RE: [dhcwg] Leasequery: should it be standardized?
"Woundy, Richard" <Richard_Woundy@cable.comcast.com> Sat, 08 March 2003 00:19 UTC
Message-ID: <6732623D2548D61193C90002A5C88DCC056637B2@entmaexch02.broadband.att.com>
From: "Woundy, Richard" <Richard_Woundy@cable.comcast.com>
To: dhcwg@ietf.org
cc: 'Kim Kinnear' <kkinnear@cisco.com>, Ralph Droms <rdroms@cisco.com>, Thomas Narten <narten@us.ibm.com>, "Woundy, Richard" <Richard_Woundy@cable.comcast.com>
Subject: RE: [dhcwg] Leasequery: should it be standardized?
Date: Fri, 07 Mar 2003 17:18:35 -0700
Folks,

I don't know the outcome of this thread, after the flurry of comments in support of the DHCP Lease Query functionality -- which included some useful comments to improve the next draft version.

Today, as a fairly large cable service provider, I use DHCP Lease Query between distinct vendors of DHCP servers and DOCSIS CMTS relay agents, where it provides great value -- preventing IP address theft among subscribers. In places where I cannot yet deploy this technology, some legitimate subscribers have to use some ugly workarounds (e.g. continuously pinging the first-hop router) in order to defend their legitimately-assigned DHCP address lease.

The Lease Query functionality exists in multiple vendor DHCP server implementations and multiple vendor (CMTS) relay agent implementations. Today, these vendors tend to use the documentation of the Lease Query protocol from the Cisco website.

While I believe that Lease Query should be standardized within the DHC WG, I am not sure I would refer to this functionality as "access control". Performing source IP address verification is one small piece of router access control. To see the full ugliness of access control from the DiffServ perspective, see RFC 3289 -- this extent of functionality is way beyond the charter of DHC.

I don't think we should extend Lease Query to be a generic DHCP server lookup protocol. For example, if a non-relay agent needs to know the lease database information from a DHCP server, it should query the DHCP Server MIB <http://www.ietf.org/internet-drafts/draft-ietf-dhc-server-mib-08.txt> -- which incidentally I believe now is ready for WG last-call.

So perhaps some re-wording of the problem statement, and perhaps some pruning of functionality that has crept into the draft, is in order.

I am sorry I did not respond to this thread sooner, but I have been overwhelmed with other IETF discussion threads. DiffServ and DHCP Server MIB come immediately to mind. ;^)

-- Rich

P.S. I remember the original intent of Lease Query -- since I first pitched the Lease Query idea (aka "Third-Party DHCP") back in April 1998, <http://www.ietf.org/proceedings/98mar/98mar-edited-51.htm#P6021_315505>. In fact, I still have the original slide deck on my laptop. ;^)

-----Original Message-----
From: Kim Kinnear [mailto:kkinnear@cisco.com]
Sent: Wednesday, February 26, 2003 12:37 PM
To: dhcwg@ietf.org
Cc: Ralph Droms; Thomas Narten; Kim Kinnear
Subject: [dhcwg] Leasequery: should it be standardized?

Folks,

We have come to something of an impasse on the leasequery draft, and I need *your* support if you believe we should continue to pursue this draft.

===============================================================
Without considerable support from the DHC WG, we will halt work on the leasequery draft and all attempts to bring this work to standard status.
===============================================================

If you believe that there is any value in standardizing the leasequery capability, please at least respond to this list ASAP with your positive support.

If you have the time and expertise, please read the rest of this email and see if you can offer cogent arguments as to why this is work that the DHC working group should be pursuing.

If we don't standardize the leasequery capability, each vendor of access concentrators and DHCP products that wishes to use this approach will then need to work together (possibly in some other forum) to try to get their products to be compatible. Of course, it may well be that we are the only folks who see this as a useful capability, and so that may not be an issue at all.

Thanks -- Kim

----------------------- Summary -----------------------

In case you haven't been following the email between Thomas Narten and myself, he has been questioning the problem statement of the leasequery draft. Ralph proposed a new problem statement, but Thomas feels that this whole capability is questionable.

You are invited to respond to Thomas' arguments, which I have distilled as follows:

1. Doing anything in the DHC WG like supporting "access control in router type devices" is out of scope for the working group, and doesn't fit its current charter.

2. Access control in router type devices is not well enough understood to be sure that:
   a) leasequery is the right solution.
   b) any DHC-based approach is the "right" approach to solve this problem.

3. Until we are sure of 2(a), then we should not proceed with this work (I believe that this statement is implicit in Thomas' comments.)

----------------------- Background ---------------------------

Here is Ralph's proposed problem statement:

   Router-type devices which want to enforce some level of access control over which IP addresses are allowed on their links need to maintain information concerning IP<-MAC/client-id mappings. One way in which these devices can obtain information about IP<-MAC/client-id bindings is through "DHCP gleaning", in which the device extracts useful information from DHCP messages exchanged between hosts and DHCP servers. However, these devices don't typically have stable storage sufficient to keep this information over reloads. There may be additional information that is useful to the device that cannot be obtained through DHCP gleaning.

   The leasequery request message described in this document allows a device to obtain information about IP<-MAC/client-id bindings from a DHCP server. This information may include currently active bindings, bindings involving previously assigned addresses for which the lease on the address has expired and static bindings for devices that are otherwise configured and not using DHCP for address assignment.

Thomas' concerns center on the second paragraph above, and he says:

   Note, that above is pretty vague and doesn't say what information the access device needs. It's hard to look at the problem statement and say "yes, I understand the boundaries of the problem" and then "and the solution seems like a good match for the problem".

   Popping up a level, how is it even appropriate for the DHC WG to be doing work on "access control in router type devices"? One can argue that work of this broad a scope is well out-of-scope for this WG (e.g., look at the recently approved charter). I'm far from clear that work of this scope should be done in DHC or that the problem is well enough understood to conclude that DHC lease query is the right solution or that any DHC-based solution is the right one. What about routers wanting to do access control that don't use DHC, for instance?

   And note, I'm not raising these issues just to be a PITA. These are questions that I expect that the IESG would ask if I brought the document forward. Thus, I need to have reasonable responses to those questions. Otherwise, I can predict the likely outcome.

My response to Thomas was:

   This approach to access control was developed by joint work with the folks building our access concentrators and several of us in the DHCP implementation group. They found that the functionality delivered to actual users was of sufficient value to those users to be worth the cost of engineering this particular solution. We supported them in moving the implementation forward.

   The solution was not based on the charter of the DHC working group either then or now -- it was based on a rather pragmatic approach to meeting the needs of users, which it has seemed to do. In my view at least, it fits within the spirit of the DHC WG activities, and was a logical extension of those activities. It isn't a comprehensive approach to any sort of security (nor was it designed to be such) -- it is a supporting piece of technology to one limited form of access control.

Thanks for your interest in the leasequery capability.

Kim

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
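The mechanism the thread argues about, modelled as an added example that is not part of the mailing-list message, the draft, or any vendor's CMTS or DHCP server code: a relay agent that learns IP-to-MAC bindings by DHCP gleaning, loses them on reload, and falls back to a lease query to the server so it can still verify the source address of subscriber traffic (the "IP address theft" case Rich describes). The reply vocabulary (ACTIVE / EXPIRED / UNKNOWN), the in-memory tables, the negative-cache TTL, and all addresses and MACs are constructed assumptions for the simulation, not the draft's wire format.

```python
"""Relay-agent source-IP verification backed by DHCP gleaning with a
lease-query fallback.  Added illustration; the protocol is simplified
to in-process calls and the data is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Lease:
    mac: str
    expires: float          # absolute time; float('inf') marks a static binding


class DhcpServer:
    """The server's lease database (constructed sample data)."""

    def __init__(self, leases: Dict[str, Lease]) -> None:
        self.leases = leases
        self.queries = 0    # how many times the relay had to ask us

    def lease_query(self, ip: str, now: float) -> Tuple[str, Optional[str], float]:
        """Simplified lease query (assumed reply vocabulary, not the draft's):
        ('ACTIVE', mac, expiry) for a live or static binding, ('EXPIRED',
        last_mac, expiry) for a lease that ran out, ('UNKNOWN', None, 0.0)
        when the server has no record of the address at all."""
        self.queries += 1
        lease = self.leases.get(ip)
        if lease is None:
            return ("UNKNOWN", None, 0.0)
        if lease.expires <= now:
            return ("EXPIRED", lease.mac, lease.expires)
        return ("ACTIVE", lease.mac, lease.expires)


class RelayAgent:
    """CMTS-style relay agent that keeps bindings only in RAM."""

    NEG_TTL = 60.0          # assumed: how long a negative answer is remembered

    def __init__(self, server: DhcpServer) -> None:
        self.server = server
        self.bindings: Dict[str, Lease] = {}     # IP -> binding, gleaned or queried
        self.negative: Dict[str, float] = {}     # IP -> time until we may re-query

    def glean_ack(self, ip: str, mac: str, lease_time: float, now: float) -> None:
        """DHCP gleaning: record the binding carried in a DHCPACK that passed through."""
        self.bindings[ip] = Lease(mac, now + lease_time)

    def reload(self) -> None:
        """A reboot wipes the gleaned table; this is the gap lease query fills."""
        self.bindings.clear()
        self.negative.clear()

    def lookup(self, ip: str, now: float) -> Optional[Lease]:
        """Return the current binding for ip, asking the server only when the
        local table cannot answer and no recent negative answer is cached."""
        lease = self.bindings.get(ip)
        if lease is not None and lease.expires > now:
            return lease
        if self.negative.get(ip, -1.0) > now:
            return None
        status, mac, expires = self.server.lease_query(ip, now)
        if status == "ACTIVE" and mac is not None:
            lease = Lease(mac, expires)
            self.bindings[ip] = lease        # re-learn so the next packet needs no query
            return lease
        self.bindings.pop(ip, None)
        self.negative[ip] = now + self.NEG_TTL
        return None

    def verify_source(self, src_ip: str, src_mac: str, now: float) -> str:
        """'FORWARD' if src_mac holds the lease on src_ip, else 'DROP'."""
        lease = self.lookup(src_ip, now)
        if lease is None or lease.mac != src_mac:
            return "DROP"
        return "FORWARD"


def scenario() -> Dict[str, object]:
    """Walk through gleaning, reload, a spoofed source, a static host, an
    unknown address and an expired lease; returns the decisions and the
    number of lease queries the server saw at each point."""
    server = DhcpServer({
        "10.1.0.5": Lease("00:11:22:33:44:55", 3600.0),           # dynamic lease
        "10.1.0.9": Lease("00:11:22:33:44:99", float("inf")),     # static binding
    })
    relay = RelayAgent(server)
    relay.glean_ack("10.1.0.5", "00:11:22:33:44:55", lease_time=3600.0, now=0.0)
    r: Dict[str, object] = {}
    r["owner_before_reload"] = relay.verify_source("10.1.0.5", "00:11:22:33:44:55", 10.0)
    r["queries_before_reload"] = server.queries          # gleaned table answered
    relay.reload()
    r["owner_after_reload"] = relay.verify_source("10.1.0.5", "00:11:22:33:44:55", 20.0)
    r["queries_after_reload"] = server.queries           # one lease query to recover
    r["thief"] = relay.verify_source("10.1.0.5", "de:ad:be:ef:00:01", 21.0)
    r["queries_after_thief"] = server.queries            # answered from the re-learned binding
    r["static_host"] = relay.verify_source("10.1.0.9", "00:11:22:33:44:99", 22.0)
    r["unknown_addr"] = relay.verify_source("10.1.0.77", "00:11:22:33:44:77", 23.0)
    r["unknown_addr_repeat"] = relay.verify_source("10.1.0.77", "00:11:22:33:44:77", 24.0)
    r["queries_after_unknown"] = server.queries          # negative cache absorbed the repeat
    r["expired"] = relay.verify_source("10.1.0.5", "00:11:22:33:44:55", 4000.0)
    r["queries_final"] = server.queries
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:24s} {value}")
```

The negative cache is the deployment caveat worth noticing: without it, every packet from an address the server has never assigned would cost the DHCP server a query, so a relay that verifies sources this way needs to rate-limit or cache misses rather than forward each one to the server.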