[dhcwg] 3315bis question: Changing default DUID to DUID-LL?

Tomek Mrugalski <tomasz.mrugalski@gmail.com> Mon, 23 May 2016 20:01 UTC

Return-Path: <tomasz.mrugalski@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8F9F12DAE3 for <dhcwg@ietfa.amsl.com>; Mon, 23 May 2016 13:01:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xTRxHZq8icS8 for <dhcwg@ietfa.amsl.com>; Mon, 23 May 2016 13:01:50 -0700 (PDT)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 339DB12DAEE for <dhcwg@ietf.org>; Mon, 23 May 2016 13:01:45 -0700 (PDT)
Received: by mail-lf0-x22f.google.com with SMTP id k98so18659214lfi.1 for <dhcwg@ietf.org>; Mon, 23 May 2016 13:01:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=WCI17bXChIQbGh/RJ1BujnnKnc8lLnM2TrstBwrCNoA=; b=LkqwkgXokJZlZJawBiGyjXKiIKnoZ2NG54mBNfnGBmlIePF60TJmKc/wLKaGJHIIIY nuiT9l218b4M8FhskpsEJ77bL7X7gb+w6ILmpX4zkvc8Jwr2o+wdT7yQlaLd75yvgp0g ir7asCcDbRpeTQfjPSLliatHe+cjjyoG8Hm+MPcnK8z9PXqb5ZpyzvlncwkRPOL2pkC8 WbMmGSWYeAg9uRbFIV/sj9VfcOmj9ijN6MDPG3GdmVIoV3s1L2QoPoRTiLULbiqKzbYC 0nTegt9nd/5C6ecs0L7ftJ3ozDVuAZsQHKP+EEQDXcfy4Ba/wQK2lzPj+gTe3T2CqF5n GIbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:references:to:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=WCI17bXChIQbGh/RJ1BujnnKnc8lLnM2TrstBwrCNoA=; b=Gex2SdgOrFvkPDOinrtQY0j8UHQmUFfz26ZILtr6CCShm2bEmutAPPrxdLC+qpvY+e J/fku3EgIHgcCSIOmbnmgT+iyDdJlGv3m8TScLPusIEwgHCXAZMh8yn8iDvwRDfnbcNj eZbc7sz4M0dJMrPIFL+nK5sb4e+rCaQxAKuXy7rqOPi78d8gA4IzlMU4XCOLvQMlSZ/o T/XelERPBBfE7NSPIfQBbsGLZxRZIZ1LFFlEsRuqktsuKgunbwl1vj2NHK8ka2knSGj3 j8JzjairIHPm9VpSLIpeRkANn1clc5EGSIzNJqAC7J1+rQqJQfSEaW0Ij4SNUCY5K2VK PP8A==
X-Gm-Message-State: ALyK8tIdlBnVhpJhU71cV1/31EvfAPHV8AOv9RKQmVRG1NjbNFE5K7AqE9oCKVnJ0ov5YQ==
X-Received: by 10.25.214.92 with SMTP id n89mr4917218lfg.162.1464033703155; Mon, 23 May 2016 13:01:43 -0700 (PDT)
Received: from [10.0.0.100] (088156132194.dynamic-ww-4.vectranet.pl. [88.156.132.194]) by smtp.googlemail.com with ESMTPSA id uh4sm6011959lbb.46.2016.05.23.13.01.41 for <dhcwg@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Mon, 23 May 2016 13:01:42 -0700 (PDT)
References: <574093A8.5040300@gmail.com>
To: dhcwg <dhcwg@ietf.org>
From: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
X-Enigmail-Draft-Status: N1110
X-Forwarded-Message-Id: <574093A8.5040300@gmail.com>
Message-ID: <574361A4.9040907@gmail.com>
Date: Mon, 23 May 2016 22:01:40 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <574093A8.5040300@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/KEo5wG3C1Q2xsVmhijTmeHPaWDs>
Subject: [dhcwg] 3315bis question: Changing default DUID to DUID-LL?
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 May 2016 20:01:52 -0000

Hi,

People (in particular those people that run actual networks, but never
come to IETF) complained about DHCPv6 being difficult to use, because
DUIDs of new devices are unknown until the device is booted up. This is
opposed to MAC addresses that are typically printed on the devices. This
information could be used directly if the clients used DUID-LL rather
than DUID-LLT by default. See forwarded email below for more details.

The proposal is tweak existing text in RFC3315bis to explicitly say that
DUID-LL is the default (existing text suggested that DUID-LLT is the
default if device has clock and a stable storage and that's how it was
interpreted by most vendors).

Recently we discussed this on dhcpv6bis list. The responses were
favorable, but there's strong agreement that change of this scope
requires consensus in DHC WG. You can review the previous discussion on
dhcpv6bis here:
https://mailarchive.ietf.org/arch/msg/dhcpv6bis/0r50PZd_oGBtkzP3L3wRkBEqNUg

Two technical points were made:

1. Bernie pointed out that Cable labs already requires using DUID-LL for
cable modems.

2. Ted pointed out that DUID-LL does not reveal anything more than
DUID-LLT already does, so there's no problem from privacy perspective.

So, what's your opinion on this?

Tomek

-------- Forwarded Message --------
Subject: Changing default DUID to DUID-LL?
Date: Sat, 21 May 2016 18:58:16 +0200
From: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
To: dhcpv6bis@ietf.org <dhcpv6bis@ietf.org>

I recall we did talk about this briefly, but I can't find anything
specific posted to dhcpv6bis.

Once in a while sysadmins keep asking why DHCPv6 is using DUID-LLT as
default, rather than just LL. Here's an example of such question asked
last week:
https://www.facebook.com/groups/2234775539/permalink/10154080188010540/
(if you don't have facebook account, you can still see the discussion by
clicking X comments link).

The details vary, but the general objection is still the same. There's a
large enterprise or similar organization and the sysadmin would like to
know DUIDs of the devices he's about to plug into his network to do host
reservation, access control or provide some options on a per host basis.
He can't do that without powering up every device and letting it
generate its LLT duid.

There are several twists to this. First, some people claim it's
difficult to extract generated DUIDs from many operating systems, so
cases where users themselves are expected to provide their DUID, even if
the device was booted up already, are problematic for users to handle.

Another objection is that most hardware these days have MAC address
printed on it. Vendors can't really print DUIDs as they are not known
during manufacturing phase.

As I understand it, the original rationale for using LLT rather than LL
as default was to avoid cases when switching faulty NIC would make the
client to change its DUID. This is very 1990s. If you disagree with
this, when was the last time you replaced faulty interface card? Also,
the mechanism we have right now - generate the DUID and store it -
effectively solves the concern.

So, what's your opinion on making the DUID-LL the default for regular
devices (i.e. those with clocks and stable storage for generated DUIDs)?

Tomek