IETF Logo Mail Archive

Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

Bernie Volz <bevolz@gmail.com> Sat, 13 August 2022 11:43 UTC

Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12375C157B4C for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 04:43:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RVVSuLc5c5xv for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 04:43:14 -0700 (PDT)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522F7C157B55 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 04:43:14 -0700 (PDT)
Received: by mail-qv1-xf36.google.com with SMTP id b7so2374609qvq.2 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 04:43:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:cc:date:message-id:subject:mime-version:from :content-transfer-encoding:from:to:cc; bh=9A753oJ2oYUq9lq/CKgTJBNy+9Z8WUqtR+2inoCTHd4=; b=Gyjg+euDrAZrXBqnQilW9DeCBUShGYGR/oYRdcnzpGY5VR1TMkvrvehfBqUIzDuhui Pdgce8XVjU5M3/oS/57o4w1q/qoA103Ara2q2eYeryNfRtI5Y0r5NxBm+f9eAS6rFvYJ FLBfpymnNZeCbHUFdMeZR++Z8ORNoJRj7kjy3MT+z6DSeMGlNK9jYOVV5GamGtI0C/ew +aULF90WKYEPCaFpyt0N4TYmTML/6iD5/3s8svkkXfo7XGTXnRXvE8zfBlEqfQhOhA23 Sun0GnCfH2I0EFPw0gjDAduFR7C1uD/pcY5hnJeT0ff60jY5o5Icj2ji60FajzwaoqUI yWrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:cc:date:message-id:subject:mime-version:from :content-transfer-encoding:x-gm-message-state:from:to:cc; bh=9A753oJ2oYUq9lq/CKgTJBNy+9Z8WUqtR+2inoCTHd4=; b=60nfjtVwIQyFUKM2IeaEHdt6MANISl2AyzOzo2raJ/c//2zLURrrLhq7vdzM9PZUe3 QUudznzsb0MCHsA4XZWV2iY6S8M8+1xlVSHp7Hfz/XXg+jPgC8l2NJCanlpUkox2yqSZ WPlPVkMxcyaok9pychPts3PyvEXQfsZPOOnBqzofeqZyWUJEhpcXiuEcm0RrzicnFC1U ICfX2XScoXrwSj54zY1obnTtvhO9E498H34Ncp0xnKsyc2RktUfyePgl65OtQkc0jadJ u7QesAZs2qFaL/zj8Xb3e5aStO18DMq/DVCq9xjkGDz1w15vQqLuVdWaWWqYOOHg2nwk mZVw==
X-Gm-Message-State: ACgBeo2ucyb0yQyDANnU7ap04LkUHF6GZlZRW3pEDxzkar4XGGyLkv12 2+llzKl1QhBMamHNYgHPlLAtQ1E0dg==
X-Google-Smtp-Source: AA6agR4CGOOm2d+wTefVglmxQedXpGGG4x2NoRuBUQFrMBEjWY20ixwGgJb4CvGPpM9hP6Ixm6dipw==
X-Received: by 2002:a05:6214:b6a:b0:474:90b4:f5eb with SMTP id ey10-20020a0562140b6a00b0047490b4f5ebmr7106778qvb.104.1660390992737; Sat, 13 Aug 2022 04:43:12 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id ew6-20020a05622a514600b00342f917444csm3807155qtb.85.2022.08.13.04.43.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 04:43:12 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-9567FD1D-E15D-404F-A55C-D3B1930D4512"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Message-Id: <66A9F135-F1AC-45DE-8981-78F4959689A9@gmail.com>
Date: Sat, 13 Aug 2022 07:43:11 -0400
Cc: dhcwg@ietf.org
To: Michael Richardson <mcr@sandelman.ca>
X-Mailer: iPad Mail (19G71)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/OQkLuGc8Eq0rYm3zvn1NvoN-3tU>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 11:43:18 -0000

These are great points Michael.

For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues.

If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between?

- Bernie Volz

> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote:
> 
> This document seems to require many changes to many systems.
> Do I hear that Google is willing to do this for Android?
> I am very enthusiastic about having better information.
> 
> It works only if all the devices implement it, it's not that useful until all
> the devices do it.  Until that happens, then it's completely useless to the
> helpdesk.
> It requires updates to DHCPv6 server, assuming that there is one, which if
> you are using SLAAC... you probably don't even have one.
> It does not require updates to the core routers, which is the only
> interesting part.  {But, in homes and small offices, and remotely supported
> small offices with a b2b ISP..., that's all the same openwrt box.}
> 
> It seems that if one already had an SNMP or YANG/NETCONF feed from the
> routers for the Neighbor Entry Cache, that feeding that into the "database"
> would be good.
> 
> Warren eventually says that he thinks this would be *more* complicated, and I
> read his slide 10.... and come-on.   You hacked up something that needs to be
> clearly coded correctly in the router.  Yes, it's chatty, but it doesn't need
> to tell about every state transition.
> BUT, even if it did, who cares if you can't read it scrolling on your screen.
> That's what the networking monitoring system is for.  Actually, I think you
> just proved how easily this could be done even without code changes to the routers.
> 
> So, I don't think that I agree at all.  The best part about linking it to the NCE
> is that if the NCE is bad, overwhelmed or has been forged, then the client
> machine probably doesn't get connectivity anyway.  There is some fate sharing here.
> 
> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay
> path.  This is very much akin to the Accounting records that radius sends.
> Doing it this way links the v6 address more directly to the MAC address,
> while not requiring the host to actually know what it is doing.
> 
> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security
> mechanisms they already have, but I'm not really sure how this should involve
> the client system.
> 
> And...if I was going to upload all the source code, the first thing I'd do is send
> one of these messages saying that I'm either the CEO, or the new hire, and then do it.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email