IETF Logo Mail Archive

Re: [dhcwg] Re: Renumbering DNS with stateless DHCPv6 - bug?

Stig Venaas <Stig.Venaas@uninett.no> Wed, 19 November 2003 00:27 UTC

Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA27539 for <dhcwg-archive@odin.ietf.org>; Tue, 18 Nov 2003 19:27:37 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMGBb-0003sp-N7 for dhcwg-archive@odin.ietf.org; Tue, 18 Nov 2003 19:27:20 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id hAJ0RBgX014921 for dhcwg-archive@odin.ietf.org; Tue, 18 Nov 2003 19:27:11 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMGBb-0003sG-Ji for dhcwg-web-archive@optimus.ietf.org; Tue, 18 Nov 2003 19:27:11 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA27455 for <dhcwg-web-archive@ietf.org>; Tue, 18 Nov 2003 19:26:55 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AMGBW-0003eF-00 for dhcwg-web-archive@ietf.org; Tue, 18 Nov 2003 19:27:06 -0500
Received: from [132.151.1.19] (helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1AMGBV-0003e6-00 for dhcwg-web-archive@ietf.org; Tue, 18 Nov 2003 19:27:06 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMGBS-0003oK-Ly; Tue, 18 Nov 2003 19:27:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ALs9B-0004Yg-So for dhcwg@optimus.ietf.org; Mon, 17 Nov 2003 17:47:06 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA10858 for <dhcwg@ietf.org>; Mon, 17 Nov 2003 17:46:52 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ALs99-0000cT-00 for dhcwg@ietf.org; Mon, 17 Nov 2003 17:47:03 -0500
Received: from tyholt.uninett.no ([158.38.60.10]) by ietf-mx with esmtp (Exim 4.12) id 1ALs98-0000bC-00 for dhcwg@ietf.org; Mon, 17 Nov 2003 17:47:02 -0500
Received: from sverresborg.uninett.no (sverresborg.uninett.no [IPv6:2001:700:e000:0:204:75ff:fee4:423b]) by tyholt.uninett.no (8.12.10/8.12.10) with ESMTP id hAHMkOpI019732; Mon, 17 Nov 2003 23:46:24 +0100
Received: from sverresborg.uninett.no (localhost.localdomain [127.0.0.1]) by sverresborg.uninett.no (8.12.8/8.12.9) with ESMTP id hAHMkOR7004984; Mon, 17 Nov 2003 23:46:24 +0100
Received: (from venaas@localhost) by sverresborg.uninett.no (8.12.8/8.12.8/Submit) id hAHMkNdP004983; Mon, 17 Nov 2003 23:46:23 +0100
X-Authentication-Warning: sverresborg.uninett.no: venaas set sender to Stig.Venaas@uninett.no using -f
Date: Mon, 17 Nov 2003 23:46:23 +0100
From: Stig Venaas <Stig.Venaas@uninett.no>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: Tim Chown <tjc@ecs.soton.ac.uk>, dhcwg@ietf.org
Subject: Re: [dhcwg] Re: Renumbering DNS with stateless DHCPv6 - bug?
Message-ID: <20031117224623.GC4875@sverresborg.uninett.no>
References: <20031113191145.GS3473@login.ecs.soton.ac.uk> <3FB40486.8020608@necom830.hpcl.titech.ac.jp> <20031116113524.GB2256@sverresborg.uninett.no> <3FB8EFCD.9080008@necom830.hpcl.titech.ac.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3FB8EFCD.9080008@necom830.hpcl.titech.ac.jp>
User-Agent: Mutt/1.4.1i
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>

On Tue, Nov 18, 2003 at 12:57:01AM +0900, Masataka Ohta wrote:
> >I suggest for server to send reconfigure to clients via relays.

After some thinking I see that this is much harder than I first
anticipated (like always...). I'm still thinking about it, but
it's not easy.

> >>From server to relay:
> >
> >    If multicast routing available in the site:
> 
> "site" is not a useful concept for autoconfiguration, when
> the "site" is really small, which is, perhaps, the primary
> target case of "stateless", which is why I asked multicast
> over site boundaries.

Yes, I also see cases where it wouldn't work. Unicast to relays
have advantages, also wrt to security. Only issue is that server
will need to know their addresses.

> >	unicast to each relay, server has a list of relays
> 
> is a rational approach for either case.

I may agree. I'm trying to think of good ways to do reconfigure.
For now I think I'll do more thinking of that before I go into
possible solutions. As I said above it seems to be rather complex.

> Of course, the server have a stable storage.
> 
> However, some says "has a list of relays" is a "stateful"
> approach and is no good.

Yes, my feeling too.

> Lack of well definedness of "stateless" is making design and
> discussion very hard.

Yes. I would say that the DHCP server has configuration state,
but no dynamic state. A static list of relays is not ideal, but
might be ok. There are levels of dynamic state too though, it
should be avoided, but I feel the most essential is to not
require state through restarts/reboots. If reconfigure requires
state, it may be better to forget it.

> >Then from relay to client you can always use multicast on link.
> 
> It is unreliable that relays also should have lists of clients
> and stable storages or the server directly take care of the
> clients, in either of which case, unicast is good enough.

Yes, relays should not have lists of clients. I'm not insisting
on multicast in itself, but multicast is the only way I see to
avoid having per client state.

> >Reconfigure messages should be protected due to possible DoS
> >attacks. I didn't consider that at first. I think that can be
> >done using public key crypto. Server has a single key pair.
> >Clients get public key together with the config info, and the
> >reconfigure message is signed with the private key.
> 
> Sorry, public key crypto is computationary expensive that it
> rather amplifies than prevents DoS effect.

Yes, that is a good point.

> With your case, reconfigure messages with bogus signature will
> force clients perform expensive public key crypto computation.

Yes. It can avoid DoS attack on DHCP server (because all clients
do reconfigure), but it puts a big burden on clients. This is a
problem.

> >>W.r.t. inter-link multicast, what multicast protocols is intended
> >>to be used by people in DHC WG?
> 
> >I'm not sure that should be specified. At least as long as it
> >isn't SSM, the DHCP infrastructure is completely independent
> >of which multicast protocols are used, just like other
> >multicast applications.
> 
> I asked not "specified" but "intended".

I can't speak for people's intentions, but I don't expect people
to have given it much thought. I may be wrong. But SSM will not
work with current spec. Current spec allows site multicast to be
used, but doesn't require it. So I would say it's up to the
implementor and administrator.

> >Interesting question. It's relatively easy with standard
> >PIM-SM. You only need to reconfigure the RP address on the
> >routers, and if you use say BSR, you only need to change on
> >the c-BSRs and c-RPs.
> 
> It is more straight forward to change addresses of a DHCP server
> on relayes to be used for unicast relaying. However, a DHCP server
> is a single point of failure.

I don't agree on this. And if you have multicast deployed, you
will make sure that works as well.

> >Discussion on multicast reliability and renumbering could be
> >a good topic for mboned wg. It doesn't belong here.
> 
> I'm afraid it is not an attractive idea to involve yet another
> WG in the thread.

I agree, and I'm removing dnsop from this one. I don't think they
are interested in these details. But if you want to discuss
multicast and renumbering in general, you could if you like
create a new thread on mboned and not mention DHCP. Well, just a
suggestion. My point is that discussions on that problem is
much better in that group. There is more expertise there, and
I'm not sure how interested people are in dhc...

> >For SSM, relays would need to know unicast addresses of DHCP
> >servers, and if you do reconfigure with multicast, you also
> >need servers to know unicast addresses of relays. Then you
> >might as well use unicast.
> 
> Yup. But, is it "stateless"?

Not sure, I would like to avoid it though. It for sure adds
complexity to implementation.

> >>Is a well known unicast address is assigned to a primary and
> >>a back-up CORE/RP/SS, which means ANYCAST.
> 
> >Anycast might be used
> 
> An interesting fact is that there are someone who don't want to
> use "anycast" for DNS servers, because it intermingles DNS and
> routing system. However DNS servers by DHCP with multicast is 
> already eaqually bad. Then, are we having DHCP with multicast
> with anycast CORE/RP/SS?

I'm not too sure about using anycast myself. But if you use
anycast for RP, that's limited to the network. But let's not
discuss how to make multicast reliable here.

> Sure. However, mboned is the worst place to discuss "multicast
> does not work at all".

Well yes, people may not like it (; But there are people there
that think that multicast could be improved. And I'm not sure
renumbering has been given much thought.

> My intention here is to demonstrate that, with multicast, routing
> and DHCP are intermingled.

I would say that multicast and routing is in the network, while
DHCP is an application making use of multicast and routing.

DHCP may use site-scoped multicast if available, but it's not
required. However link-local multicast is required for IPv6 in
general, also DHCP.

Stig

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email