Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcp4o6-saddr-opt-06: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Mon, 15 October 2018 14:28 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97DE2130E9B; Mon, 15 Oct 2018 07:28:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h7w_8Rsck3Wx; Mon, 15 Oct 2018 07:28:01 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ED67130EBB; Mon, 15 Oct 2018 07:28:00 -0700 (PDT)
X-AuditID: 1209190c-dbfff70000004ed1-9d-5bc4a3ee4f2a
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id F8.FD.20177.FE3A4CB5; Mon, 15 Oct 2018 10:27:59 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w9FERuCZ002506; Mon, 15 Oct 2018 10:27:57 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w9FERqV3030410 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 15 Oct 2018 10:27:55 -0400
Date: Mon, 15 Oct 2018 09:27:52 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: ian.farrer@telekom.de
Cc: iesg@ietf.org, draft-ietf-dhc-dhcp4o6-saddr-opt@ietf.org, volz@cisco.com, dhcwg@ietf.org, dhc-chairs@ietf.org
Message-ID: <20181015142751.GD19309@kduck.kaduk.org>
References: <153918359096.5791.17237672018576211772.idtracker@ietfa.amsl.com> <89BC3D41-8108-4E9F-B5CF-3AAD69D4E35E@telekom.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <89BC3D41-8108-4E9F-B5CF-3AAD69D4E35E@telekom.de>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrCKsWRmVeSWpSXmKPExsUixCmqrPt+8ZFog1tHhSzmdO9msrjb0cJo 8e1mO4vF1fln2C1m/JnIbLF8hqYDm8eU3xtZPZYs+cnk0fZSIYA5issmJTUnsyy1SN8ugStj 8pIOxoINchX7diQ1MH4X62Lk5JAQMJE4v2IhUxcjF4eQwGImiaefDrGAJIQENjJKXOwLh7Cv Mkn0bQ8EsVkEVCU+r38DVsMmoCLR0H2ZGcQWEZCU2LalHyzOLFAlseXcNzBbWCBbov38cXYQ mxdo2aypy5khljUySky7t4MFIiEocXLmE6hmdYk/8y4BFXEA2dISy/9xQITlJZq3zgbbxSlg J7Hn4AawclEBZYm9fYfYJzAKzkIyaRaSSbMQJs1CMmkBI8sqRtmU3Crd3MTMnOLUZN3i5MS8 vNQiXUO93MwSvdSU0k2M4AiQ5NnBeOaN1yFGAQ5GJR7eDL4j0UKsiWXFlbmHGCU5mJREeed7 AoX4kvJTKjMSizPii0pzUosPMUpwMCuJ8EqEHIoW4k1JrKxKLcqHSUlzsCiJ805oWRwtJJCe WJKanZpakFoEk5Xh4FCS4H28CGioYFFqempFWmZOCUKaiYMTZDgP0PDjIDW8xQWJucWZ6RD5 U4y6HG1Pr89gFmLJy89LlRLnnQ9SJABSlFGaBzcHlLgksvfXvGIUB3pLmFcfmMaEeIBJD27S K6AlTEBL3G3BlpQkIqSkGhiXVgrI64Vptqbu/X2dQShQ09Ay8/5GOc05r/Y1/33loL3xkedv M+dO01dbmpjeTWLiyhGdaKHMW6d1eOXbD1eeqLNrP+So/lPjWpPONvHNVuONYpIn/gnrJUQt SRVlDt59J2Xl1R8Vd/Le/V3SdLIzzPxgb6bR9Dr/tl9fc6IqPKPECxrZdiixFGckGmoxFxUn AgDhbrqeNwMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/K1Di8P_VxNvRfano-KOoVXEUQS8>
Subject: Re: [dhcwg] Benjamin Kaduk's No Objection on draft-ietf-dhc-dhcp4o6-saddr-opt-06: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Oct 2018 14:28:09 -0000
Hi Ian, On Fri, Oct 12, 2018 at 07:19:27AM +0000, ian.farrer@telekom.de wrote: > Hi Benjamin, > > Thanks for the comments. Please see inline below. > > Regards, > Ian > > On 10.10.18, 17:00, "dhcwg on behalf of Benjamin Kaduk" <dhcwg-bounces@ietf.org on behalf of kaduk@mit.edu> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dhc-dhcp4o6-saddr-opt-06: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcp4o6-saddr-opt/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 7 > > It is also a prerequisite that the client has already learned a > suitable IPv6 prefix to use for its local softwire endpoint using > DHCPv6, RA/PIO or another mechanism. > > I think I'm confused. Is the OPTION_S46_BIND_IPV6_PREFIX option a way to > obtain the "suitable IPv6 prefix" above? If so, then "prerequisite" may > not be the best word to use here. > > [if - OPTION_S46_BIND_IPV6_PREFIX is supplied to ensure the client can > select the right prefix to use as the softwire endpoint > from previously configured prefixes via a longest-prefix match > (e.g. to use a routable 2001:: address instead of a ULA). > > What about the following re-wording of the paragraph to clear this up?: > > Before the dynamic softwire configuration process can commence, > the client MUST be configured with a suitable IPv6 prefix to be used > as the local softwire endpoint. This could be obtained using > DHCPv6, RA/PIO or another mechanism. > ] That helps, thank you. > Section 7.2.1 > > Across the lifetime of the leased IPv4 address, it is possible that > the client's IPv6 will change. E.g., if there is an IPv6 re- > numbering event. > > nit: The last sentence is a sentence fragment. > > [if - re-worded to: > > Across the lifetime of the leased IPv4 address, it is possible that > the client's IPv6 will change, e.g., if there is an IPv6 re- > numbering event. > ] > > > Section 9 > > With address-binding mechanisms such as these we also try to consider the > possibility of binding an unexpected address to an unsuspecting recipient, > e.g., to direct a large flow of traffic to a victim unable to process it > all. I did not see an immediate way for an attacker to do this, since it > would seem like it would either require DHCPv4 to assign the same address > twice or allow a duplicate v6/v4 softwire binding, but I am not sure I have > the full picture in my head yet. It would be good to include some text on > this class of attacks, even if it is just "redirecting existing flows to an > unsuspecting victim is not possible because <reason>". > > [if - What about the following new paragraph in Section 9: > > An attacker could attempt to redirect existing flows to a client unable to > process the traffic. This type of attack can be prevented by implementing > [BCP38] network ingress filtering in conjunction with the BR source address > validation processes described in [RFC7596] Section 5.2 and > [RFC7597] Section 8.1. > ] I think that helps; thank you! -Benjamin
- [dhcwg] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… ian.farrer
- Re: [dhcwg] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk