IETF Logo Mail Archive

Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by December 11, 2023

Jen Linkova <furry13@gmail.com> Tue, 09 January 2024 07:09 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67242C1CAF2A for <dhcwg@ietfa.amsl.com>; Mon, 8 Jan 2024 23:09:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YqhA--WWiSQ7 for <dhcwg@ietfa.amsl.com>; Mon, 8 Jan 2024 23:09:01 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E053CC1CAF48 for <dhcwg@ietf.org>; Mon, 8 Jan 2024 23:09:01 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id 38308e7fff4ca-2ccb923c4d2so27407221fa.1 for <dhcwg@ietf.org>; Mon, 08 Jan 2024 23:09:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704784139; x=1705388939; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=R0yYQK7g0A5ZRW9aPl3V91fwhALMf9b8FVIoC9oC2As=; b=A6tT5nEun8MeMwunrwonM/ITJ+J0y6cFKGRvT24M2X0yE812p9cltOw8Qpb8y2YHoB ZihKqISWqVVNy5OY1wa/D8FFQSc9rrY8/kLQlK24qMh2J9yT94t/NTDW1CH3VwLw4yDp 1ElYzTxzaghmCjyPsbQIsClkghYuW+akpOl83Q6zQ8wY5l3C/+4MQZ9+tBqZnsI7JqDs uNVzFS9DVkVgpcgV4hC6QzcRvRsodZwFhnis69GWjLDsw8Je/Djomxokdx8d3A5r4Pfm nrKSAoeqWPAmRWGAhfgNCOa9FO34HTmFFSQqre7jyBrdPRyFYBPzXLrLXY13dPr8vczv tfBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704784139; x=1705388939; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=R0yYQK7g0A5ZRW9aPl3V91fwhALMf9b8FVIoC9oC2As=; b=X77tCJIDFQibSggCDJOKOpoSNcxYUwjxrJEGESd49ew1sfX1CtosfbY086TfYScYxT SuFUUnyCYqg13oWJ954Q+tuoRLpvzDO2DFygGUJYjv34Tt5v9egZRK8sknY+3pYhqWkx /iQIA7jYamRdI1x/yuLIv8uuwJhMyHqfotG1sWQtBqZQUvdulUDUX0TCsTNW1ARQ7Vwb wU0ZOoibN/P3nw+TsNc15Ydb3ypAnlfKre/2xsqjcKXEnLGrStOonZsekoUgeuIBpUzt Xr0lAGkXMU+A4Slhn3/c919ruzczbWFfiItNSK3h2aSMoeeSI+5NPX/VsWAcK8c4AWc2 VpCg==
X-Gm-Message-State: AOJu0Yw2wzEgZMyZL/oEvo2AOJ+RYFte6Lk+x4H5bLQq96tEIWAItLLp ahSEm3+lj/2ygpgGT2efsTvD6DHFbb94cZ1LdVaKIkviJq1oKQ==
X-Google-Smtp-Source: AGHT+IENs8eInzxrkw0e14snfeYdT/p97qfQlyZZNi9+yn1X28YlbfxRA5s/mKh9jxbNn8j8EaZRG9libjF8H9aStmE=
X-Received: by 2002:a2e:8919:0:b0:2cc:5fda:5bd7 with SMTP id d25-20020a2e8919000000b002cc5fda5bd7mr1313244lji.99.1704784139168; Mon, 08 Jan 2024 23:08:59 -0800 (PST)
MIME-Version: 1.0
References: <CAJgLMKuUkm1bxhT379QxrdOLzbA0zuGPQY4UbvzOYJD-ykWBwg@mail.gmail.com> <CAFU7BAQzwW4yFXH6vF2stZT5G7OmyZj248zGxeZbJ06JDJ_ieg@mail.gmail.com> <7598.1701799723@localhost> <CAFU7BAQ1Ge3yKjdSXEX80ukbw-OYMReC8+Tvh6UNAB2UKEOz5w@mail.gmail.com> <9253.1703255775@localhost> <CAFU7BAQ6fJjhjtvmwJd8otwPG3A0=4x87oFnMRPyyn9uWoCB6Q@mail.gmail.com> <21509.1703869064@localhost>
In-Reply-To: <21509.1703869064@localhost>
From: Jen Linkova <furry13@gmail.com>
Date: Tue, 09 Jan 2024 08:08:47 +0100
Message-ID: <CAFU7BATBfT4P3tMBbeCcwouYuvhbq_Vd6GQ00eTFHnxE_-bxCA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: dhcwg <dhcwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/WsGbOeCDHPD6CtPuYZJGfHzsCF0>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by December 11, 2023
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jan 2024 07:09:06 -0000

On Fri, Dec 29, 2023 at 5:57 PM Michael Richardson
<mcr+ietf@sandelman.ca> wrote:
>     >> EXEC SUM: I think it's really complex for a client to know when "all" of the
>     >> servers have turned on this option. While clients are supposed to listen
>     >> for all the servers, I think in practice, they listen for the first
>     >> server that is "Good Enough" for them.

>     > So are we OK with the client oscillating between starting and and
>     > stopping the registration process if some servers on the network do
>     > not support it?
>
> I'll repeat once more :-)
> I'm not okay with this.  I think it should be wire-or.

That's why I'm confused: if you are not OK with oscillating clients,
why are you OK with "listening to the first server is good enough"?
That may (and in many cases will) lead to the oscillation.

>     >> While I think that the incidence of DHCPv6 being turned on randomly by
>     >> desktop operating systems is far lower than for DHCPv4, the occurance of
>     >> people plugging in "home routers" at their desk thinking they are ethernet
>     >> switches is just going to rise.  (using the "LAN" ports exclusively)
>
>     > The threat exists even w/o the proposed mechanism, right?
>     > Or am I missing anything and you do see a new thread being introduced?
>
> When you consider the case where someone at an Enterprise sticks a "switch"
> on their desk in order to hook up a few more things they are supposed to be
> configuring. (someone junior in IT at a non-IT company. So Jen, not your network)


Oh, my network allows that - it's just 802.1x would take care of
making sure other clients are not affected  ;)

> Only, as I suggest, it's not a switch, it's a home router, and they have
> plugged the LAN side in.
>
> Sure, RAguard/DHCPguard on the Enterprise switch port keeps that junk away from the
> rest of the network, but the devices on junior-IT guy's desk all see two RAs,
> and two DHCP Advertises.  Only the only from the "switch" does not have
> ADDR-REG-ENABLE on.
>I think that it is *PRECISELY* in a case like that IT
> would really really like reports from all those devices to show up in their
> logs.

IMHO it's a job for DHCP guard/RA guard.

> I'm not claiming a new security issue, I'm claiming that finding these kinds
> of things is exactly the problem we are trying to diagnose.

I do not think the primary use case here is "finding rogue DHCP
servers", to be honest.
The use case we have in mind is an additional mechanism to report
addresses in use, not
finding rogue routers/DHCP servers (though actually rogue RAs with
PIOs can be detected using the proposed mechanism).

>     >> I think that (1) is simplest, but it seems that all of the server option
>     >> announcements can timeout, and then there would be no announcements and maybe
>     >> the client should stop.
>
>     > I might be wrong but I do not think it's what Bernie and Lorenzo are
>     > suggesting. I read it as 'the client starts the registration process
>     > as soon as it gets the very first support signal, and then it doesn't
>     > stop even if subsequent Replies do not have the option". Because if it
>     > does take subsequent Replies into account, then it either has to
>     > a)track which server sends it (-07 text, which we all agree is
>     > complicated) or b) treat the first reply w/o the option as a signal to
>     > stop (the original text, which would lead to the oscillation).
>
> I guess I assumed it would track which server sends the signal.
> And there aren't any timeouts involved, since no addresses were allocated,
> which I forgot.  I was thinking that there were some things allocated
> (v6-PD!), so there would be a timeout associated with that lease.
>
> But, I see your point, one could just observe the latest announcement.
>
> Well, I don't know then, the simpler solution is appealing.

By the simplest you mean "once the client starts sending, it doesn't stop"?
Are you (and the group) OK with 'cons' (such as 'if the administrator
wants to turn it off, it might need to
bounce the client's connection.')?

>     > 1. The client MUST NOT send the registration messages until it gets an
>     > explicit signal.
>
> Sure.
>
>     > 2. The client SHOULD start sending the registration message when it
>     > receives the signal.
>
> Agreed.
>
>     > What shall the client do after that?
>     > What shall the client do if it sends an information request and gets a
>     > reply w/o an option?
>
> Is this the ADDR-REG-INFORM message, or another information request?
I'm not sure I understand the question. The client sent a packet (e.g.
Information request) which includes OPTION REQUEST OPTION containing
OPTION_ADDR_REG_ENABLE code and got a response w/o
OPTION_ADDR_REG_ENABLE option back.
What's now?
Stop? Continue sending?

-- 
Cheers, Jen Linkova

v2.23.0 | Report a Bug | By Email