IETF Logo Mail Archive

Re: [dhcwg] Adoption Call for draft-wkumari-dhc-addr-notification-07- Respond by April, 20 2023

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 08 April 2023 19:03 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE88CC14CEFE for <dhcwg@ietfa.amsl.com>; Sat, 8 Apr 2023 12:03:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RlHnj_28Ws1t for <dhcwg@ietfa.amsl.com>; Sat, 8 Apr 2023 12:03:07 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE241C14CEED for <dhcwg@ietf.org>; Sat, 8 Apr 2023 12:03:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id F1C3F3898C; Sat, 8 Apr 2023 15:19:52 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Y9IEntvKJjJs; Sat, 8 Apr 2023 15:19:49 -0400 (EDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:1c14:eaff:fec3:b3c7]) by tuna.sandelman.ca (Postfix) with ESMTP id 163A13898B; Sat, 8 Apr 2023 15:19:49 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1680981589; bh=bz+R/hImyZsgfJ/KRr9/y5/xJZIdYHVy+fktyPc1C2Y=; h=From:To:Subject:In-Reply-To:References:Date:From; b=GW3BRfAIVqk4tu6x1VD5g708RpBRDYyM5pqbTvHoZlRDx87fHdFlbQp5pWBBCVHZ9 JdNCecbDnyiIklshgRNc+xfE+TEroToFaXBBlll1TWuzcOix9idR6RJFc6ixDz7RfO 3x6s1xW3pD9jm29vNexiQcZ71Jey9vET1GOIIylGcXqKvpKW7LIdeJg1yjKHCe/fg6 tnMHWtxT7NLaHxMYHw8jsPSC5ljNuFsYKSIoIfCVufLxCdy8ZzMcpwtS0FCXyCSEMl zl7NLR7sw3dyMnxuP22j+/x6VfddXxZLqolv17/4SjrcfdNc6jUoNgO70LGocVu5zm aQipz95m+XKkQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 93254668; Sat, 8 Apr 2023 15:03:00 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Jen Linkova <furry13@gmail.com>, dhcwg <dhcwg@ietf.org>
In-Reply-To: <CAFU7BARWZSY8ORz-_iXYxgU4JKnzC5NVEUG6DZHXByhqpJiX_w@mail.gmail.com>
References: <CAJgLMKsH9ZqXjwDbYo4izUiOM27tuH_gk_rZPW8H52BawQ48mg@mail.gmail.com> <5948.1680883536@localhost> <CAFU7BARWZSY8ORz-_iXYxgU4JKnzC5NVEUG6DZHXByhqpJiX_w@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 08 Apr 2023 15:03:00 -0400
Message-ID: <14663.1680980580@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/VvP6Q483wooUegMif2uCSBpHV8c>
Subject: Re: [dhcwg] Adoption Call for draft-wkumari-dhc-addr-notification-07- Respond by April, 20 2023
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Apr 2023 19:03:13 -0000

TL;DR> let's go ahead with the document.

Jen Linkova <furry13@gmail.com> wrote:
    >> It seems that this will be in conflict with
    >> draft-collink-v6ops-ent64pd, should it be adopted.

    > I'm not sure it's the case, actually.  Let's say my DHCP server knows
    > that clients on the link A should be delegated the prefixes from
    > 2001:db8:a::/48.  Then if it receives ADDR-REG-INFORM from link A for
    > an address in 2001:db8:a::/48, it shall be considered "appropriate for
    > the link".  Or am I missing smth?

So 2001:db8:a::/64 is the "LAN" onlink.
And host 2001:db8:a::1234 has done a DHCP-PD and been delegated 2001:db8:a:0001::/64.
It now sends a registration for 2001:db8:a:0001::babe/128.
Does it send that from 2001:db8:a:0001::babe or from 2001:db8:a::1234?

I prefer that it sends it from ::babe.
I prefer that we don't try to associate the delegated /64 with the address
that asked for it... because... a) the requesting address might change due to
reasons (privacy, etc.)   b) OSPF might move the prefix around a bit.

    >> The Security Considerations relating to the AUTH option
    >> are... insufficient.  I wish we'd removed it from 8415.

    > So would you prefer if we do not mention it, or..?

DHC AUTH was unfortunately undeployable in symmetric form, and the assymetric
form (RSA signatures) was still born.  Twenty years ago, we actually tried to
use it:
  https://web.archive.org/web/20020719073631/http://www.wavesec.org/

I could probably dig out the diagrams.

    >> Does the packet need to originate from the IP address which is being
    >> registered?

    > This is to prevent spoofing: the host would need "own" the address, if
    > the infrastructure supports SAVI.

So, the answer is yes, it must originate from the IP address which is being registered?

    >> Can a host include RFC4704 (Client FQDN) in the same packet to have
    >> the reverse DNS updated?

    > Section 4 already says that: "Clients MAY include other options, such
    > as the Client FQDN Option [RFC4704]."

Ah, I missed that.

    >> There is some subtle (emotional?) connection to RFC8505, which I'll
    >> try to resolve in my mind.

    > I haven' read that one, adding to my reading list. Do you think there
    > are any conflicts between two documents?  Thanks!

There are no conflicts, but there might be something to learn, and I'm
thinking about that.

Lorenzo Colitti <lorenzo@google.com> wrote:
    > What's your concern with that specifically? FWIW, we have heard from
    > large Android deployments that simply take the FQDN option in the
    > DHCPv4 request and put the contents in their internal DNS zones. So
    > basically any host that can get on the link and send a DHCP request
    > will be able to populate an arbitrary name in DNS. This doesn't seem
    > that different.

It's not really different at all.

The zone that the DHCPv4 went into was likely an internal (RFC1918) zone, so
has fewer privacy implications.  A smart operator could put entries it into
an ip6.arpa zone with that has limits on whom may query it.
Some interesting ACLs and (and CNAMEs) one could have externally visible and
invisible names.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email