Re: [dhcwg] [Int-dir] Review of draft-ietf-dhc-relay-server-security-02

"Yogendra Pal (yogpal)" <yogpal@cisco.com> Tue, 31 January 2017 18:38 UTC

Return-Path: <yogpal@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D75F129546; Tue, 31 Jan 2017 10:38:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level:
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rv8Ur1j_I1GZ; Tue, 31 Jan 2017 10:38:24 -0800 (PST)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61EA4129447; Tue, 31 Jan 2017 10:38:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19278; q=dns/txt; s=iport; t=1485887904; x=1487097504; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=vDqkMJwgR7RLr1gSCZpM4t/oHk4ZdhnESvmJZAh+vYo=; b=WdaPy99lDqcJj5Bd/w8ZvKN4cxLd6U6pMZmunrfZsCOigYGajswXOSRz TvxNVj0DirXxgkoK8bcwe01WKtvxr14DvwzOppnkL61gBKfFhXjccCecl NuJ6SMnKvW+mUAmFJhBx49SdrRwdV5d8het/d10Se/1tQqeppZl5EAl0p I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ATAQAl2ZBY/4gNJK1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgm85K2GBCQeNWJIHiAqNKYINhiICgjU/GAECAQEBAQEBAWIohGk?= =?us-ascii?q?BAQEELUwQAgEIEQMBAQEoByERFAkIAgQBDQWJVgMVrlmHPQ2DaAEBAQEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBAQEBAR2GS4RvglGBZTYWhS8Fj3SLKzgBjWmEFIF5jn+FZoJAggG?= =?us-ascii?q?IVwEfOIFLFTuGOXWHHoEMAQEB?=
X-IronPort-AV: E=Sophos;i="5.33,315,1477958400"; d="scan'208,217";a="200972974"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 31 Jan 2017 18:38:22 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id v0VIcMlv003752 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 31 Jan 2017 18:38:22 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 31 Jan 2017 12:38:22 -0600
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1210.000; Tue, 31 Jan 2017 12:38:21 -0600
From: "Yogendra Pal (yogpal)" <yogpal@cisco.com>
To: "Bernie Volz (volz)" <volz@cisco.com>, Ted Lemon <mellon@fugue.com>, "jouni.nospam" <jouni.nospam@gmail.com>
Thread-Topic: [dhcwg] [Int-dir] Review of draft-ietf-dhc-relay-server-security-02
Thread-Index: AQHSd5+82dShQp2gUEerASIUIPJreqFK8haAgAA2QQCAAFA2gIAAAyOAgAAGBgCAAAf2AIABoSWAgAASNACABMZQAIAACZmAgAAEFICAAZjVgA==
Date: Tue, 31 Jan 2017 18:38:21 +0000
Message-ID: <D4B6CD12.21668%yogpal@cisco.com>
References: <148541310715.6205.3276873953603821357.idtracker@ietfa.amsl.com> <ff898bc0-81ce-7598-c3f3-2e114d30df30@gmail.com> <e996599692ff4584b8ace30a36ea6881@XCH-ALN-003.cisco.com> <B3CE8C9D-C20C-4FAB-9054-0F09B2B87F63@gmail.com> <C099032E-F538-43AD-970F-F71A1A9E15D8@fugue.com> <367DE531-AF9C-40A3-8B1F-5F595D804023@gmail.com> <519FB5EF-52B0-4DEA-B670-2D2593C3FB66@fugue.com> <6DA7EAEF-C226-43E2-800A-9C3CB7F9FB6D@gmail.com> <3C1097F9-0F7A-4349-93E7-3A27BBDF1749@fugue.com> <24F2F434-05FE-4E71-A75E-55DF632EA1D8@gmail.com> <18BE1906-43BB-4505-A584-7A6F034852E3@fugue.com> <3c6cc9adffe14172954e69195f05c5dd@XCH-ALN-003.cisco.com>
In-Reply-To: <3c6cc9adffe14172954e69195f05c5dd@XCH-ALN-003.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.42.134]
Content-Type: multipart/alternative; boundary="_000_D4B6CD1221668yogpalciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/QAWOleFFdhxYZ_bVRewEB2TRh88>
Cc: "ietf@ietf.org" <ietf@ietf.org>, "int-dir@ietf.org" <int-dir@ietf.org>, Jouni Korhonen <jounikor@gmail.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>, "draft-ietf-dhc-relay-server-security.all@ietf.org" <draft-ietf-dhc-relay-server-security.all@ietf.org>
Subject: Re: [dhcwg] [Int-dir] Review of draft-ietf-dhc-relay-server-security-02
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2017 18:38:27 -0000

With full due respect of conversation, I see Bernie's point, towards flexibility. For e.g: We see two operators primary wherein, device operator would like to have base RFC3315 supported for n/w and security operator asking for security in n/w via RFC9999.

Regards, Yogendra Pal
From: "Bernie Volz (volz)" <volz@cisco.com<mailto:volz@cisco.com>>
Date: Tuesday, 31 January 2017 4:38 am
To: Ted Lemon <mellon@fugue.com<mailto:mellon@fugue.com>>, "jouni.nospam" <jouni.nospam@gmail.com<mailto:jouni.nospam@gmail.com>>
Cc: Tomek Mrugalski <tomasz.mrugalski@gmail.com<mailto:tomasz.mrugalski@gmail.com>>, "dhcwg@ietf.org<mailto:dhcwg@ietf.org>" <dhcwg@ietf.org<mailto:dhcwg@ietf.org>>, "draft-ietf-dhc-relay-server-security.all@ietf.org<mailto:draft-ietf-dhc-relay-server-security.all@ietf.org>" <draft-ietf-dhc-relay-server-security.all@ietf.org<mailto:draft-ietf-dhc-relay-server-security.all@ietf.org>>, "ietf@ietf.org<mailto:ietf@ietf.org>" <ietf@ietf.org<mailto:ietf@ietf.org>>, Jouni Korhonen <jounikor@gmail.com<mailto:jounikor@gmail.com>>, "int-dir@ietf.org<mailto:int-dir@ietf.org>" <int-dir@ietf.org<mailto:int-dir@ietf.org>>
Subject: RE: [dhcwg] [Int-dir] Review of draft-ietf-dhc-relay-server-security-02
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: <volz@cisco.com<mailto:volz@cisco.com>>, Yogendra Pal <yogpal@cisco.com<mailto:yogpal@cisco.com>>, <tomasz.mrugalski@gmail.com<mailto:tomasz.mrugalski@gmail.com>>, <suresh.krishnan@ericsson.com<mailto:suresh.krishnan@ericsson.com>>, <terry.manderson@icann.org<mailto:terry.manderson@icann.org>>, Tomek Mrugalski <tomasz.mrugalski@gmail.com<mailto:tomasz.mrugalski@gmail.com>>
Resent-Date: Tuesday, 31 January 2017 4:39 am

Hi:

Let's take the 3315bis out of the discussion as we don't yet know when that will be available and we'd like to progress on this draft sooner than that (as it is shorter and easier to do). We can get back to it later, but let's focus first on today's issue with is the document with RFC 3315.

So if this is released as RFC9999, the only way you as someone looking for relay or server implementations (or both) could know that this is supported is by asking the supplier whether they support RFC3315 and RFC9999. RFC9999 does not have up update 3315. This is just like many of the other DHCP RFCs which extend the functionality - Leasequery, bulk Leasequery, active Leasequery, and the many options documents. If you want certain features and they are in other documents, you have to specify the complete list.

Saying it updates RFC3315 doesn't help since there are plenty of existing implementations that don't support IPsec.



Back to RFC 3315 bis (draft-ietf-dhc-rfc3315bis), that is still a work in progress. Our plans to date are that we'll incorporate all of the changes of draft-ietf-dhc-relay-server-security but leave it OPTIONAL to implement IPsec. This means that once draft-ietf-dhc-rfc3315bis is published as an RFC, those that want IPsec will have to check that the implementation supports both the bis RFC and RFC9999 (or whatever number). But that's the same that someone wanting Leasequery must do - they'll need to check that the bis RFC and RFC5007 are supported.

The draft-ietf-dhc-rfc3315bis and/or draft-ietf-dhc-relay-server-security authors can always raise it to the DHC WG to see if there is sufficient consensus to make IPsec a MUST in the bis document. But there hasn't been in the past.


-          Bernie

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Monday, January 30, 2017 5:54 PM
To: jouni.nospam <jouni.nospam@gmail.com<mailto:jouni.nospam@gmail.com>>
Cc: Bernie Volz (volz) <volz@cisco.com<mailto:volz@cisco.com>>; Tomek Mrugalski <tomasz.mrugalski@gmail.com<mailto:tomasz.mrugalski@gmail.com>>; dhcwg@ietf.org<mailto:dhcwg@ietf.org>; draft-ietf-dhc-relay-server-security.all@ietf.org<mailto:draft-ietf-dhc-relay-server-security.all@ietf.org>; ietf@ietf.org<mailto:ietf@ietf.org>; Jouni Korhonen <jounikor@gmail.com<mailto:jounikor@gmail.com>>; int-dir@ietf.org<mailto:int-dir@ietf.org>
Subject: Re: [dhcwg] [Int-dir] Review of draft-ietf-dhc-relay-server-security-02

On Jan 30, 2017, at 5:20 PM, jouni.nospam <jouni.nospam@gmail.com<mailto:jouni.nospam@gmail.com>> wrote:
Now if I decide to implement rfc3315bis *with* security, follow all musts in Section 20.1, and listed "updates" in the header, I have still no guarantee whether I can interoperate with another rfc3315bis implementation because it decided to follow relay-server-security. That is not good.

Thanks.   This is the clarification I was looking for.