Re: [dhcwg] [homenet] PPP, DHCPv6 and Prefix Delegation

Roberta Maglione <robmgl.ietf@gmail.com> Fri, 15 November 2013 18:32 UTC

Return-Path: <robmgl.ietf@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42B7211E8234; Fri, 15 Nov 2013 10:32:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.349
X-Spam-Level:
X-Spam-Status: No, score=-1.349 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdGOri28Zi8O; Fri, 15 Nov 2013 10:32:47 -0800 (PST)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) by ietfa.amsl.com (Postfix) with ESMTP id D1F7211E8152; Fri, 15 Nov 2013 10:32:45 -0800 (PST)
Received: by mail-lb0-f181.google.com with SMTP id q8so1832722lbi.12 for <multiple recipients>; Fri, 15 Nov 2013 10:32:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Hqh30GkOYDERXH0bYNYgB58UYk11X7tq5dFzY6D75x8=; b=e1m819OPJbd27g8pwdK9Fcb2DVjjQoLoS94VQbkCy2BmNsrFyZn+YJAWHxaqgoBbBP OQu1kVGJTxEEbPGIrQWbFft6zXOEbIb0gCT5v+6MPpEzRNKsEHWgmHaVH79IPQeetkkg H/cy09H5D6UOOOSfx9JtyNE1cRfV7Pzb42J3JiBqSQonjVz7fIIgpH0YHgFBPoZ2e92v ka8AsoWu2HmbS1xLZIhOcIBTDY6slih03Jb6Mp1c9JI/fpHkvWH1B4Azcf3igp7mtgei SF6hD63q7fmNP0JJdsC4Az4M0wXxKi67YsMMd2LUOvFwA0VPOmyHYSoE0nyXJUD0LyK2 xoCQ==
MIME-Version: 1.0
X-Received: by 10.112.167.3 with SMTP id zk3mr4701210lbb.23.1384540364346; Fri, 15 Nov 2013 10:32:44 -0800 (PST)
Received: by 10.112.159.3 with HTTP; Fri, 15 Nov 2013 10:32:44 -0800 (PST)
In-Reply-To: <3135C2851EB6764BACEF35D8B495596806FB78DF8E@MOPESMBX01.eu.thmulti.com>
References: <11836.1384276281@sandelman.ca> <CAKOT5Ko2OO=U_0jADb6R88JiFh59BLDSe4P0haqgaBr2M7HobA@mail.gmail.com> <3673.1384528283@sandelman.ca> <3135C2851EB6764BACEF35D8B495596806FB78DF8E@MOPESMBX01.eu.thmulti.com>
Date: Fri, 15 Nov 2013 13:32:44 -0500
Message-ID: <CAKOT5KrC1LH-BR9c7T4TKKZ7Bz4zhxCS+QKQ2f8eyto=8BSObg@mail.gmail.com>
From: Roberta Maglione <robmgl.ietf@gmail.com>
To: Wuyts Carl <Carl.Wuyts@technicolor.com>
Content-Type: multipart/alternative; boundary=001a11c264a4981b7f04eb3b6c56
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "homenet@ietf.org" <homenet@ietf.org>, "robmgl@cisco.com" <robmgl@cisco.com>, "radext@ietf.org" <radext@ietf.org>, "dhcwg@ietf.org WG" <dhcwg@ietf.org>
Subject: Re: [dhcwg] [homenet] PPP, DHCPv6 and Prefix Delegation
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Nov 2013 18:32:49 -0000

Please see comments inline [RM]
Thanks
Roberta

On Fri, Nov 15, 2013 at 10:28 AM, Wuyts Carl <Carl.Wuyts@technicolor.com>wrote;wrote:

> All, some feedback from a CPE-vendor, feel free to ignore of course.
>
> 1. Wan links don't NEED global IP address.  This will depend on different
> factors and used protocols.  E.g. a PPP does not need a global IP for sure,
> however, what if you want to run remote management on it through IPv6 ?
>  It's very unlikely to be on the same link, hence link-local might not be
> sufficient.
>
[RM] agree. Remote management was one of the use cases brought up at the
BBF in order to support the numbered model. Somebody argued saying that you
could leave the WAN unnumbered and use the loopback with a prefix taking by
the delegated prefix, but some operators prefer to have a separate single
IPv6 prefix for managing all the RG's.


>
> 2. if the CPE sends an RS, the BNG doesn't have to translate this as
> "please number my link", strange assumption I'd say.
>
> 3. the statement   "After IPV6CP negotiation, the CPE initiates a prefix
> delegation request."  makes sense that DHCPv6 is indeed the local next step
> after PPP IPv6 is "up", however, potentially, manual config is possible, so
> to have this "automatically' in place might be the wrong conclusion
>
> 4. the statement " Further, if the WAN link is numbered as a /64 from
> within the prefix that (will be) delegated, that also would seem to make
> the CPE's firewall even more complex, so I'd rather number it outside the
> PD if it needs to be numbered at all."  Agree that firewall config might be
> more difficult, but don't forget that it saves address space +, more
> important, injects less administration for the ISP to keep track of
> prefixes.
>
[RM] As I mentioned in my other email if you want to use an IPv6 prefix
from the delegate prefix you would need to use prefix exclude option RFC
6603. I agree with you that you would save address space but this model may
not be optimal for the operators that would like to have the management
interface of all the RG's in the same IPv6 prefix in order to
reduce/simplify the number of ACL's that they would need to add in the
network to restrict the access to the management systems.

Thanks
Roberta


> Regs
> Carl
>
>
> -----Original Message-----
> From: homenet-bounces@ietf.org [mailto:homenet-bounces@ietf.org] On
> Behalf Of Michael Richardson
> Sent: vrijdag 15 november 2013 16:11
> To: Roberta Maglione
> Cc: dhcwg@ietf.org WG; homenet@ietf.org; robmgl@cisco.com; radext@ietf.org
> Subject: Re: [homenet] [dhcwg] PPP, DHCPv6 and Prefix Delegation
>
>
> Thank you for the write up.
> It's clear that there is a gap, which TR-187 has filled.
>      http://www.broadband-forum.org/technical/download/TR-187_Issue-2.pdf
>
> RFC4241 is Informational... why didn't TR-187 come to the IETF to
> standardize 4241?  (Will TR-187 get re-issued with the reference to
> access-16 changed to RFC6911?)
>
> ===
> I was wondering this week whether or not the WAN link needed other than
> link-local addresses, and it seems to me that this depends very much on
> whether or not the CPE is going to do all of 6204 or not.
>
> If link-local is enough, then there is no reason to do RS/RA over the WAN
> link at all: stateless DHCPv6 to do PD is enough.
>
> How can the BNG/BNAS know what will happen?   Is it reasonable to assume
> that the
> if the device does a RS that it expects the ISP to number the WAN link
> with a global address?
>
> The documents all seem to suggest that the ISP is going to make a
> provisioning decision a-priori about this.  And this seems to imply that
> all customers will have to be provisioned.... while IPv6 space is very
> large, bigger allocations cost ISPs more money, and so this still seems
> silly.
>
> While the customer can be provisioned, the end user may well swap CPEs in
> and out, and may connect desktop computers directly to the DSL connection
> at times, so making the ISP and the end user agree here seems like a way to
> guarantee truck rolls)
>
> RFC6204 does not (as far as I can see) suggest that (un)numbering the WAN
> link is something the CPE can/should do.  RFC6204 says:
>      W-3:  Absent other routing information, the IPv6 CE router MUST use
>            Router Discovery as specified in [RFC4861] to discover a
>
> yet, RFC4241 omits a RS/RA phase in section 2.2, which specifically goes
>         from IPV6CP (link-address negotiation) to prefix delegation
>
>   2.2. IP Layer
>     After IPV6CP negotiation, the CPE initiates a prefix delegation
>     request.
>
> The diagram in RFC4241, figure 2 also clearly leaves out RS/RA.
> (I remind that 4241 is Informational, not standards track)
>
> If it does PD, then the CPE device can clearly use an address from the
> delegated prefix to originate traffic to the Internet. 4241 suggests
> assigning the "0" subnet network to the router's loopback.
>
> (I note that this could make the CPE's firewall more complex, as one can
>  assume that all PD/56 traffic is to be protected equally.)
>
> Further, if the WAN link is numbered as a /64 from within the prefix that
> (will be) delegated, that also would seem to make the CPE's firewall even
> more complex, so I'd rather number it outside the PD if it needs to be
> numbered at all.
>
> Meanwhile, TR-187 says that Route Advertisements are generated by the BNG.
> (section 5.2
>
> and says:
>     Whenever the Framed-IPv6-Prefix attribute is returned from RADIUS, the
>     BNG includes this prefix as On-Link and Autonomous in the Router
>     Advertisement Prefix Information Option. If this attribute is omitted,
>     the BNG will not send a Prefix Information Option. DHCPv6 is used to
> delegate prefixes.
>
> so this is exactly inline with what I had concluded: number the link if
> provisioned to do so, leave it unnumbered otherwise.
>
> Has this worked well in the field?
>
> section 5.3.1 suggests that the delegated prefix be returned during the
> initial communication with the radius server.  This is great for
> pre-provisioned systems, but seems to premeditate the size of prefixes that
> customers will get, regardless of what they put into their DHCPv6 PD
> request.
>
> It also implies that every customer, even those not yet IPv6 ready, are
> going to get IPv6 prefixes delegated to them, as the various IPv6 radius
> attributes are returned during PPP LCP phase, and before one has any idea
> that the customer is v6 capable.  It also prevents the CPE from turning on
> IPv6 later on without cycling the PPP connection.
>
> I think it would be better to omit that on the first connection, and
> permit the allocation to be driven by the actual DHCPv6.  RFC6911 outlines
> the attributes to be used, but it isn't clear to me that they have to be
> done at PPP LCP time.
>
> It seems that TR-187, in requirement R-22, (section 9), is suggesting that
> /128 addresses be given out via stateful DHCPv6.  But R-29 says /64 for
> SLAAC.
>
>
> Roberta Maglione <robmgl.ietf@gmail.com> wrote:
>     > Basically all the parameters required to configure the RG can be sent
>     > by the RADIUS Server to the BNG (RADIUS client) in the Access-Accept
>     > during the authentication phase and then the BNG (acting as DHCPv6
>     > Server) can use them to number the Wan link and delegate an IPv6
> prefix
>     > to the home network.
>
> Yes,  the delegated prefix could be in the initial Access-Accept, and this
> is easy to do if the prefixes are all statically provisioned.  There are
> radius servers that can do dynamic allocation, but the bigger issue I'm
> concerned about is that the allocation may not be able to reflect what the
> CPE will actually ask for.
>
>     > Please take a look at TR-187 issue2 from BBF
>
>     > http://www.broadband-forum.org/technical/download/TR-187_Issue-2.pdf
>
> Thank you this document is useful.  I'd like to ask that some homenet
> document cite it.
>
>     mcr>  and RFC 4241 for  more details on the architectural model.
>
>     mcr>     Or, if the radius server had returned some kind of session ID
> to
>     mcr> the ppp, it could communicate that to a co-located DHCPv6 server
> (or
>     mcr> relay) to include in the request.
>
> I have been reminded of the radius State attribute which is commonly used.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails
>    [
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>
>
>