IETF Logo Mail Archive

Re: [dhcwg] DHCPv6 RAAN options

"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 15 August 2014 20:46 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3359D1A0545 for <dhcwg@ietfa.amsl.com>; Fri, 15 Aug 2014 13:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.869
X-Spam-Level:
X-Spam-Status: No, score=-4.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ar0GMSI-7MUK for <dhcwg@ietfa.amsl.com>; Fri, 15 Aug 2014 13:45:59 -0700 (PDT)
Received: from slb-mbsout-02.boeing.com (slb-mbsout-02.boeing.com [130.76.64.129]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 597D51A050E for <dhcwg@ietf.org>; Fri, 15 Aug 2014 13:45:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by slb-mbsout-02.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id s7FKjx7Y027218; Fri, 15 Aug 2014 13:45:59 -0700
Received: from XCH-BLV-508.nw.nos.boeing.com (xch-blv-508.nw.nos.boeing.com [130.247.25.198]) by slb-mbsout-02.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id s7FKjlHx026713 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK); Fri, 15 Aug 2014 13:45:48 -0700
Received: from XCH-BLV-407.nw.nos.boeing.com (2002:82f7:19a5::82f7:19a5) by XCH-BLV-508.nw.nos.boeing.com (2002:82f7:19c6::82f7:19c6) with Microsoft SMTP Server (TLS) id 14.3.181.6; Fri, 15 Aug 2014 13:45:47 -0700
Received: from XCH-BLV-504.nw.nos.boeing.com ([169.254.4.6]) by XCH-BLV-407.nw.nos.boeing.com ([169.254.7.129]) with mapi id 14.03.0181.006; Fri, 15 Aug 2014 13:45:47 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: "Bernie Volz (volz)" <volz@cisco.com>, Ted Lemon <ted.lemon@nominum.com>
Thread-Topic: [dhcwg] DHCPv6 RAAN options
Thread-Index: Ac+yf+stS7sJIaihTkKQdnTDfuT8QwAPkPgAAA579MD//5LdgIAAdPIw//+RDACAAHTV8IAA4dxQ//67BgD//2x8wAAnctNw///+rmD//4QYAP//fRpg//6AaAD//XWcsP/vOK6A/97gIwA=
Date: Fri, 15 Aug 2014 20:45:47 +0000
Message-ID: <2134F8430051B64F815C691A62D9831832CF25D2@XCH-BLV-504.nw.nos.boeing.com>
References: <2134F8430051B64F815C691A62D9831832CECA61@XCH-BLV-504.nw.nos.boeing.com> <83E91E35-3F30-4659-B4AE-58DD11E74DB6@nominum.com> <2134F8430051B64F815C691A62D9831832CECB68@XCH-BLV-504.nw.nos.boeing.com> <075FB3EE-EA09-4CBD-AFE9-CF14E77ED007@nominum.com> <2134F8430051B64F815C691A62D9831832CECBF5@XCH-BLV-504.nw.nos.boeing.com> <9C369D15-88ED-4E1E-8138-A538760C6FDE@nominum.com> <2134F8430051B64F815C691A62D9831832CECC7B@XCH-BLV-504.nw.nos.boeing.com> <2134F8430051B64F815C691A62D9831832CECD1A@XCH-BLV-504.nw.nos.boeing.com> <35F4F6CF-7CBC-4935-9E9F-2EC946D7EBB7@nominum.com> <2134F8430051B64F815C691A62D9831832CED2CD@XCH-BLV-504.nw.nos.boeing.com> <65C2A9BF-B153-4BD0-89EF-6D7D8FE459B3@nominum.com> <E5A9495C-DC3F-4CA3-8448-F6F510DA587E@gmail.com> <2134F8430051B64F815C691A62D9831832CED559@XCH-BLV-504.nw.nos.boeing.com> <DA0A1AF1-9E75-4509-A14F-8E0161F409BF@nominum.com> <2134F8430051B64F815C691A62D9831832CED5E7@XCH-BLV-504.nw.nos.boeing.com> <F14EC75C-D91C-47F5-A988-4E33A22D35A7@nominum.com> <2134F8430051B64F815C691A62D9831832CED674@XCH-BLV-504.nw.nos.boeing.com> <489D13FBFA9B3E41812EA89F188F018E1B6568D8@xmb-rcd-x04.cisco.com>
In-Reply-To: <489D13FBFA9B3E41812EA89F188F018E1B6568D8@xmb-rcd-x04.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.247.104.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/N4i5AvmIfhOaD1SmUy8jDi-Ebu4
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, Ralph Droms <rdroms.ietf@gmail.com>
Subject: Re: [dhcwg] DHCPv6 RAAN options
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 20:46:01 -0000

Hi Bernie,

> -----Original Message-----
> From: Bernie Volz (volz) [mailto:volz@cisco.com]
> Sent: Friday, August 15, 2014 1:13 PM
> To: Templin, Fred L; Ted Lemon
> Cc: dhcwg@ietf.org; Ralph Droms
> Subject: RE: [dhcwg] DHCPv6 RAAN options
> 
> Fred:
> 
> How about a 3rd option ...
> 
> Perhaps you should look at the Active Leasequery work as that might be a better option for the Relay
> tracking what the server has?
> 
> See http://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-active-leasequery.

Thanks - will have a look.

> One issue for RAAN and even Relay gleaming the Reply is that the Reply message might be lost and never
> get to the Relay. The client may not retry (or all Releases suffer from this issue) - it is suggested
> that the client retry, not a requirement.
> 
>    Because Release messages may be lost, the client should retransmit
>    the Release if no Reply is received.  However, there are scenarios
>    where the client may not wish to wait for the normal retransmission
>    timeout before giving up (e.g., on power down).
> 
> (I guess we could argue here that 3315 should say "Because Release or Reply messages may be lost ...".
> Perhaps another 3315bis item if we haven't caught this already? No, at least not as of the bis 02
> document.)

I think the client not retrying the Release is probably something else
to be concerned about, yes.

> On the other hand, I'm also not sure how serious this issue is. The Relay is probably keeping some
> state about what addresses/prefixes are in use by what clients. So, when a Release is received, it can
> at least validate that the client has this lease and remove it. If a rouge client did the Release,
> what happens?

A rogue client is exactly the case of concern. I have a link on which
rogue nodes can easily masquerade and attempt to cancel the leases of
legitimate clients. For that, I am depending on DHCP authentication.
But, if the relay agent can't inspect IAs in the Reply coming back
from the server it has no way of knowing *what* (if anything) has
been released.

> I guess that depends on what the Relay is doing with this information. If the Relay is
> also acting as a router or network traffic cop, such as in DOCSIS CMTS, when a unknown addresses is
> seen, the Relay does a Leasequery to the server to ask it who is using this address. If it gets back
> information, it updates it state tables and all is well. (Note that PD leases can be recovered - as
> the Leasequery will return the PD lease containing the address). The only bad thing when the Relay
> removes the lease early is that if it was injecting the PD into the routing table, that would
> obviously stop and potentially be a problem.

Relay acting as a router, e.g., for PD is the case I am considering.
 
> Note that Bulk LQ might also be needed by the Relay to recover state if the relay loses stable
> storage? Hence, using Active LQ may not be such a stretch to avoid these security holes.

I'll look at active LQ. Per my earlier messages today, however, I am
also looking at ways I can get relay agents out of the picture and
just have direct client<->server transactions so that we don't have
to go through the gleaning headaches. I will post something on this
soon.

Thanks - Fred
fred.l.templin@boeing.com 

> - Bernie
> 
> -----Original Message-----
> From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Templin, Fred L
> Sent: Friday, August 08, 2014 12:48 PM
> To: Ted Lemon
> Cc: dhcwg@ietf.org; Ralph Droms
> Subject: Re: [dhcwg] DHCPv6 RAAN options
> 
> Hi Ted,
> 
> > -----Original Message-----
> > From: Ted Lemon [mailto:ted.lemon@nominum.com]
> > Sent: Friday, August 08, 2014 9:34 AM
> > To: Templin, Fred L
> > Cc: Ralph Droms; dhcwg@ietf.org
> > Subject: Re: [dhcwg] DHCPv6 RAAN options
> >
> > On Aug 8, 2014, at 12:24 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> > > It is a link-layer consideration that occurs below the IPv6 layer.
> > > So, yes it is DHCPv6 over a specific link layer.
> >
> > Right, I don't think this makes sense as an Internet standard unless
> > there's some broad applicability, in which case that would have to be documented as a DHCP extension
> first.
> >
> > > If that is still troubling, then please also consider the case of a
> > > link that is physically constrained to have only a single
> > > DHCPv6 relay.
> >
> > A special extension to DHCP just to account for this use case seems like the wrong approach when you
> > consider the general applicability of the DHCP protocol.   ISTM that either solution we've talked
> > about would work for you as a private hack, but the question is which
> > one (if any) makes sense as a standard extension to DHCP.
> 
> Just so we can be clear on the alternatives, the first one we talked about was to ask the server to
> include in its Reply message any IAs that were released as a result of the client's Release message
> and with lifetimes set to 0. The second alternative was to resurrect RAAN options somehow.
> 
> If I am understanding this correctly, then the RAAN option provides a convenient way of relay agent
> gleaning. But, option 1 would still allow for a slightly less convenient means for gleaning.
> 
> Thanks - Fred
> fred.l.templin@boeing.com
> 
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email