Re: [dhcwg] I-D Action: draft-ietf-dhc-relay-port-01.txt

"Naiming Shen (naiming)" <naiming@cisco.com> Thu, 19 January 2017 00:24 UTC

Return-Path: <naiming@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E591C129516 for <dhcwg@ietfa.amsl.com>; Wed, 18 Jan 2017 16:24:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level:
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oq9DXZiGh08Y for <dhcwg@ietfa.amsl.com>; Wed, 18 Jan 2017 16:24:15 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5288512950F for <dhcwg@ietf.org>; Wed, 18 Jan 2017 16:24:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=26800; q=dns/txt; s=iport; t=1484785455; x=1485995055; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=QlR3Qs2HeX75aFKBnTSf5jMwAE3F/sWDM14moLDwjEE=; b=hxi1QcGlSzqPPzbWz5UZ5n55/cP1103p6XQSaasrfj3MVIqs+YrxgRvW SpC8+OE1HTndfWDESxKwEB0ftcDoVM8z6Q3EhcwTDg1mYO6l+3jqnWdUF Rtyea1hNG/KZ5YXhnEWrbUvTryEd2+Vh3vvPt1eTiBM/ysr7EuIseRpmy U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AzAQDBBoBY/4gNJK1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgm87DwEBAQEBH4FYEQeDSooIkWMflSyCC4YiAhqBbD8YAQIBAQE?= =?us-ascii?q?BAQEBYyiEaQEBAQQjVhACAQYCEQQBASgDAgICMBQJCAIEDgUZBohkkjqdToIli?= =?us-ascii?q?kMBAQEBAQEBAQEBAQEBAQEBAQEBAQEdiFAIgmGEM0yCUC2CMQWVM4YOAZFhgXe?= =?us-ascii?q?IW4Ybkm4BHziBRBVKAYYic4d0AYEMAQEB?=
X-IronPort-AV: E=Sophos;i="5.33,251,1477958400"; d="scan'208,217";a="196776907"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Jan 2017 00:24:14 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id v0J0ODhR019866 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <dhcwg@ietf.org>; Thu, 19 Jan 2017 00:24:13 GMT
Received: from xch-rcd-004.cisco.com (173.37.102.14) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 18 Jan 2017 18:24:12 -0600
Received: from xch-rcd-004.cisco.com ([173.37.102.14]) by XCH-RCD-004.cisco.com ([173.37.102.14]) with mapi id 15.00.1210.000; Wed, 18 Jan 2017 18:24:13 -0600
From: "Naiming Shen (naiming)" <naiming@cisco.com>
To: "Bernie Volz (volz)" <volz@cisco.com>
Thread-Topic: I-D Action: draft-ietf-dhc-relay-port-01.txt
Thread-Index: AQHSaG2j4iKFqR8HLUaBB5gDM0IMqqEsci2AgAk5dQCACYkFgIAACfsAgAAFswCAAAW9AIAAHl8A
Date: Thu, 19 Jan 2017 00:24:12 +0000
Message-ID: <134853BE-C323-4796-AD44-0520292373C8@cisco.com>
References: <148374230973.17537.14402355403407250708.idtracker@ietfa.amsl.com> <843031F0-B818-4C19-8120-78EE7D531E06@cisco.com> <4328855a5add4c3a9f044689171156f7@XCH-ALN-003.cisco.com> <15E46807-72A1-49FC-8E67-A1967243EFA0@cisco.com> <5841cbedc07e485d8499006469968bb1@XCH-ALN-003.cisco.com> <746A7C3D-B6A2-462B-91FF-1AE831715DE5@cisco.com> <31b8c717127f43928d0bcb8a5dc71aeb@XCH-ALN-003.cisco.com>
In-Reply-To: <31b8c717127f43928d0bcb8a5dc71aeb@XCH-ALN-003.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [128.107.155.79]
Content-Type: multipart/alternative; boundary="_000_134853BEC3234796AD440520292373C8ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/IEVRm8KTuD05u4xEU3Al4dzJRc8>
Cc: dhcwg <dhcwg@ietf.org>, "Enke Chen \(enkechen\)" <enkechen@cisco.com>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-relay-port-01.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 00:24:25 -0000

Bernie,

If you read my example with detailed message layout for each hop,
there is nothing about one relay agent changes another relay agent’s
message. all the relay-forw messages are encapsulated ontop of previous
agent’s message at the upstream direction. Server copies those unchanged,
and each relay-reply message is deencapsulated one by one. this is
exactly as the other relay options handled.

- Naiming

On Jan 18, 2017, at 2:35 PM, Bernie Volz (volz) <volz@cisco.com<mailto:volz@cisco.com>> wrote:

I understand the v4 case as there is no relay chaining. And, in that case just having the option is sufficient (port number is not needed). (If you want relay chaining in DHCPv4, it is much more complex and you have to have a place to store a bunch of information, such as original giaddr … and then you can also store port – there is no standard for this).

For DHCPv6, things are different and I think it is very bad (and as a WG “member” would not support this) to have one relay change another Relay-Forw’s packet (we used encapsulation of messages for a reason). While we have nothing that breaks today, that doesn’t mean it won’t in the future. And if a relay is adding the option already, it can stick the port number into it (rather than 0).

If you wanted to have the target relay store it for the return (if needed), you would then need two options. The sender of a non-standard port Relay-Forw includes an option (with no value) that just tells the next hop that a non-standard port is being used and that receiving relay that stores this into a new option in the Relay-Forw it adds. But again, this seems overly complex for non-benefit. Just have the SENDING relay store the port number in the Relay-Forw. Yes, this is different than DHCPv4, but so are a lot of other things different between v4 and v6. That’s life.

Note also that you’ve made the Relay processing for DHCPv6 much more complex for the forwarding towards server. By having the sender include the option with the port, there is NOTHING the receiver (next relay) needs to do. You only need to change the code for the sending path on the relay that wants to use a non-standard port and the Relay-Reply processing (to extract the option if present and use a different port). There’s no Relay-Forw processing that needs to change.

-          Bernie

From: Naiming Shen (naiming)
Sent: Wednesday, January 18, 2017 5:15 PM
To: Bernie Volz (volz) <volz@cisco.com<mailto:volz@cisco.com>>
Cc: dhcwg <dhcwg@ietf.org<mailto:dhcwg@ietf.org>>; Enke Chen (enkechen) <enkechen@cisco.com<mailto:enkechen@cisco.com>>
Subject: Re: I-D Action: draft-ietf-dhc-relay-port-01.txt


Move them to the front.

BV> OK, while you could implement it this way -- saying that the presence of the option in the Relay's packet (with a 0 value) is an indication that the port number is not the default and therefore the RECEIVER must insert it (replace the 0 value with the non-zero value based on the source port), I think this is NOT a good idea. I think the sender (that wants to response on the non-standard port) should be the one that adds the option with the correct port number. In DHCPv6, changing some other entities message is frown upon (hence why we encapsulate). And, I think it is simpler and less work for the receiver. There's also a security mechanism that the receiver can use to CONFIRM that the port is the indicated port.

For DHCPv6, because there is cascading relays. Otherwise, this is what we
agreed on for DHCPv4 UDP PORT option, and there is no local port number
needed. For v6 it has to if the ‘downstream’ relay uses a non-standard port.

Since I’ve done some implementation now, it is really straightforward to
get the UDP port number from the dhcp packet, since the ‘upstream’ has
already got the IP address of the source, which is even a lower layer in
the network stack.



BV> I guess the ONE benefit of doing it your way is that a server COULD detect if there are relays in the mix that don't support this, as when it copies the Relay-Forw's port option to the Relay-Reply, if the value is 0 it could report that the response will not get back to the client since a relay doesn't support the return path. But I don't see that benefit to be very large (since you already require that all entities must support this feature to use it).

For this to work, any ‘upstream’ device has to support that, but not further
besides the server side has to copy the option back. I can see a case:

client — relay1(1000)——relay2——relay3——server

in this case, relay1 uses a non-standard port, and relay2 has to support
this extension. But relay3 does not have to support that. Server has to
support that, since it copies the options back in relay-reply. When it
gets to relay2, which is really the place to use this option with a non-zero
port number in the options.