Re: [dhcwg] recommendation on DHCP6 source port numbers

Mark Smith <markzzzsmith@gmail.com> Wed, 28 February 2024 08:13 UTC

References: <20240226.150017.738223219320498350.tsahara@iij.ad.jp> <57DFF11C-CA3B-4528-A318-F0A01E82AC80@gmail.com> <CD90C58C-76E1-40D6-8489-5011D840FC7E@employees.org>
In-Reply-To: <CD90C58C-76E1-40D6-8489-5011D840FC7E@employees.org>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 28 Feb 2024 19:13:37 +1100
Message-ID: <CAO42Z2xQEAio9DL7c-3yVd_9HsM2RH7eRGMe72T2mFGzEM-uvw@mail.gmail.com>
To: Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: Bernie Volz <bevolz@gmail.com>, Tomoyuki Sahara <tsahara=40iij.ad.jp@dmarc.ietf.org>, dhcwg <dhcwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/W5VZMH4YkA8vYM-wv2Zh2tc5ETs>
Subject: Re: [dhcwg] recommendation on DHCP6 source port numbers
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>

On Wed, 28 Feb 2024, 18:47 Ole Troan, <otroan=40employees.org@dmarc.ietf.org> wrote:

> Bernie,
>
> > No. Normal UDP communication rules apply. A client sends traffic to a
> well-known destination port and it is free to select whatever port number
> it likes as the source port. The server’s response is sent from that well
> known port (as source port) and sent to the client’s selected port (as
> destination port). This is normal communication and dhcpv6 follows it. That
> is why nothing is said or needs to be said about the client source port.
>
> I’m with Tomoyuki here.
>
> "
> 7.2. UDP Ports
>
> Clients listen for DHCP messages on UDP port 546. Servers and relay
> agents listen for DHCP messages on UDP port 547.
>
> "
>
> Just checked my little scapy based DHCPv6 server and I do:
>
>     from scapy.all import (Ether, IPv6, UDP, DHCP6_Reply, DHCP6OptServerId,
>                            DHCP6OptClientId, DHCP6OptIA_NA, DHCP6OptIAAddress)
>
>     # self.interface_info, self.duid, self.preflft, self.validlft, request, trid,
>     # clientduid, t1, t2 and ipv6 are set by the surrounding server code (not shown).
>     # Reply goes from the server port 547 to the fixed client port 546, whatever
>     # source port the client used.
>     reply = (Ether(src=self.interface_info.mac, dst=request[Ether].src) /
>              IPv6(src=self.interface_info.ip6ll, dst=request[IPv6].src) /
>              UDP(sport=547, dport=546) /
>              DHCP6_Reply(trid=trid) /
>              DHCP6OptServerId(duid=self.duid) /
>              DHCP6OptClientId(duid=clientduid) /
>              DHCP6OptIA_NA(iaid=request[DHCP6OptIA_NA].iaid, T1=t1, T2=t2,
>                            ianaopts=DHCP6OptIAAddress(addr=ipv6,
>                                                       preflft=self.preflft,
>                                                       validlft=self.validlft)))
>
>
> I couldn't find any text supporting your position, Bernie.


RFC 8085/BCP 145 on UDP usage guidelines recommends randomised source ports
to protect against off-path data injection.

Regards,
Mark.


> Although I would be fine if that was also the outcome.
> As another implementor I cannot figure out what the correct behaviour is
> from the RFC.
>
> Cheers,
> Ole
>
>
>
> > - Bernie Volz
> >
> >> On Feb 26, 2024, at 1:00 AM, Tomoyuki Sahara <tsahara=40iij.ad.jp@dmarc.ietf.org> wrote:
> >>
> >> Hi, DHC wg members:
> >>
> >> Can we make recommendations on source port numbers of DHCP6 messages
> >> in rfc8415bis?
> >>
> >> DHCP6 specification says that DHCP6 clients and servers listen on UDP
> >> port 546 and 547 respectively, in RFC8415 section 7.2.  It implies
> >> that DHCP6 clients MUST send messages to UDP port 547 (server port) and
> >> servers MUST send messages to UDP port 546 (client port) to work with
> >> their counterpart correctly (though restrictions can be relaxed with
> >> RFC8357 for relays).
> >>
> >> But it says nothing about source port numbers.  Without any
> >> restrictions, some implementations use ephemeral source port
> >> (e.g. 12345) to send their messages.  DHCP6 conversations look like:
> >>
> >> 1. client sends Solicit    fe80::2#49876    -> ff02::1:2#547
> >> 2. server sends Advertise  fe80::1#547      -> fe80::2#546 (!)
> >> 3. client sends Request    fe80::2#49877(?) -> ff02::1:2#547
> >> 4. server sends Confirm    fe80::1#547      -> fe80::2#546
> >>
> >> This behavior is not prohibited by the specification but causes
> >> confusion for DHCP6 implementers and network/firewall operators (*1).
> >> Most Internet protocols nowadays assume that servers send response
> >> messages from the port number they received on.
> >> (*1 e.g. https://bugzilla.redhat.com/show_bug.cgi?id=952126 )
> >>
> >> In my humble opinion, it is too late to require that DHCP6 clients and
> >> servers MUST send messages from the fixed port numbers (546/547) because
> >> there are too many DHCP6 implementations in the wild.  But making a
> >> recommendation is helpful for new implementations/deployments of DHCP6.
> >>
> >> An idea to make such recommendation is adding a text in rfc8415bis:
> >>
> >> OLD:
> >>   7.2. UDP Ports
> >>     Clients listen for DHCP messages on UDP port 546.  Servers and
> >>     relay agents listen for DHCP messages on UDP port 547.
> >>
> >> NEW:
> >>   7.2. UDP Ports
> >>     Clients listen for DHCP messages on UDP port 546.  Servers and
> >>     relay agents listen for DHCP messages on UDP port 547.
> >>
> >>     Clients are RECOMMENDED to send DHCP messages from UDP port 546.
> >>     Servers and relay agents are RECOMMENDED to send DHCP messages
> >>     from UDP port 547 (unless the relay agent includes the Relay Source
> >>     Port Option for DHCP6 [RFC8357]).
> >>
> >> I know WGLC has been concluded but I believe the recommendations above
> >> encourage new implementations to use the standard DHCP6 port numbers
> >> on UDP source port.
> >>
> >>
> >> Best regards,
> >> Tomoyuki Sahara
> >>
> >>
> >> _______________________________________________
> >> dhcwg mailing list
> >> dhcwg@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dhcwg
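The following is an added example, not code from this thread or from any DHCPv6 implementation mentioned in it. It models in plain Python the two things the thread is circling: the Solicit/Advertise round trip from Tomoyuki's trace, where a server answers to port 546 even though the client sent from an ephemeral port, and the off-path injection concern behind Mark's RFC 8085 reference, by counting what a blind forger has to guess when the client source port is the fixed 546 versus a randomised ephemeral port. Assumptions, all mine: the DUIDs, transaction IDs and ports are constructed for the example; the client accepts a server message only on the port it sent its request from (without that rule a random source port buys no off-path protection, since a client that also accepts on 546 can simply be hit there); the forger already knows the client's DUID and has to guess only the 24-bit transaction-id and, when the port is randomised, which of the 16384 IANA dynamic ports the client picked. The message checks are those of RFC 8415 section 16: message type, transaction-id, Server Identifier present, Client Identifier present and equal to the client's own.

```python
import itertools
import struct

# RFC 8415 message types and option codes used in this example
SOLICIT, ADVERTISE = 1, 2
OPTION_CLIENTID, OPTION_SERVERID = 1, 2
CLIENT_PORT = 546
EPHEMERAL = range(49152, 65536)  # IANA dynamic port range (RFC 6335)
# Constructed DUID-LL values (type 3, hardware type 1, 6-byte MAC); not real devices
CLIENT_DUID = bytes.fromhex("0003000100112233aabb")
SERVER_DUID = bytes.fromhex("00030001001122ccddee")
ATTACKER_DUID = bytes.fromhex("000300010011ff00ff00")


def build_dhcp6(msg_type, trid, options):
    """Serialise a client/server message: 1-byte msg-type, 3-byte transaction-id, TLV options."""
    if not 0 <= trid < 1 << 24:
        raise ValueError("transaction-id is a 24-bit field")
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([msg_type]) + trid.to_bytes(3, "big") + body


def parse_dhcp6(buf):
    """Parse the wire format into (msg_type, trid, {option_code: data}); reject truncation."""
    if len(buf) < 4:
        raise ValueError("short DHCPv6 header")
    msg_type, trid, opts, pos = buf[0], int.from_bytes(buf[1:4], "big"), {}, 4
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[pos:pos + 4])
        data = buf[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = data  # a repeated option code keeps the last copy; enough here
        pos += 4 + length
    return msg_type, trid, opts


def client_accepts(datagram, dst_port, sent_from_port, expected_trid, expected_type=ADVERTISE):
    """Checks a client applies before trusting a server message.

    Transport (assumption of this example): the datagram must arrive on the port the
    request was sent from; a client that also accepts on 546 gains nothing from a
    random source port. RFC 8415 section 16: matching msg-type and transaction-id,
    Server Identifier present, Client Identifier equal to the client's own DUID.
    """
    if dst_port != sent_from_port:
        return False
    try:
        msg_type, trid, opts = parse_dhcp6(datagram)
    except ValueError:
        return False
    if msg_type != expected_type or trid != expected_trid or OPTION_SERVERID not in opts:
        return False
    return opts.get(OPTION_CLIENTID) == CLIENT_DUID


def exchange(client_port, server_replies_to_request_port):
    """One Solicit/Advertise round trip; True if the client accepts the Advertise.

    The server answers either to the request's UDP source port (ordinary UDP practice)
    or to the fixed client port 546 whatever the client used, which is step 2 of the
    trace in the thread when the client sent from an ephemeral port.
    """
    trid = 0x5A5A5A  # constructed; a real client draws this at random per exchange
    solicit = build_dhcp6(SOLICIT, trid, [(OPTION_CLIENTID, CLIENT_DUID)])
    # server side: echo the transaction-id and the client's DUID, add the server DUID
    _, req_trid, req_opts = parse_dhcp6(solicit)
    advertise = build_dhcp6(ADVERTISE, req_trid, [(OPTION_SERVERID, SERVER_DUID),
                                                   (OPTION_CLIENTID, req_opts[OPTION_CLIENTID])])
    reply_dst_port = client_port if server_replies_to_request_port else CLIENT_PORT
    return client_accepts(advertise, reply_dst_port, client_port, trid)


def off_path_guess_space(port_randomised):
    """Combinations a blind forger must cover: 2^24 transaction-ids times the port range."""
    return (1 << 24) * (len(EPHEMERAL) if port_randomised else 1)


def simulate_spoof(client_port, client_trid, attacker_knows_trid, attempts):
    """Blind off-path forger that knows the client DUID but not its transaction-id
    (unless attacker_knows_trid) nor, if the client did not use 546, its port. It scans
    the unknown values sequentially; returns how many of its first `attempts` forged
    Advertises the client accepts.
    """
    trids = [client_trid] if attacker_knows_trid else range(1 << 24)
    ports = [CLIENT_PORT] if client_port == CLIENT_PORT else EPHEMERAL
    guesses = ((t, p) for t in trids for p in ports)  # lazy: never materialise 2^24 trids
    accepted = 0
    for trid_guess, port_guess in itertools.islice(guesses, attempts):
        forged = build_dhcp6(ADVERTISE, trid_guess, [(OPTION_SERVERID, ATTACKER_DUID),
                                                      (OPTION_CLIENTID, CLIENT_DUID)])
        if client_accepts(forged, port_guess, client_port, client_trid):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("client 49876, server replies to 546 anyway:", exchange(49876, False))
    print("forger guess space, fixed vs random port:",
          off_path_guess_space(False), off_path_guess_space(True))
    print("known trid, fixed port, 1 datagram:", simulate_spoof(546, 0xA1B2C3, True, 1))
    print("known trid, random port, full scan:", simulate_spoof(60000, 0xA1B2C3, True, 16384))
```

Run directly, the script shows the two sides of the trade-off: a client that only accepts on the port it sent from silently loses an Advertise that the server addresses to 546, which is what the "(!)" in the trace is pointing at, and a forger that has somehow obtained the transaction-id succeeds with its first datagram against a client on the fixed port but still faces a scan of the whole dynamic range when the port is randomised. Whether the 16-bit port or the 24-bit transaction-id is the larger obstacle in practice depends on how well the client randomises each, which is the point RFC 8085 makes about not relying on a single predictable field.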