IETF Logo Mail Archive

Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023

Mark Smith <markzzzsmith@gmail.com> Mon, 25 September 2023 14:07 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0263EC14CF1D for <dhcwg@ietfa.amsl.com>; Mon, 25 Sep 2023 07:07:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.593
X-Spam-Level:
X-Spam-Status: No, score=-6.593 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pR_jtgMGu0VR for <dhcwg@ietfa.amsl.com>; Mon, 25 Sep 2023 07:07:42 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CF7BC1522AF for <dhcwg@ietf.org>; Mon, 25 Sep 2023 07:07:42 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-9a9cd066db5so862633866b.0 for <dhcwg@ietf.org>; Mon, 25 Sep 2023 07:07:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695650860; x=1696255660; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/bZ2zk5qmCV9qi97vendcgZ3o1wO0+gJsWSKfuXDPsE=; b=maR3coxfJ4vIn0T6evtA1h8wdrHgzB2tqhsEuw2u/p7wrz5C2L/TRg0LoGX5iK8XQp PeLFYuOoSBKcDCBixaTAv/Tz6gQaf8tsPg8homlG5ChTgoAFCfRpAfZjR5papYWXziF1 ZuahimKFb9ddzI6T9b6l69NakuKPGT/pIZdSgratMf1t5Qb/ery0Y7bFtSxrX01vN4FD yHZFJ754z0k3Eew2AUu/slFjV0MuyHtzM4iNRlL0bvG2KdRgOTUAb0C64Oo3tCACWZHl s82xmpzI+IpoD6seYEXibph1Xy431B0UM+T/Wki+p1EWbsSFoe5AXzrsVrcVZzIbRzsn WAHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695650860; x=1696255660; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/bZ2zk5qmCV9qi97vendcgZ3o1wO0+gJsWSKfuXDPsE=; b=WwtbfRU9S+/jWTOowBDlMgTHx6q2Iob45WGfQW+jppBVpYUo78g5MQp7goRgrHmiZd vZLUyrLjcj5zVGZ/xpfG1UMIGbWW7A0kSSW5h0c9xwjCxHynuXC6Gm37PZX8kP1z3HM5 s6f+dkrOlA22PWOpW0LmIojFPOEsnSPvrUEm6y60THd+fzwjIhaQfpfqAcv5/54CtcwY PxgPM/IRXrEkNrQw3+QMHwEpVMD6k7jBCrjRAJuovypt+WCyKURB2yaYlz6nUi70F0HI qxyQzMmlsKrq24APVj/b0EaEp6tZE/RFow9QkaZAU9aw18wZ2hWyRb28ZP1GEeVM7sYX gFlg==
X-Gm-Message-State: AOJu0YyrmR12+hUMz4BcOO6Usb2jSRogsEcy4LMYfA8ZnvGkYijSvLPw sixKOlt9ATmifRmgXHSwQTcvTFMXzBNr4fyiNMI=
X-Google-Smtp-Source: AGHT+IGx39pM7yoxZqPXHDBQBpqI3lNmxHrOHzOi2bktYPuBlYjZJLWfOgpv++31PfSKv036DY2eFM1M1tBl7mOHQc4=
X-Received: by 2002:a17:906:220f:b0:9ae:65e5:497d with SMTP id s15-20020a170906220f00b009ae65e5497dmr6847746ejs.59.1695650860229; Mon, 25 Sep 2023 07:07:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAJgLMKvATJP78ONPc8f6kG2eNWq83XCTSdvRLVGKWB26JGrANQ@mail.gmail.com> <1E185C09-B45E-4B1E-81F8-3CB6141B9881@employees.org> <CAJgLMKtYy2U1vScQoW4eWD3sLipeUTak7BqkELXZ61=6_cKJDQ@mail.gmail.com> <1418C8C0-DBCA-4222-B1C4-604E4B389DEA@employees.org>
In-Reply-To: <1418C8C0-DBCA-4222-B1C4-604E4B389DEA@employees.org>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 26 Sep 2023 00:07:30 +1000
Message-ID: <CAO42Z2yUT628xbyi9hA_adxtVNm17spgVsb=LRhVK2KXuqP=2g@mail.gmail.com>
To: Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: Timothy Winters <tim@qacafe.com>, dhcwg <dhcwg@ietf.org>, Ted Lemon <mellon@fugue.com>
Content-Type: multipart/alternative; boundary="0000000000002fe96c06062f7bfd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/N5t1pCK2qggmPY5qNGrHyZdG5YA>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2023 14:07:47 -0000

On Mon, 25 Sept 2023, 23:55 Ole Troan, <otroan=
40employees.org@dmarc.ietf.org> wrote:

> > We have had some operators' interests in this solution over scrapping
> switches and routers.   I think it would be helpful to hear from network
> operators or DHCPv6 server solutions about how viable and deployable this
> solution is.
>
> I hope we are not suggesting scrapping all switches and routers.
> Wouldn’t be much of a network then! :-D
>
> It would be useful to hear from enterprise network operators indeed.
> We need to make it clear to them that this mechanism depends on hosts
> (voluntarily) notifying the DHCP server about it’s addresses. And unless
> that’s also enforced through the network in other ways, the information
> given is “just another datapoint with some probability of being correct”).
>
> “Scraping” of routers and switches isn’t the direct alternative to DHCP
> address notification. Although some level of first hop security functions
> is likely required. I would think DHCPv6 address assignment is the obvious
> solution instead of this.
>

DHCPv6 isn't a solution when you think about what the security requirements
are.

The Stateful DHCPv6 Myth. No, it doesn't record IPv6 addresses in use.
Neither does DHCPv4.
https://ipv6tao.blogspot.com/2021/09/the-stateful-dhcpv6-myth-no-it-doesnt.html?m=1


> O.
>
>
> >
> > ~Tim
> >
> > On Sat, Sep 23, 2023 at 4:08 AM Ole Trøan <otroan@employees.org> wrote:
> > Thanks Tim,
> >
> > I do wonder if it’s not worth doing a complete retake of this proposal.
> >
> > If the operator requirement is to know which address has been in use in
> the network by which device at any point in time, then that cannot be
> guaranteed with this mechanism. Existing first-hop security mechanisms in
> switches and routers would be much more robust.
> >
> > O.
> >
> >> On 22 Sep 2023, at 22:22, Timothy Winters <tim@qacafe.com> wrote:
> >>
> >> Hi Everyone,
> >>
> >> The working group had some great discussion about this document during
> the WGLC.    Based on the discussion it didn't pass WGLC at this time.  It
> will mostly need another round of discussion and potentially a revision
> based on those discussions.
> >>
> >> Additionally, Bernie and I discussed and think it's a good idea to wait
> to ask IANA for a early code points until we have passed WGLC.
> >>
> >> Regards,
> >> Tim
> >>
> >> On Thu, Sep 14, 2023 at 3:16 PM Bernie Volz <bevolz@gmail.com> wrote:
> >> An interesting question may be do we need new messages at all? Using
> Information Request / Reply with new option is perhaps cleanest?
> >> - existing clients can do what they do today
> >> - existing servers (and relays or other snoopers) will not know option
> so ignore (hopefully silently)
> >> - existing servers only see “more” Information-Request for clients not
> supporting this new work when enabling O-bit to request address
> registrations
> >> - “new” clients that do SLAAC when O-bit set and did support
> Information-Request can do initial registration in first message (or send
> when address assigned) and do periodic updates (perhaps even ask for other
> options via ORO to refresh information) … they may actually have no more
> messages than today (well, except if they have multiple SLAAC addresses as
> need to use a separate Information-Request for each) … they could also
> decouple previous and new behavior at increase in traffic.
> >> - registration only clients that did not use Information-Request
> previously add new traffic … which is exactly what we want
> >>
> >> The only downside is it kind of overloads Information-Request as it is
> now also a client to server communication. Though the client already can
> send information to server in Information-Request (user class, vendor
> class, vendor information, …). And, we could say the client is asking
> whether the server supports registration (by getting new option in Reply).
> >>
> >> Note: It may be worth thinking about making use of the new
> “registration address” option’s encapsulated options field if client wants
> to send other information (such as fqdn). This isn’t really bad as this is
> likely address specific and any server that wanted to do something with
> this data needs updating anyway. This keeps all of the registration
> information hidden from those devices that don’t that registration option.
> >>
> >> Anyway, this is now a very good reason to hold off on early assignment
> for message types (and likely say WGLC failed).
> >>
> >> - Bernie (from iPad)
> >>
> >>> On Sep 14, 2023, at 2:32 PM, Bernie Volz <bevolz@gmail.com> wrote:
> >>>
> >>> Hi:
> >>>
> >>> (Just catching up and responding to this as was asked
> specifically…there could have been more I haven’t yet read.)
> >>>
> >>> 8415bis only prohibits IA options in Information-Request
> >>>
> >>> 16.12. Information-request Message
> >>>
> >>> Clients MUST discard any received Information-request messages.
> >>>
> >>> Servers MUST discard any received Information-request message that
> >>> meets any of the following conditions:
> >>>
> >>> * the message includes a Server Identifier option (see
> >>> Section 21.3), and the DUID in the option does not match the
> >>> server's DUID.
> >>>
> >>> * the message includes an IA option.
> >>>
> >>> I wonder however if having an Address Registration option specifically
> would be better (the Information-Request and new registration request could
> use this instead of IA_Addr option). This might avoid an overly aggressive
> server or relay that checks the Information-Request or its Reply for
> options from doing odd things if it sees the IAAddr. If we’re trying to
> make things safe, this may be best. Note also that it may help other
> devices in the path that may want to snoop for this data. (But it could
> have downside if any “options” are developed as then those specifications
> would need to determine if they are also allowed in this new address
> option).
> >>>
> >>>
> >>> On a separate note, one issue the current draft may need to document
> and is a consideration is that when O-bit (RA) and A-bit (PIO) is set, a
> registration only server should really support Information-Request as it
> will also get lots of those from clients that support DHCPv6 - it may just
> send back a pretty empty Reply.
> >>>
> >>> By using Ted’s suggestion of using Information-Request, it would be
> natural for registration only to be implemented at least sufficiently to
> send a well formed Reply even when not address registration request.
> >>>
> >>> It seems like a clever idea to use Information-Request at least for
> initial determination of support.
> >>> - it avoids extra packets.
> >>> - client could honor server’s INF_MAX_RT to reduce frequency of
> probing (likely periodic probing is not a bad idea).
> >>>
> >>>
> >>> - Bernie (from iPad)
> >>>
> >>>> On Sep 14, 2023, at 11:29 AM, Lorenzo Colitti <lorenzo@google.com>
> wrote:
> >>>>
> >>>> On Fri, Sep 15, 2023 at 12:22 AM Ted Lemon <mellon@fugue.com> wrote:
> >>>> What I think would be most expedient (if we must use DHCP to probe
> for support of address registration) would be to do the first address
> registration as an information request with the additional information in
> the information request, using the source address being registered. If the
> reply that comes back confirms the address registration, then all
> subsequent address registrations on this link would be sent as address
> registrations.
> >>>>
> >>>> Well, but if we can come up with a reasonable way to represent an
> address registration using an information-request packet, then why not make
> all registrations be information-request packets?
> >>>>
> >>>> +Bernie Volz any thoughts on using information-request and reply
> messages, instead of the new addr-reg-inform and addr-reg-reply messages
> currently defined in the draft?
> >> _______________________________________________
> >> dhcwg mailing list
> >> dhcwg@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dhcwg
> >> _______________________________________________
> >> dhcwg mailing list
> >> dhcwg@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dhcwg
>
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>

v2.23.0 | Report a Bug | By Email