Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay-supplied-options-02.txt
"Bernie Volz (volz)" <volz@cisco.com> Tue, 05 October 2010 04:22 UTC
Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D50F43A6BAD for <dhcwg@core3.amsl.com>; Mon, 4 Oct 2010 21:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.341
X-Spam-Level:
X-Spam-Status: No, score=-10.341 tagged_above=-999 required=5 tests=[AWL=0.258, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NzcBtOb1xVKc for <dhcwg@core3.amsl.com>; Mon, 4 Oct 2010 21:22:16 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id 33F613A6A76 for <dhcwg@ietf.org>; Mon, 4 Oct 2010 21:22:16 -0700 (PDT)
Authentication-Results: rtp-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIpEqkytJV2c/2dsb2JhbACiQXGqfZw9hUcEhFGIdw
X-IronPort-AV: E=Sophos;i="4.57,282,1283731200"; d="scan'208";a="167079220"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rtp-iport-2.cisco.com with ESMTP; 05 Oct 2010 04:23:12 +0000
Received: from xbh-rcd-202.cisco.com (xbh-rcd-202.cisco.com [72.163.62.201]) by rcdn-core-5.cisco.com (8.14.3/8.14.3) with ESMTP id o954NCwC018638; Tue, 5 Oct 2010 04:23:12 GMT
Received: from xmb-rcd-101.cisco.com ([72.163.62.143]) by xbh-rcd-202.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 4 Oct 2010 23:23:11 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 04 Oct 2010 23:23:06 -0500
Message-ID: <D9B5773329187548A0189ED6503667890437918F@XMB-RCD-101.cisco.com>
In-Reply-To: <B127EC9D-3B95-4968-9845-61FF737B06DD@nominum.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay-supplied-options-02.txt
Thread-Index: Actj8NBPWTb2EqlyQhyS5MANMSe5hwAUh8Hw
References: <20100929093005.0814B3A6B00@core3.amsl.com><061901cb5fba$932f56a0$4f548a0a@china.huawei.com> <8AEF2484-72DE-4F42-A62F-C5386956E894@incognito.com> <D9B5773329187548A0189ED6503667890423B366@XMB-RCD-101.cisco.com> <A98C67B7-C343-44A6-B2E2-EED424131176@nominum.com> <D9B5773329187548A0189ED65036678904378A6D@XMB-RCD-101.cisco.com> <AA8FDE81-025E-4BC6-8555-4F81259DCB7D@nominum.com> <D9B5773329187548A0189ED65036678904378AE9@XMB-RCD-101.cisco.com> <C2EAB35E-1F0F-47C4-A9D6-EC4299D8A1FC@nominum.com> <D9B5773329187548A0189ED65036678904378B12@XMB-RCD-101.cisco.com> <B127EC9D-3B95-4968-9845-61FF737B06DD@nominum.com>
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
X-OriginalArrivalTime: 05 Oct 2010 04:23:11.0999 (UTC) FILETIME=[059E90F0:01CB6445]
Cc: dhcwg@ietf.org, Andre Kostur <akostur@incognito.com>
Subject: Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay-supplied-options-02.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 04:22:17 -0000
OK ... I would like to see (though it is your call as to whether I will as they wording may be tricky): 1. Improved description of the usage model for options that could be considered RSOO options. The abstract, introduction and protocol summary could be clearer that RSOO options should only be used for cases where the relay has acquired information that needs to be delivered to the client that the server would otherwise not be able to know. It is not a mechanism for the relay to provide configuration that the server would normally be configured with. 2. Please work in some text to be very clear that existing options are all RSOO-disabled. It wasn't that clear to me that this was the case (though I do fully agree that as the document says "Unless specifically called out as an RSOO-enabled option, no DHCP option should appear in an RSOO." I think requesting an IANA registry for these is also a good idea as it assures that there is one place we can go to see what the list of RSOO-enabled options are, rather than having to look through various RFCs? If IANA is unwilling to do this, then we can take it out. - Bernie -----Original Message----- From: Ted Lemon [mailto:Ted.Lemon@nominum.com] Sent: Monday, October 04, 2010 2:20 PM To: Bernie Volz (volz) Cc: Andre Kostur; Qin Wu; dhcwg@ietf.org Subject: Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay-supplied-options-02.txt On Oct 1, 2010, at 4:39 PM, Bernie Volz (volz) wrote: > I could easily see some of the options where a relay might be configured > with local policy that it wants to override ... for example, if I want > to use a specific domain search list or a set of (internal) DNS servers, > these seem like valid uses of this capability? Essentially what you are saying is that it might be worthwhile in some cases to configure the DHCP server by storing configuration on individual routers toward the edge of the network. By comparison, the application we have in mind is for a situation where the router has acquired information about the client during the layer two authentication/authorization process that it wants to share with the client. This mechanism provides a communications path to the client that solves the problem nicely. So it's really quite a different situation. Does what you are talking about make sense? I guess so--I can see how you might run a network that way. But it's a very different application. And nobody does it that way now, nor does anybody expect to. Furthermore, we haven't thought through the security implications, and I think they are significant. It's because of the security implications that I want to keep this draft as small and targeted as possible. The mere *possibility* that this might be useful in the case you describe is not (IMHO) a good enough reason to open such a large attack surface. If you have a real use case, that's a different thing, but you haven't given us any indication that you do. > So you'd have to get the DHCP administrator to unconfigure these items > for the networks serviced by the relay. Camel. Tent. Nose. The extra opening up of attack surface that you're suggesting is precisely why I don't want us to do this. In order for this to be useful in the way you are proposing, I think it necessarily has to have relay agent authentication. > If this is just about the EAP stuff, why not have an EAP specific Relay > Option that communicates this rather than a very general purpose > mechanism?? Avoids a lot of these issues and questions? The reason for having a generic mechanism is that there's another draft that's actually in the IETF publication queue that also depends on this sort of functionality, and that indeed defined a one-off solution. Each such one-off solution requires special-case code in the DHCP server. Hence, it makes sense to define a general mechanism for solving problems of this kind. > BTW: The above text from the draft brings up an old issue ... if relay > chaining is in use, and multiple relays in the chain include RSOO, what > is the default order for processing these multiple RSOOs (a DHCP server > could always allow for policy to override). This was never clarified > with respect to the link-address field in the Relay-Forw's in 3315 > (though there likely closest relay to the client out makes sense because > the link-address closest to the client is likely the correct one). Yeah, I added a bunch of text for this to the relay encapsulation for DHCPv4 draft. I haven't reread RFC3315 to see how it compares. > As a nit, if you stick with the general purpose option, the use of > "suboptions" is a bit confusing in 3. Encoding. I'd recommend you follow > the convention in RFC 3315 (such as 22.4 and 22.5) and use > "RSOO-options" instead of "suboptions". Good point, thanks!
- [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-relay-su… Internet-Drafts
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Qin Wu
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Andre Kostur
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Ted Lemon
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Andre Kostur
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Ted Lemon
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Andre Kostur
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Qin Wu
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Ted Lemon
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Bernie Volz (volz)
- Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpv6-rela… Ted Lemon
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Bernie Volz (volz)
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Ted Lemon
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Bernie Volz (volz)
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Ted Lemon
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Bernie Volz (volz)
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Ted Lemon
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Bernie Volz (volz)
- Re: [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay… Ted Lemon
- [dhcwg] I-DAction:draft-ietf-dhc-dhcpv6-relay-sup… Ted Lemon