Re: [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)

[Warren Kumari <warren@kumari.net>]

On Wed, May 27, 2020 at 4:56 PM Bernie Volz (volz) <volz@cisco.com> wrote:
>
> Hi Warren:
>
> Regarding the DISCUSS, that may be an item to point out in the draft (that in some cases a change in mac-address may have issues as it may be administratively prohibited to restricted). Perhaps adding an additional paragraph such as the following in Section 4.2 (Direct client mode scenario) would address this?
>
>         Also, a client that operates as above may run into issues if the switch is
>         is connected to prohibits or restricts link-layer address changes. This may
>         limit where this capability can be used, or it may require the administrator
>         to adjust the configuration of the switch(es) to allow a change in address.


Thanks, that would be perfect!

>
> Thanks for finding this, no one else (as far as I recall) pointed out this issue during the documents development.
>
> For the comment regarding limits, we usually do avoid them as we consider those server policy. But perhaps adding the following to Section 13 (Security Considerations) would be useful:
>
>         Server implementations SHOULD consider configuration of the maximum number
>         of addresses to allocate (both in a single request and in total for a client).
>         However, note that this does not prevent a bad client actor from pretending to
>         be many different clients and consuming all available addresses.

Yup, that would make me a happy camper!

Thank you!
W



>
> And, thanks for the " Thank you for writing this -- I *do* like this document, and agree that it solves a real problem." It was Ralph Droms and Russ Housley that originally suggested some of us work on this as part of the IEEE/IETF liaison activity as IEEE was looking for a solution. Tomek (co-author) and I did present to an IEEE RAN meeting and they were supportive of this work.
>
> - Bernie
>
> -----Original Message-----
> From: Warren Kumari via Datatracker <noreply@ietf.org>
> Sent: Wednesday, May 27, 2020 4:26 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-dhc-mac-assign@ietf.org; dhc-chairs@ietf.org; dhcwg@ietf.org; Tomek Mrugalski <tomasz.mrugalski@gmail.com>; Ian Farrer <ianfarrer@gmx.com>; ianfarrer@gmx.com
> Subject: Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
>
> Warren Kumari has entered the following ballot position for
> draft-ietf-dhc-mac-assign-06: Discuss
>
> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dhc-mac-assign/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Be ye not afraid -- these should be easy to address.
>
> I have some concerns about this document -- much of my unease isn't specifically about the document itself, but rather the impact that deploying this on a wide scale may create. Much of my concerns can probably be addressed by sprinkling on some weasel-words / "you could shoot yourself in the foot if not careful" language.
>
> Unless I've horribly misunderstood, in the direct client mode, a device comes up, connects to a switch and then changes its MAC address to the DHCP assigned one. This may interact poorly with: a: switches with small CAM tables (sometimes deployed in DCs) b: devices with configured maximum MACs per port, common in enterprises (e.g:
> https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/switchport-port-security-maximum.html
> ) c: 802.1X (which is often configured to only allow a single MAC per interface / VLAN) d: switches which do things like DHCP snooping. Again, I do realize that most of these issues are not directly the result of this technique, but implementing / deploying this makes it more likely that devices will come up with a temp address and then pivot to an assigned one, and I'd like to see some operational warnings...
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for writing this -- I *do* like this document, and agree that it solves a real problem (e.g:
> http://grouper.ieee.org/groups/802/PrivRecsg/email/msg00164.html ), but would like to make sure that it is deployable without causing sadness...
>
> I think it would be useful to also add some text around policy limits / DoS.
> As examples, would you expect that this would be enabled on "regular" user interfaces (e.g at my local coffee shop), or is it more designed for datacenters and IoT VLANs? Either way, should a device be able to ask for
> 00:00:00:00:00:01 and 2^48-2 addresses? The document does say things like: "In particular, the server may send a different starting address than requested, or grant a smaller number of addresses than requested.", but it might be nice to also include something like "implementations should allow configuration of the maximum number of addresses to allocate" or something similar (yes, an attacker could keep coming back and looking like a new device, but...)
>
>
>


--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf