IETF Logo Mail Archive

Re: [dhcwg] WGLC: draft-ietf-dhc-dhcpv6-tunnel-01.txt

Ole Trøan <otroan@employees.org> Thu, 27 September 2012 07:59 UTC

Return-Path: <otroan@employees.org>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5392821F86D9 for <dhcwg@ietfa.amsl.com>; Thu, 27 Sep 2012 00:59:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.989
X-Spam-Level:
X-Spam-Status: No, score=-9.989 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AWXRH58-7fW2 for <dhcwg@ietfa.amsl.com>; Thu, 27 Sep 2012 00:59:44 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 2B84921F86D5 for <dhcwg@ietf.org>; Thu, 27 Sep 2012 00:59:44 -0700 (PDT)
X-Files: smime.p7s : 4351
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAIkGZFCQ/khM/2dsb2JhbABFvg+BCIIgAQEBAwESAWYQC0YCVQY1h10Gl3Cff5BVYAOObpU9gWmCaQ
X-IronPort-AV: E=Sophos; i="4.80,494,1344211200"; d="p7s'?scan'208"; a="144437196"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-1.cisco.com with ESMTP; 27 Sep 2012 07:59:42 +0000
Received: from dhcp-lys01-vla250-10-147-112-179.cisco.com (dhcp-lys01-vla250-10-147-112-179.cisco.com [10.147.112.179]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q8R7xfMi028306 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 27 Sep 2012 07:59:42 GMT
Content-Type: multipart/signed; boundary="Apple-Mail=_53F11B0F-3B7B-43BF-A407-053D56E597E7"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Ole Trøan <otroan@employees.org>
In-Reply-To: <7329B869-8093-4EDA-8490-1491D97D22D8@nominum.com>
Date: Thu, 27 Sep 2012 09:59:40 +0200
Message-Id: <2918F4E4-DD2D-4705-ACBC-5D6E5E0F2357@employees.org>
References: <4D779082-B182-4728-9534-39456573682E@nominum.com> <489D13FBFA9B3E41812EA89F188F018E0F4EA3B4@xmb-rcd-x04.cisco.com> <E1CE3E6E6D4E1C438B0ADC9FFFA345EA3C4668ED@SZXEML510-MBS.china.huawei.com> <8AC1BB64-BA6D-4395-ABA7-1F317C3550D0@nominum.com> <D4AB11DA-0815-4E79-A097-F9B408210D81@employees.org> <C53F80F0-F243-4A0D-B03D-BDEE4B4246BC@nominum.com> <39714EDD-C5DA-4DDF-AD10-E06A934EEDAE@employees.org> <8275EA44-3606-4C82-A656-653B56009D09@nominum.com> <2144A493-A8A0-46C3-9281-1F2D58867685@employees.org> <7329B869-8093-4EDA-8490-1491D97D22D8@nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
X-Mailer: Apple Mail (2.1498)
Cc: dhc WG <dhcwg@ietf.org>
Subject: Re: [dhcwg] WGLC: draft-ietf-dhc-dhcpv6-tunnel-01.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 07:59:45 -0000

Ted,

>> - allow a unicast address as destination address to reach the DHCPv6 server
> 
> Huh.   How does the client know that address?   Why aren't you advertising a route to the All_DHCP_Servers multicast address down the tunnel?

draft:
   "The 6rd CE DHCPv6 relay agent SHOULD use the 6rd BR IPv6 anycast address as the destination address, 
   section 20 of [RFC3315].  If the 6rd link supports multicast [I-D.ietf-mboned-auto-multicast] the 6rd
   CE DHCPv6 relay MAY use the All_DHCP_Servers [RFC3315] as the   destination address of Relay-forward messages."

some links (e.g. 6rd) do not support IPv6 multicast.

>> there are a few MUSTs that must be changed. equally there might be security implications, and new text for how the server should deal with on or offlink clients.
> 
> Wouldn't the security implications be the same in both cases?   You realize that RFC3315 does allow unicast to the server if it's been negotiated with the server, right?   How are the security implications different in that case than in this one?   How does putting in a fake relay agent change things?   Can't any client put in a fake relay agent, whether they are at a tunnel endpoint or not?   I can help you to work through the security considerations section if that's your only concern.
> 
>> this isn't completely different. the draft describes how this can be achieved with existing DHCPv6 servers and within current RFC3315.
>> what is complicated and what is not compatible?
> 
> You have to hack the client to pretend it's a relay agent.   If this happens, you're going to wind up with clients like that all over the place, and your DHCP deployment is going to have to handle them correctly.   And then if we change RFC3315 to solve the problem the right way, then your DHCP deployment is going to have to handle both mechanisms, one of which delivers a packet with an extra relay package.

I don't quite understand this concern. this draft describes how one can put together existing DHCP protocol modules to achieve support for links that do not support link-local addresses and multicast.

if we instead were to change 3315 how would a new client speak to an old server?

cheers,
Ole

v2.23.0 | Report a Bug | By Email