IETF Logo Mail Archive

Re: [dhcwg] Is there scope to address real world issues in RFC8415bis?

Bernie Volz <bevolz@gmail.com> Mon, 03 July 2023 19:25 UTC

Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3AEEC151084 for <dhcwg@ietfa.amsl.com>; Mon, 3 Jul 2023 12:25:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.202
X-Spam-Level:
X-Spam-Status: No, score=-6.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vO3YoLLSx0dj for <dhcwg@ietfa.amsl.com>; Mon, 3 Jul 2023 12:25:09 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B7CCC151534 for <dhcwg@ietf.org>; Mon, 3 Jul 2023 12:25:09 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id d75a77b69052e-403429b33f5so18693251cf.3 for <dhcwg@ietf.org>; Mon, 03 Jul 2023 12:25:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688412307; x=1691004307; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=u6+YQnnT2FfCU0nQgekJU3cLGKP4QQwhIpmrbVFwBkQ=; b=H/9Y8SnA3R0YOCNr89LEmoxFXdsg0pObv0DgrWuxjY3o3yCbrH3epLJX0rxARDp5+V MnlpQZvkraAl74gVAKy+lqHjzXFhc4G/AVlKm3v0lvu8Cg/Dn+ZfoxAoVjXOTBvbsdCL ga8hiaVoipvcxyV4v4p6iR9nS71SzKvBF7kX+q4+7sUcfDVBNrGKxj2knBL8bt+UHv1V HD8dnplSutvQiGAPa4U6mYDm2YHtMffvqg+gP2q1NeZ4DhwqsSIcO2/+E0VQdkVT+qJR NH2J972rbtNhHA17bfBD8xzY79wZoCWPMja4ONh9S76QdR4yWDQArp9sKJiF3PxlWUgG xBaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688412307; x=1691004307; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=u6+YQnnT2FfCU0nQgekJU3cLGKP4QQwhIpmrbVFwBkQ=; b=chQHMYH57sWh7PsD7JN2HKgKTs9qumH76u7u9byMKZBPYK1ELIy34pCOgAIMfWnegh aRQJY+Hr7cUQetK8fjHjz06+fyDb7OgIZOrSi65BUidPSBJ5DHxepelStjRoLnFjJ0yZ K3bGLTQRQykmziBOY2nzCVHaiEzCV3GBMJrXP9pHSEd3cxr6Dd0OTDa++1VgLzFsXfJZ CsiAcwehcgqZV3XpqZPCP8mh11xZurSWlz7xwAuCFyVosl3oXHTUGeCZ4N/PV7tqylgd OHUHfR+VKWaFR4/2r/4aGBJ6GP1qXc2GtoHlGCW5GnqbYygW+TA8sZ8DDhXgJOtDclrB RysQ==
X-Gm-Message-State: AC+VfDxyQdrJhhxg3dzzYQ9sd86OHSGrNEiHpibshdz9WGqjwW3knY4b 1cN+NJh4z/SYvyE0KvdBpO+lPinwYg==
X-Google-Smtp-Source: ACHHUZ79icf7zER/Ux1w5ImRoVzGrZhM7VHbBbjgYg0pmABf1RaEMkZwzlUsTsztEzkTok8VrMT95w==
X-Received: by 2002:ac8:5e12:0:b0:400:2195:c1 with SMTP id h18-20020ac85e12000000b00400219500c1mr11414812qtx.55.1688412307412; Mon, 03 Jul 2023 12:25:07 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id 17-20020ac856f1000000b004035b79860dsm1733785qtu.81.2023.07.03.12.25.06 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 03 Jul 2023 12:25:06 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-2FC15722-97DF-479A-8AC6-FC2F58614BA1"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 03 Jul 2023 15:24:55 -0400
Message-Id: <109D87DF-34AE-44BD-A821-71B5B1FFACA7@gmail.com>
References: <6D53654F-E67F-44A6-B959-158F58CDF5A1@deployingradius.com>
Cc: Ole Trøan <otroan=40employees.org@dmarc.ietf.org>, Arran Cudbard-Bell <a.cudbardb=40freeradius.org@dmarc.ietf.org>, dhcwg@ietf.org
In-Reply-To: <6D53654F-E67F-44A6-B959-158F58CDF5A1@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Mailer: iPad Mail (20F75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/VPiWmKY_dUGYkBpajJuk21Nlvcc>
X-Mailman-Approved-At: Mon, 03 Jul 2023 12:26:59 -0700
Subject: Re: [dhcwg] Is there scope to address real world issues in RFC8415bis?
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2023 19:25:14 -0000

The DHCPv6 protocol is a tool. How you or someone else choses to deploy that tool is up to you. There are always tradeoffs in any design … especially in cases where there is a lot of state stored in many different entities (clients, relays or other middleboxes, servers) as that’s always difficult to keep in sync (especially with loosely coupled devices such as those that DHCPv6 usually deals with).

Again, operational advice and documenting tradeoffs can be extremely useful but belongs in a document seperate from the core protocol specification.

Lots of very talented people worked on encryption designs for DHCPv6 but sadly nothing came of it as it is a very difficult problem. In some network architectures it might be less of a problem than others, but no one could come up with a design that would work reasonably well. It’s very easy to say oh let’s encrypt but not so easy when you have to actually design the mechanism.

See for example (in no particular order):
And, I think there was one other document.

The point was that the packets are completely unauthenticated.  The subscriber can share the Client Identifier with others.  At which point the lease is assigned to the wrong subscriber, or to the wrong place in the network.

Yes, this is indeed a problem in several SP technologies and some have used techniques to minimize or at least detect this. As using an alternative client id has other issues, often a technique to validate the “place in the network” is useful. But again, this is a deployment issue and not really a core protocol issue.

- Bernie (from iPad)

On Jul 3, 2023, at 2:56 PM, Alan DeKok <aland@deployingradius.com> wrote:

On Jul 1, 2023, at 6:35 AM, Ole Trøan <otroan=40employees.org@dmarc.ietf.org> wrote:
IPv6 is designed with some level of address stability in mind. The leased prefix should be tied to the subscriber, not to some entity that changes based on dynamic events in the network.

 The point was that the packets are completely unauthenticated.  The subscriber can share the Client Identifier with others.  At which point the lease is assigned to the wrong subscriber, or to the wrong place in the network.

 ISPs can increase the security of the system by tying subscribers to equipment under the control of the ISP.   e.g. the gateways in between the subscriber and the DHCPv6 server.  This allows an ISP to tie a particular subscriber to a particular "path" through the network.

The only option for the subscribers to protect themselves against ISPs “flash” renumbering customers this way would be to use NPT66 or NAT.

 What about ISPs protecting themselves against subscribers?

As the IETF we have a few options here.
a) not support this in protocols and standards to hope that is enough to discourage this practice
b) Add support for complete ephemeral addressing in ipv6
c) hack and duct tape something so it works for end users that are prohibited from running services in their network.

 Some responses;

For (a), it would be good to have the specifications document how the protocols work, and have at least a paragraph or two about design goals, and recommended operational practices or pitfalls

For (b) and (c), I don't think this is what's being asked for here.

Equipment vendors do things which are apparently against the design principles of DHCPv6.  Since RFC 8415 says nothing on these topics, the only conclusion is that those design principles are incorrect, and that the specification is correct.  As such, this behavior by vendors both follows the specification, and is permitted by it.

 Alan DeKok.

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email