Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary

"Templin, Fred L" <Fred.L.Templin@boeing.com> Wed, 19 April 2017 13:52 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 097E8127B60; Wed, 19 Apr 2017 06:52:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2dMLieJJJjmX; Wed, 19 Apr 2017 06:52:00 -0700 (PDT)
Received: from phx-mbsout-02.mbs.boeing.net (phx-mbsout-02.mbs.boeing.net [130.76.184.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED9AF127868; Wed, 19 Apr 2017 06:51:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id v3JDpwlZ051862; Wed, 19 Apr 2017 06:51:59 -0700
Received: from XCH15-06-09.nw.nos.boeing.com (xch15-06-09.nw.nos.boeing.com [137.136.239.172]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id v3JDprAH051819 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Wed, 19 Apr 2017 06:51:53 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-09.nw.nos.boeing.com (2002:8988:efac::8988:efac) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 19 Apr 2017 06:51:52 -0700
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1263.000; Wed, 19 Apr 2017 06:51:52 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Lishan Li <lilishan48@gmail.com>
CC: Tomek Mrugalski <tomasz.mrugalski@gmail.com>, dhcwg <dhcwg@ietf.org>, draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
Thread-Topic: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary
Thread-Index: AQHSrj/Om2r5zeyMdU24tzLmWNqPBaHMxxkAgAB4SgD//4s1MA==
Date: Wed, 19 Apr 2017 13:51:52 +0000
Message-ID: <913306d77da44ee48136f4e86e26b433@XCH15-06-08.nw.nos.boeing.com>
References: <e08be0f6-f1b4-4f57-6cdf-ddd546f8b793@gmail.com> <1380758a-b7d0-bb73-bf58-4e318e88a6d0@gmail.com> <257f4b807afa44d5841e7764859f150c@XCH15-06-08.nw.nos.boeing.com> <CAJ3w4NcCwUS2CAk=C6wfz+6vJViTPmevBQgCgiH1obbNxcxfbA@mail.gmail.com>
In-Reply-To: <CAJ3w4NcCwUS2CAk=C6wfz+6vJViTPmevBQgCgiH1obbNxcxfbA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: multipart/alternative; boundary="_000_913306d77da44ee48136f4e86e26b433XCH150608nwnosboeingcom_"
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/UsZh1l-MtHwjKE4Ms9TTrxAjtes>
Subject: Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2017 13:52:02 -0000

Ø  I have considered this problem. Yes, secure DHCPv6 is incompatible with SAVI.

Ø  If secure DHCPv6 is implemented, SAVI cannot work well and have to be updated.

OK, so you knew this but has it been discussed already on the lists or is
this the first time it has come up for discussion? Because this seems like
a rather significant incompatibility to me. And, when you say SAVI has
to be updated, how do you see that happening? Must the encryption keys
held by the client and/or server be shared with the L2 snooping device?

Thanks - Fred


From: Lishan Li [mailto:lilishan48@gmail.com]
Sent: Wednesday, April 19, 2017 6:46 AM
To: Templin, Fred L <Fred.L.Templin@boeing.com>
Cc: Tomek Mrugalski <tomasz.mrugalski@gmail.com>om>; dhcwg <dhcwg@ietf.org>rg>; draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
Subject: Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary

Hi,

I have considered this problem. Yes, secure DHCPv6 is incompatible with SAVI.
If secure DHCPv6 is implemented, SAVI cannot work well and have to be updated.

Best Regards,
Lishan
在 2017年4月19日,下午9:41,Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> 写道:

Hi,

RFC7513 seems to suggest DHCP snooping, i.e., some L2 device on the link from
the DHCP server or relay to the client examines the contents of DHCP messages.
Unfortunately, sedhcpv6 mandates encryption making snooping impossible.

Does it mean that Secure DHCPv6 will be incompatible with SAVI?

Thanks - Fred
fred.l.templin@boeing.com<mailto:fred.l.templin@boeing.com>


-----Original Message-----
From: dhcwg [mailto:dhcwg-bounces@ietf.org<mailto:dhcwg-bounces@ietf.org>] On Behalf Of Tomek Mrugalski
Sent: Wednesday, April 05, 2017 12:07 PM
To: dhcwg <dhcwg@ietf.org<mailto:dhcwg@ietf.org>>
Cc: draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org<mailto:draft-ietf-dhc-sedhcpv6@ietf.org>>
Subject: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary

It took a little bit more than planned, but the extra time gave us a
couple more comments.

We did receive a number of in depth reviews with technical comments. In
general, several people praised the significantly improved quality and
clarity of the document. Nobody said that is opposed to this work. So
from that perspective this last call is a success.

However, both chair and at least one co-author feel that an important
concern has not been addressed yet. There currently are no known
implementations or prototypes of this draft. For a typical DHCP draft
that adds an option or two that would probably be fine, but for this
particular draft it is not. For two reasons: First, we feel that this is
an essential piece of the whole DHCPv6 ecosystem and as such require
much more scrutiny then an average draft. Second, security is a complex
matter and any unclear aspects would gravely damage the
interoperability. Jinmei had put it well: "I suspect the current spec
still has some points that are critically unclear, which you would
immediately notice once you tried to implement it."

Given that, we declare that more effort is needed before this work is
deemed ready for IESG. At the same time, chairs would like to strongly
applaud authors' efforts to improve this work. This version is
significantly better than its predecessors. Thank you for your hard
work. You are doing excellent work. Please continue.

Also, to address the concern of missing implementations, chairs would
like to announce a DHCP hackathon in Prague. Details are TBD, but the
primary goal will be to have at least two independent implementations of
that draft. The hackathon will take place the weekend before IETF
meeting (that's July 15-16). A separate announcement will be sent soon.

That is well over 3 months away. Authors and supporters of this work,
please seriously consider dedicating some of your time implementing
prototypes and attending the hackathon, if you can. If you can't we will
organize some means for participating remotely.

Thank you to the authors and to everyone who commented.

Bernie & Tomek

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org<mailto:dhcwg@ietf.org>
https://www.ietf.org/mailman/listinfo/dhcwg