrUup8dNI0xbR+7ooq2Su/h0oM+zCsUiZkmnnheRf3KXezQp19TEwPzKFhwi67Ec+IgK09oMcxYqFyWVBAuYGMW2mZ+a6WOIQsrzg1loHpAqAYXnfmNDQIITa1n9/vcPGYxkuvU4JR3mK1A==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_75369E25F0D947A5A94CEF40736656FCciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 1a673b5e-2940-484b-df8e-08d7d1c09e4b
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2020 20:02:31.5573 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: W50KEQZD7jg3O5aOe3+qvpwOAJ35j5am6MnAvVq0Q2cM28ydAbCRoCX1VTmnl1uP
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2868
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.15, xch-aln-005.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/GXrUQUmJiRY_R1u6p3TKfcCYhk0>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2020 20:02:57 -0000

Hi:

Please see additional comments below (BV>).


  *   Bernie

From: Ian Farrer <ianfarrer@gmx.com>
Date: Thursday, March 26, 2020 at 1:12 PM
To: Bernie Volz <volz@cisco.com>
Cc: "draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-dhcpv6-pd-relay-requirements-00.txt

Hi Bernie,

Many thanks for your review. I’ve prepared an update which incorporates most of your suggestions (and I’ve removed them from the email below). For the remaining questions, please see inline below.

I’ve also replaced the reference to the obsoleted RFC7283 (handling unknown message types) and replaced with a ref. to RFC8415 Sec 19.
BV> Yes, good catch!!

Thanks,
Ian

3.4<https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-pd-relay-requirements-00#section-3.4>.  Dropping Messages from Devices with Duplicate MAC addresses and
      DUIDs
   It is an unfortunate operational reality that client devices with
   duplicate MAC addresses and/or DUIDs exist and have been deployed.
   In this situation, the operational costs of locating and swapping out
   such devices are prohibitive.

   Delegating relays have been observed to restrict forwarding client
   messages originating from one client DUID to a single interface.  In
   this case if the same client DUID appears from a second client on
   another interface while there is already an active lease, messages
   originating from the second client are dropped causing the second
   client to be unable to obtain a prefix delegation.
- We need to be a bit careful in this section and not sure exactly how to fix it. But in DOCSIS, for Cable Modems, often these restrictions exist to prevent theft of service (as there have been cloned devices). I think this document means the devices behind the CMs (in the case of DOCSIS) and perhaps similar environments. The complexity here is that “delegating relays” are the devices passing DHCPv6 packets and so could be interpreted to include all devices. Perhaps this will require some further discussions.
…

[if - What about adding the following sentence:

It should be noted that in some access networks, the MAC address and/or DUID are used as part of device identification and authentication. In such networks, enforcing MAC address/DUID uniqueness is a necessary function and not considered a problem.
]
BV> That sounds reasonable.

   G-5:    The relay MUST allow the same client identifier (DUID) to
           have active delegated prefix leases on more than one
           interface simultaneously.  This is to allow client devices
           with duplicate DUIDs to function on separate broadcast
           domains.
- See earlier my points in section 3.4; not sure how best to “modify” this item.

[if - What about changing to:

The relay SHOULD allow the same client identifier (DUID) to have active delegated prefix leases on more than one
interface simultaneously, unless client DUID uniqueness is necessary for the functioning or security of the network.
This is to allow client devices with duplicate DUIDs to function on separate broadcast domains.
]
BV> OK, but I guess I should have raised this earlier but what is meant by Interface? Who’s interface? Do we need “on more than one interface” in this sentence?

   G-6:    The maximum number of simultaneous prefixes delegated to a
           single client MUST be configurable.

   G-7:    The relay MUST implement a mechanism to limit the maximum
           number of active prefix delegations on a single port for all
           client identifiers and IA_PDs.  This value SHOULD be
           configurable.
- For G-6 ad G-7, are there some recommendations about what (a) a reasonable number to support is and (b) what the default should be? While it would be great to have this be “unlimited”, likely equipment manufacturers might like some guidance. For example we could say that “While allowing this to be fully configurable, delegating relays should support at least 8 per client device and use this as the default limit.” That’s just an example.

[if - This is a good question. We could add another requirement here recommending that the delegating relay supports at least X prefixes per client. The question is what value? I’ve seen 4-8 in SP edge routers, so I think 8 is a reasonable value, but I’m not sure whether this is reasonable for CMTS/BNG etc. Any insight would be appreciated here.
]
BV> Yeah – I don’t have any direct insight. I agree that 8 is a reasonable value as I would hope it would never be that many to start with.

   G-8:    The delegating relay MUST synchronize the lifetimes of active
           prefix delegation leases with server.
- I’m not sure I completely understand what this requirement means. Are you suggesting NTP or similar time synchronization be used? As lifetimes are relative (seconds remaining, not absolute time stamps) in DHCP messages, I’m not sure why NTP would be that critical. As there are 3 places lifetimes would be stored (server, delegating relay, client), unless all of these clocks were synchronized, some drift should be tolerated (i.e., not all clocks will tick at the same rate).

[if - The important thing here is the lease lifetime synchronisation between the server, delegating relay and client from the timers in the Reply messages. No suggestion that NTP should be used for that as it’s the DHCP lifetimes that matter. As this is a requirements document, we didn’t want to define how the delegating relay performs this synchronisation (like with SAVI), just that this needs to happen. Do you think that this is the wrong approach, or is the requirement text not clear as to the intention?
]
BV> I think perhaps this could be worded in a different way? Perhaps something like “The delegating relay MUST update the lifetimes based on the Client Reply messages it forwards to the client and only expire the delegated prefixes when the valid lifetime has elapsed.” Isn’t that really what you are after?
BV> I also wonder whether there is some value in pointing out that “snooping” Client Reply Messages cannot capture which delegated prefixes have been released; Client Release messages must be monitored instead. (While it was something I had noted but for some reason failed to bring up during the RFC8415 discussion, it would have been a nice change to allow a Server to send back the “released” leases in the Reply to the respond with the IA_*/IA* options containing 0 lifetimes. This would have made snooping a bit simpler as I think then it would have been possible to just snoop the Reply messages.

v2.23.0 | Report a Bug | By Email