IETF Logo Mail Archive

Re: [dhcwg] draft-ietf-dhc-server-override-03.txt returned to dhc WG for review (2nd call for review)

Ted Lemon <Ted.Lemon@nominum.com> Tue, 14 March 2006 21:24 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FJH0R-0002MU-G5; Tue, 14 Mar 2006 16:24:39 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FJH0P-0002IS-CM for dhcwg@ietf.org; Tue, 14 Mar 2006 16:24:37 -0500
Received: from shell-ng.nominum.com ([81.200.64.181]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FJH0O-00066g-Nu for dhcwg@ietf.org; Tue, 14 Mar 2006 16:24:37 -0500
Received: from vpn-38.vpn.nominum.com (vpn-38.vpn.nominum.com [128.177.199.38]) (using SSLv3 with cipher EXP1024-RC4-SHA (56/128 bits)) (Client did not present a certificate) by shell-ng.nominum.com (Postfix) with ESMTP id 8452B56823; Tue, 14 Mar 2006 13:24:35 -0800 (PST) (envelope-from Ted.Lemon@nominum.com)
From: Ted Lemon <Ted.Lemon@nominum.com>
Organization: Nominum, Inc.
To: dhcwg@ietf.org
Subject: Re: [dhcwg] draft-ietf-dhc-server-override-03.txt returned to dhc WG for review (2nd call for review)
Date: Tue, 14 Mar 2006 14:24:29 -0700
User-Agent: KMail/1.9.1
References: <20060309193834.GF27300@isc.org> <4.3.2.7.2.20060314120158.0316cc88@email.cisco.com>
In-Reply-To: <4.3.2.7.2.20060314120158.0316cc88@email.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200603141424.30346.Ted.Lemon@nominum.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e1b0e72ff1bbd457ceef31828f216a86
Cc: Margaret Wasserman <margaret@thingmagic.com>, Stig Venaas <stig.venaas@uninett.no>, Ralph Droms <rdroms@cisco.com>, "Mark Townsley (townsley)" <townsley@cisco.com>, Kim Kinnear <kkinnear@cisco.com>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org

On Tuesday 14 March 2006 10:56, Kim Kinnear wrote:
> We certainly don't have the only server which NAK's renewals, and
> I thought that this was old news indeed -- about the state
> transition diagram allowing NAK's on renews.

It is.   The Nominum DHCP server and the ISC DHCP server can both NAK renewals 
as well, if the client is no longer allowed to have a particular IP address 
that it's trying to renew.   This is very old news indeed.

> Now, I've never discussed NAKing renews with anyone based on
> network attachment, and indeed, our server has code that is
> functionally similar that described by David -- we don't NAK a
> renew based on network connnectivity, only a rebind.  But that
> doesn't mean that in general we can't NAK a renew -- far from it.

Right, and in fact server override makes it more likely that things will 
function correctly: because we are now intercepting the DHCP client message 
at the relay agent and setting giaddr, the server can be *sure* whether the 
client's IP address is valid on the link to which it is connected.   With 
unicast renewals, we have no way of knowing, and indeed we have to guess.   
So server override actually takes us down a cleaner and safer code path - it 
makes things better, not worse.

> Issue #2: Load balancing generates multiple ACK's.
>
> This certainly is an issue, and does make load balancing largely
> uninteresting in a situation where you would use the
> server-id-override sub-option.  On the other hand, failover would
> still work -- you just don't get any effective load balancing.
>
> We've viewed this as the price you pay to talk to a DHCP client
> that you wouldn't otherwise be able to talk to, and given the
> circumstances, a small price to pay for that capability.
>
> It would be nice to be able to tell a unicast from a broadcast in
> the packet forwarded from the relay agent.  That would make load
> balancing work and would also allow a solution to #1 and #3.

Actually, there's another way to look at this: we have an opportunity to solve 
this problem now.   We could define a way to do load balancing at the relay 
agent (in a separate draft), and require that relay agents that implement 
server override also implement load balancing.   This might be a thing worth 
considering, since currently the load generated by forwarding renewals to 
both servers will be substantial.

> Issue #3:  Clients can get multiple ACK's to a renew, not just a
> rebind.
>
> At present a client can get multiple ACK's to rebind, but not a
> renew.  This would go away if issue #2 was solved somehow, since
> that is how this situation occurs.
>
> Given that client's expect multiple responses from a rebind,
> we've never seen issues with clients from multiple ack's from
> renews, for what that is worth.

Furthermore, if the servers are correctly configured, the renews should be 
interchangeable - the only difference will be which server gets picked, and 
this is immaterial because with server override, there will never be a case 
where load is directed to a particular server based on whether or not it was 
the server that renewed a particular lease.

> The question comes to -- how to have the relay agent tell the
> server the packet was unicast or broadcast.  The obvious answer
> is add information to the server-id-override sub-option, a flags
> byte perhaps.

I don't think this is necessary or worthwhile.   I don't see any upside in 
sending this flag, because, as you say, existing clients support DHCPNAK at 
DHCPRENEW.

>
> But there is a larger problem related to this one that deserves
> some discussion:
>
> One major issue with implementing advanced capabilities in the
> DHCP server is the lack of option-82 information in the unicast
> renew packets.  One solution to this is to never answer renews,
> but just answer rebinds, which works but is less than optimal.

I thought the whole point of server override was to make sure that every 
packet, renewal or not, went through the relay agent, and thus was elegible 
to have option 82 added to it.   Not so?

Anyway, from my perspective, I think that the right thing to do here is:

(1) allocate the suboption code now, so that implementation isn't held back by 
the roadblock I'm about to suggest (I don't *think* we are required not to 
allocate a suboption code prior to RFC).

(2) Write a new draft that describes how relay agents do load balancing.   
[[Short summary - they get the balance mask from the server somehow; they use 
it to decide where to forward _any_ DHCP packet; they check the value of the 
secs field and forward to all servers if secs is over some preconfigured 
limit.]]

(3) Require that conforming implementations of server override also implement 
the relay agent load balancing protocol.

I think that this would do it.   I think the DHCPNAK issue is a red herring.

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email