Re: [dhcwg] recommendation on DHCP6 source port numbers

"rob@deepdivenetworklng.com" <rob@deepdivenetworking.com> Fri, 01 March 2024 01:34 UTC

From: "rob@deepdivenetworklng.com" <rob@deepdivenetworking.com>
Message-Id: <6B61C919-ED53-4F66-8011-DC6A536EEF67@deepdivenetworking.com>
Date: Thu, 29 Feb 2024 17:34:10 -0800
In-Reply-To: <13193.1709254997@obiwan.sandelman.ca>
Cc: David Farmer <farmer@umn.edu>, dhcwg <dhcwg@ietf.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <CAN-Dau3m2_L7J9T9VBk7oyHTK0EeMeuiv+jNpuMGE3m1T623=A@mail.gmail.com> <CC99EB8A-3350-4682-B273-D0656AD8F7F4@employees.org> <CAN-Dau1SPXgyHg_fkmU6rTxWpt-edAWA9hM2kR1qyP8t1XW+_Q@mail.gmail.com> <A477E0AF-F68A-4528-A907-CF0C9F7448F2@deepdivenetworking.com> <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com> <E4494DF6-D1F4-4613-BA4C-9A74F4B6989B@deepdivenetworking.com> <13193.1709254997@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/YThWo2zTsOfTNB2zxkL6puc9IW4>
Subject: Re: [dhcwg] recommendation on DHCP6 source port numbers
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>

Michael,

That's an important distinction that I should have thought about before replying. I was thinking client - server, but really it's client - relay and relay - server in 99% of cases. It also negates my comparison to the cache-poisoning issue. I need a nap, apparently. So if we are only making recommendations for the client source port to be locked down, I have zero argument with that. Once we get into relay -> server, then we have to consider that those packets could be going anywhere.

Rob

Robert Nagy
- - - - - - - - - -
Senior Dive Master | Deep Dive Networking Inc
p: 408.480.5133 
e: rob@deepdivenetworking.com
www.deepdivenetworking.com

> On Feb 29, 2024, at 5:03 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> rob@deepdivenetworklng.com <rob@deepdivenetworking.com> wrote:
>> David, I can see that argument. But we also didn't think randomized
>> source ports were going to be important for DNS... I guess I don't see
>> why we should be declaring what an implementer does on the source port
> 
> We expect DNS messages to leave the "enterprise" (site) and get returned to
> us.  We require it for DNS to work.  It's the whole point.
> Yes, there was a point in the past where many DNS requests were *from* port-53.
> 
> DHCPv6: not so. Just the opposite.
> OpenWRT actually blocks port 546/547 from being accepted on the wan
> interface, unless it's LL. (zone_wan_input)
> If DHCPv6 leaves the local link, it's because there is a DHCP relay configured.
> 
> So I feel confident that we will NEVER need clients to port randomized
> source ports.  We *might* decide that there is some scenario where we want a
> DHCPv6 *RELAY* to do something like that, but I'll bet we won't do that
> without a DTLS or IPsec wrapper.
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
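As an added illustration of the distinction drawn in this exchange (not code from the thread, from OpenWrt, or from any DHCPv6 implementation): a small Python classifier that names which DHCPv6 leg a UDP packet belongs to (client -> relay/server on the local link versus the routed relay <-> server leg), plus a WAN-input decision modelled on the OpenWrt behaviour Michael describes. The port numbers and the ff02::1:2 group come from RFC 8415; the sample addresses are constructed from the 2001:db8::/32 documentation prefix, and the type and function names are mine.

```python
import ipaddress
from typing import NamedTuple

# Port numbers and multicast group from RFC 8415 (the ports named in the thread).
DHCPV6_CLIENT_PORT = 546   # clients listen here for Advertise/Reply
DHCPV6_SERVER_PORT = 547   # servers and relay agents listen here
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = ipaddress.IPv6Address("ff02::1:2")


class Udp6Packet(NamedTuple):
    """Only the addressing fields the classification needs (hypothetical type)."""
    src: str
    dst: str
    sport: int
    dport: int


def classify_dhcpv6(pkt: Udp6Packet) -> str:
    """Name the DHCPv6 leg a packet belongs to, or 'not-dhcpv6' / 'unexpected'."""
    if pkt.dport not in (DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT):
        return "not-dhcpv6"
    src = ipaddress.IPv6Address(pkt.src)
    dst = ipaddress.IPv6Address(pkt.dst)
    # Client -> relay/server: link-local source, the well-known group, port 547.
    if (src.is_link_local and dst == ALL_DHCP_RELAY_AGENTS_AND_SERVERS
            and pkt.dport == DHCPV6_SERVER_PORT):
        return "client-to-relay-or-server"
    # Relay/server -> client: unicast answer on the same link to port 546.
    if src.is_link_local and dst.is_link_local and pkt.dport == DHCPV6_CLIENT_PORT:
        return "relay-or-server-to-client"
    # Relay <-> server: routed unicast, port 547 in both directions. This is the
    # one leg that can leave the site, which is the relay -> server concern above.
    if (not src.is_link_local and not dst.is_multicast
            and pkt.dport == DHCPV6_SERVER_PORT):
        return "relay-server-routed"
    return "unexpected"


def dhcpv6_wan_input_rule(pkt: Udp6Packet) -> str:
    """'accept' / 'drop' for DHCPv6 ports arriving on WAN, 'no-match' otherwise.

    Modelled on the OpenWrt behaviour described in the thread (546/547 dropped on
    the WAN zone unless the source is link-local). Assumption: written from that
    description, not copied from OpenWrt's firewall configuration.
    """
    if pkt.dport not in (DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT):
        return "no-match"
    return "accept" if ipaddress.IPv6Address(pkt.src).is_link_local else "drop"
```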