Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with DISCUSS and COMMENT)
"Ben Campbell" <ben@nostrum.com> Thu, 01 October 2015 20:37 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0944C1A89FB; Thu, 1 Oct 2015 13:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XTWtD_ahKtBV; Thu, 1 Oct 2015 13:37:13 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402AE1A89F2; Thu, 1 Oct 2015 13:37:13 -0700 (PDT)
Received: from [10.0.1.23] (cpe-70-119-203-4.tx.res.rr.com [70.119.203.4]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id t91Kb9aa023491 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 1 Oct 2015 15:37:09 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-119-203-4.tx.res.rr.com [70.119.203.4] claimed to be [10.0.1.23]
From: Ben Campbell <ben@nostrum.com>
To: Kim Kinnear <kkinnear@cisco.com>
Date: Thu, 01 Oct 2015 15:37:09 -0500
Message-ID: <C847544D-A1AE-4732-9BC6-1C5983A12527@nostrum.com>
In-Reply-To: <0F3826E4-13C7-4348-9271-5439A3304572@cisco.com>
References: <20150930035228.20755.429.idtracker@ietfa.amsl.com> <19846C62-DF4F-402B-A7A6-9D2CE69BD9B3@cisco.com> <2BA9B2AC-116A-4FE5-BA17-AC8758B5C212@nostrum.com> <0F3826E4-13C7-4348-9271-5439A3304572@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/Nzh2_xd0aDx3CVQ9zhInmSuKjS4>
Cc: dhcwg@ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-dhcpv4-active-leasequery-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2015 20:37:16 -0000
Hi, thanks for the response-response :-) Based on your responses, and on discussion among the IESG on today's telechat, I will clear the discuss. Further comments inline. I've removed sections that don't seem to need further discussion. Unless I missed something, I think you've covered all my concerns. Thanks! Ben. On 1 Oct 2015, at 13:04, Kim Kinnear wrote: [...] > > On Sep 30, 2015, at 10:56 PM, Ben Campbell <ben@nostrum.com> wrote: > >> On 30 Sep 2015, at 16:00, Kim Kinnear wrote: [...] >>> On Sep 29, 2015, at 11:52 PM, Ben Campbell <ben@nostrum.com> wrote: [...] >>>> ---------------------------------------------------------------------- >>>> DISCUSS: >>>> ---------------------------------------------------------------------- >>>> >>>> Do you really want to discourage implementations that only support >>>> secure >>>> mode? >>> >>> There are installations who would prefer to operate in >>> insecure mode for operational reasons. That said, we do allow >>> implementation of secure only mode. >>> >>> I don't think that "SHOULD be able to operate in either >>> insecure or secure mode" is all that discouraging to an >>> implementor who feels that secure mode is the only thing that >>> their users want (or should want). >> >> I interpreted SHOULD be able to operate in either mode to mean the >> same as SHOULD NOT be limited to just one mode. Is that not the >> intent? > > Yes, that is the intent. I just don't think that SHOULD NOT or > SHOULD > will keep someone who thinks that secure mode is the only reasonable > mode from implementing only it. > > Would it meet your requirements if I were to say: > > "A requestor SHOULD be able to operate secure mode." > > This way, we don't discourage someone from implementing just secure > mode. While I certainly would not object to that change, if the original text matches the intent, then I am okay with it. >> >>> >>>> Is there a reason not to make secure mode MTI? >>> [...] >> >> To clarify, when I talk about MTI, I mean something to the effect of >> saying implementations "MUST implement the secure mode, and SHOULD >> [or MAY] implement the insecure mode" > > Thanks for the clarification. I was not clear -- the > reasoning for allowing insecure mode is the same as for not > requiring implementation of secure mode. I expect that some > implementations will not wish to implement secure mode at all, > since all of their deployments will be targeted toward > environments which are protected by more global protections. > > One use of Active leasequery is an alternative to providing a > direct connection to the DHCP server's lease state database. > We want to standardize Active Leasequery in such a way as to > facilitate that sort of implementation (which makes insecure > mode appropriate) as well implementations of the more > distributed sort which require secure mode. Thanks for the explanation. We discussed this on the telechat today, and the security ADs are okay without the secure mode being MTI. So I guess I am, as well. [...] >>> >>> I will add this sentence to the Security Considerations >>> section: >>> >>> "Operating in insecure mode (see Section 8.1) does not >>> provide any way to validate the authorization of requestors >>> of a DHCPV4 Active Leasequery request." >> >> That helps, although I think the bigger issue is that even if the >> intended client sits on the same network, insecure mode doesn't >> prevent unauthorized clients _not_ on that network from connecting. I >> noticed that the bulk query draft had some language around using >> external network devices to control access. > > Yes, and we had that in this draft too (word for word) and > were told to remove it since it was too vague (or something > like that). I can put it back in if you want, but that always > feels like I'm not following the rules. > > I don't actually remember who made us take it out. If this is > important to you I can go back and figure it out and see where > they are with this. If you had a good reason to take it out, then I'm okay with it. >> >>> >>>> >>>> The fact that insecure mode at the server does not allow a >>>> requester to >>>> upgrade to secure mode seems brittle. That is, it's easy to >>>> configure >>>> things where the server and requester simply cannot talk. >>> >>> I don't disagree, and initially I had a negotiation approach >>> written into the protocol. In the Int-dir review of the >>> DHCPv6 Active Leasequery draft (which is essentially identical >>> in all respects to this draft) which was done in May 2015, Ted >>> Lemon had me remove all of that and make it so that >>> configuration on the server governed, period. The theory was >>> that, if the server could be contacted from insecure places >>> (or if the data on the server was considered sufficiently >>> confidential), that it would require secure access. End of >>> story. The server knows what sort of data it has and >>> (presumably, though less clearly) knows who can contact it. >> >> That seems to be an argument to allow the server to require secure >> access. I'm fine with that. But the draft also allows the server to >> forbid secure access, even if a client wants to connect securely. Is >> that the intent? > > That is a result, not an intent. We either put some level of > negotiation in, or we don't. Since we took it all out, we don't > have any negotiation. So, the result is that if a client wants > to connect securely and the server doesn't allow it (either because > of configuration or implementation) then they won't talk. Then > someone will either change the client, or they will talk to the > folks that control the server and deal with it. >> >> Also, you mention this should be controlled entirely by the server. >> But it's not, since you also allow the client to be configured for >> secure or insecure access. If I understand correctly, that means a >> client configured for secure access cannot talk to a server >> configured for insecure access. (Note that I'm perfectly happy to >> say a client configured for insecure access cannot talk to a server >> configured for secure). > > Correct. They won't talk. Nothing bad will happen, they just > won't talk. This means that a client that thinks the data had > better be secure won't connect to a server that has been > configured to not support secure mode. > > The model of use of this protocol, even more so than bulk > leasequery, is that the people writing Active Leasequery > requestors are the same people managing the DHCP server. They > are writing Active Leasequery clients because they want to get > at the data in the DHCP server. There will in general be no > more than one Active Leasequery requestor for a DHCP server at > one time. Sure, you *could* have more, but that isn't the > design center here. > > I was all for negotiation, but since I took it out, I am > much more pleased by the result. The clarity is worth it. > > Bottom line -- since we took out negotiation, you can > configure things that will not work. Nothing bad will happen > if you do, other than them not working, but certainly you can > configure things that will not work. I believe that is > better than the complexity of negotiation, in the very > small number of edge cases where it will come up. Okay, thanks for the explanation. I will clear the DISCUSS. >>> >>>> ---------------------------------------------------------------------- >>>> COMMENT: >>>> ---------------------------------------------------------------------- [...] >>> >>> 2. There are legitimate differences as to how important >>> controlling the information in an Active Leasequery response >>> is. We could discuss this at length (and we can if you >>> desire), but for now I would just say that some people think >>> this is really important, and some people see it as less >>> important. >> >> Shouldn't the people who think it's important always have the option >> to configure this? > > while it is easy to say "of course" to that statement, it > really depends on the value of "this". For all values of > "this", no. For this particular value of "this", I would say > that the server implementor should have the say as to what > their server does. There are things I don't think the server > implementor should be allowed to decide, in which case I make > them a MUST. In this particular case, I believe that the > actual risks of some data vs other data in a DHCP request is > not a major issue that has to be mandated by the document. > You should be able to support this standard without having a > configuration capability to decide which of the DHCP options > you will let or not let though an Active Leasequery. > > Not every implementation allows you to configure everything. > If the server implementor didn't believe this was important, > then if you *do* think it is important, you should use a > different server. Okay. >> >>> >>> I have explained why not a MUST in the item #1 of the >>> previous section. >>>> >>>> -- 7.1: "If the attempt fails, >>>> the Requestor MAY retry." >>>> >>>> How many times? How often? >>> >>> >>> In some protocols, the details of retry times and counts are >>> specified in depth. I don't see this protocol as one of those >>> that requires an in-depth specification of these values. I expect >>> that someone implementing a requestor will do something reasonable >>> here. If they don't, it won't work as well as if they did. >>> >>> I can take out this entire sentence if you think it would be >>> better. >> >> My concern is that such failures are likely to have resulted from >> congestion, and lots of retries will increase that congestion. OTOH, >> if it resulted from something other than congestion, then there's a >> high chance the retry will also fail. So my personal (again, >> non-blocking) preference would be to puts some limits on retries, >> even if they are fuzzy limits. The main point is to discourage >> implementations from retrying forever. > > I don't expect that the failure are likely to have resulted > from congestion. I suspect that they are because the DHCP > server is not actually running at the moment (e.g., it crashed > and it is being rebooted, the hardware it was running on died, > etc.) For what that is worth. > > Both you and Spencer Dawkins called this one out, and > I will add: "Retries SHOULD NOT be more frequent than one > every ACTIVE_LQ_IDLE_TIMEOUT (Section 5.3)." > > That means one retry per minute. I don't see that stressing > the network or congesting things. I don't want limit > the time on retries, as a DHCP server could be out of service > for a couple of days (if the hardware dies and it has to be > rebuilt), and then come back. In a failover situation, > that isn't all that uncommon. I've seen it plenty of times. > Works for me, thanks! >> >>> >>>> >>>> -- 7.2: "A requestor SHOULD be able to operate in either insecure >>>> or >>>> secure >>>> mode. This MAY be a feature that is administratively controlled." >>>> >>>> Why only MAY? >>> >>> Same answer as above -- I try to not make requirements on >>> administrative interfaces when I don't have to. >> >> If a requestor allows both, but it's not administratively controlled, >> how would it work? > > I assumed that you might build a requestor that operated in > only one mode because that was the only thing you were willing > to use. If both are allowed, some control would be required. > > I will remove the statement "This MAY be a feature > that is administratively controlled." altogether as a way > of sidestepping specifying this one way or the other. I'm okay with that change. But due to other discussion about the two modes I'm okay if things stay as they were. [...] >>>> >> >>>> "If the handshake exchange does not yield a functioning TLS >>>> connection, then the requester MUST close the TCP connection." >>>> >>>> Is the requester allows to attempt a new connection in insecure >>>> mode? >>> >>> The requestor can initiate a new connection in any mode >>> it wants to. >> >> It seems like an implementation that tries secure mode but falls back >> to insecure mode if secure mode fails is vulnerable to bid-down >> attacks. > > An implementation which operates in insecure mode > is insecure. Unless it is operating in a secure > environment. If it needs to be secure, it should > not retry in insecure mode. Okay. (I asked the security ADs about this, and they were okay with it.) [...] Ben.
- [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-… Ben Campbell
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Kim Kinnear
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Ben Campbell
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Kim Kinnear
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Ben Campbell
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Kim Kinnear
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Kathleen Moriarty
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Kim Kinnear
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Ben Campbell
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Kathleen Moriarty