Re: [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 27 May 2020 21:36 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AAD3A07B1 for <dhcwg@ietfa.amsl.com>; Wed, 27 May 2020 14:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-lNbj8mh-zy for <dhcwg@ietfa.amsl.com>; Wed, 27 May 2020 14:36:16 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A1833A0C89 for <dhcwg@ietf.org>; Wed, 27 May 2020 14:36:16 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id g25so763836otp.13 for <dhcwg@ietf.org>; Wed, 27 May 2020 14:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=WdCXLxbBP02lYyH6zcSom2J8E4sOVNf1qYydMesh9bc=; b=RVcqNaNkKhth/MXwtxv+KRXq2XHjeMwpeHo2GmgMwplQyO/Ddij9rBN0kwi5XgQago Us/7o3gV0DJhf81uN4ElJGG447q9ASvWFvc0Sol8pj89ZAlKYM1uTGI0SVA49bVFDCzl rYZzz9ZxngOSnEe5F99Ib9AWsto3fFqOQZmlP1pwr05hj/ydMF6vnp6bc97E86GAwTtZ VXVQfm5UjkMGAOIOS9cB2zQrmXX4AaeC8pV5weJsCKOQrZS3vejOPQOZjyyG9eRdmy3P 5U0xKmAUygZnN2znF9XyUavPk+QFNDHmbXKgKeGI9rA+xoVFjysOvGry1vtjZxtGePMy AQGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=WdCXLxbBP02lYyH6zcSom2J8E4sOVNf1qYydMesh9bc=; b=a9k9kh/f5KSA5LfqbisvM3EI8jbLS9YK3YxScpfTZCnR37HBffOmbslH3Kx6UAwZcd DOkDG+Z392PEkWGW100FQsR0UlY5regm08wkkGeWBXsL04rZE1RNJalVgkJ9+Ez5o67k ixigvrEhCEA03XxgeEHnGznuK+orcXE/UNb7JTflRvnX1Dys5077HEgx3bLCBOUU95oV pjSSzOJuS5rws6Gk0XwSDNs8CABGE6PJisjGHvc2dBZeCIq8PCQWKlFycYYHH5Bd/jMf WXDHIvS9wdBJKAbDWzjO3s90k7JIXyxpauGzZLehJ2CxSnJ10gdL9YSlrQlbxRJcOUTY heQg==
X-Gm-Message-State: AOAM532YjRGS7qAGhRCQwCgb0/QJb8dr7sHYwdCWE1PoEflT7ZZfoSp7 M+tbqyVn5qCafXzr4rWGW2A8Tv4iKYE0LNSu1+UN13inPsY=
X-Google-Smtp-Source: ABdhPJx/X+54Q1ARdNsVC5KUcvRidEhqe+ht9VrF9vKB3z/2e7qKSbzf/Hfvik/kjfTLa1EtSQxu97dZzjxNZG7ZPgY=
X-Received: by 2002:a05:6830:2006:: with SMTP id e6mr49292otp.357.1590615375271; Wed, 27 May 2020 14:36:15 -0700 (PDT)
MIME-Version: 1.0
References: <159061117184.12588.3496366666468663429@ietfa.amsl.com> <BN7PR11MB254753F131F4298595002766CFB10@BN7PR11MB2547.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB254753F131F4298595002766CFB10@BN7PR11MB2547.namprd11.prod.outlook.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 27 May 2020 17:35:38 -0400
Message-ID: <CAHw9_iKkMor=AJ9x5ob7xnD1T4dCbfPcafhYCgAPKCeN3XP-iw@mail.gmail.com>
To: "Bernie Volz (volz)" <volz@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-dhc-mac-assign@ietf.org" <draft-ietf-dhc-mac-assign@ietf.org>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, Ian Farrer <ianfarrer@gmx.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/JrRmzEh1-YJOg3C9f08xnNArLmY>
Subject: Re: [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 21:36:21 -0000

On Wed, May 27, 2020 at 4:56 PM Bernie Volz (volz) <volz@cisco.com> wrote:
>
> Hi Warren:
>
> Regarding the DISCUSS, that may be an item to point out in the draft (that in some cases a change in mac-address may have issues as it may be administratively prohibited to restricted). Perhaps adding an additional paragraph such as the following in Section 4.2 (Direct client mode scenario) would address this?
>
>         Also, a client that operates as above may run into issues if the switch is
>         is connected to prohibits or restricts link-layer address changes. This may
>         limit where this capability can be used, or it may require the administrator
>         to adjust the configuration of the switch(es) to allow a change in address.


Thanks, that would be perfect!

>
> Thanks for finding this, no one else (as far as I recall) pointed out this issue during the documents development.
>
> For the comment regarding limits, we usually do avoid them as we consider those server policy. But perhaps adding the following to Section 13 (Security Considerations) would be useful:
>
>         Server implementations SHOULD consider configuration of the maximum number
>         of addresses to allocate (both in a single request and in total for a client).
>         However, note that this does not prevent a bad client actor from pretending to
>         be many different clients and consuming all available addresses.

Yup, that would make me a happy camper!

Thank you!
W



>
> And, thanks for the " Thank you for writing this -- I *do* like this document, and agree that it solves a real problem." It was Ralph Droms and Russ Housley that originally suggested some of us work on this as part of the IEEE/IETF liaison activity as IEEE was looking for a solution. Tomek (co-author) and I did present to an IEEE RAN meeting and they were supportive of this work.
>
> - Bernie
>
> -----Original Message-----
> From: Warren Kumari via Datatracker <noreply@ietf.org>
> Sent: Wednesday, May 27, 2020 4:26 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-dhc-mac-assign@ietf.org; dhc-chairs@ietf.org; dhcwg@ietf.org; Tomek Mrugalski <tomasz.mrugalski@gmail.com>om>; Ian Farrer <ianfarrer@gmx.com>om>; ianfarrer@gmx.com
> Subject: Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
>
> Warren Kumari has entered the following ballot position for
> draft-ietf-dhc-mac-assign-06: Discuss
>
> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dhc-mac-assign/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Be ye not afraid -- these should be easy to address.
>
> I have some concerns about this document -- much of my unease isn't specifically about the document itself, but rather the impact that deploying this on a wide scale may create. Much of my concerns can probably be addressed by sprinkling on some weasel-words / "you could shoot yourself in the foot if not careful" language.
>
> Unless I've horribly misunderstood, in the direct client mode, a device comes up, connects to a switch and then changes its MAC address to the DHCP assigned one. This may interact poorly with: a: switches with small CAM tables (sometimes deployed in DCs) b: devices with configured maximum MACs per port, common in enterprises (e.g:
> https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/switchport-port-security-maximum.html
> ) c: 802.1X (which is often configured to only allow a single MAC per interface / VLAN) d: switches which do things like DHCP snooping. Again, I do realize that most of these issues are not directly the result of this technique, but implementing / deploying this makes it more likely that devices will come up with a temp address and then pivot to an assigned one, and I'd like to see some operational warnings...
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for writing this -- I *do* like this document, and agree that it solves a real problem (e.g:
> http://grouper.ieee.org/groups/802/PrivRecsg/email/msg00164.html ), but would like to make sure that it is deployable without causing sadness...
>
> I think it would be useful to also add some text around policy limits / DoS.
> As examples, would you expect that this would be enabled on "regular" user interfaces (e.g at my local coffee shop), or is it more designed for datacenters and IoT VLANs? Either way, should a device be able to ask for
> 00:00:00:00:00:01 and 2^48-2 addresses? The document does say things like: "In particular, the server may send a different starting address than requested, or grant a smaller number of addresses than requested.", but it might be nice to also include something like "implementations should allow configuration of the maximum number of addresses to allocate" or something similar (yes, an attacker could keep coming back and looking like a new device, but...)
>
>
>


--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf