IETF Logo Mail Archive

Re: [dhcwg] Layer 2 Relay Agent Information draft

Ramesh <ramesh22@gmail.com> Sun, 26 April 2009 16:18 UTC

Return-Path: <ramesh22@gmail.com>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DEFC93A696B for <dhcwg@core3.amsl.com>; Sun, 26 Apr 2009 09:18:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_73=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AwHwikQNHnhE for <dhcwg@core3.amsl.com>; Sun, 26 Apr 2009 09:18:54 -0700 (PDT)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.31]) by core3.amsl.com (Postfix) with ESMTP id C12073A68E8 for <dhcwg@ietf.org>; Sun, 26 Apr 2009 09:18:53 -0700 (PDT)
Received: by yw-out-2324.google.com with SMTP id 3so2180330ywj.49 for <dhcwg@ietf.org>; Sun, 26 Apr 2009 09:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=3AyH3ZIj4m38ickqvuoemPjbmNb6cyE59LkeKBotF3w=; b=iPgaidAKLPqDDt62VHEjaup9I7EAMt+run+R9EFppkrqXaVv7EGwdui8kIHWJdCcq9 Um8yv8w19TTSm7s6UaTVYgBxPZeJIR4VMJOhpm8/WCpMkiAEC2lxLvvT5BwhFIeSwiZq keIf2LaWrtnPOgyAxJuT/VvsvWI/QKxPQBbIo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=WSC80Kh2zNryyDs9iOjbpjd9PEmvdlKfVDqZupOrUJUyPo2X+YrkTEUuBgG3Ihjbaa kyU9S5CWRWsFVY3a10ETTtA35D2MPPQRWsJWAzZCRzDbG18ziFrC9l+Dja0xyFufMGql A8uTuv4tjiYrDC77WX43b2b/3xHn6QNDC42Gk=
MIME-Version: 1.0
Received: by 10.151.131.4 with SMTP id i4mr7003400ybn.136.1240762813664; Sun, 26 Apr 2009 09:20:13 -0700 (PDT)
In-Reply-To: <7221E17E68B1A944ADCE8A83364DBEE61AC554F789@BLRKECMBX01.ad.infosys.com>
References: <31D55C4D55BEED48A4459EB64567589A0E857E6A43@BLRKECMBX02.ad.infosys.com> <42704ecd0904260313y15c90d64o1db7e6384030e0b4@mail.gmail.com> <7221E17E68B1A944ADCE8A83364DBEE61AC554F789@BLRKECMBX01.ad.infosys.com>
Date: Sun, 26 Apr 2009 21:50:13 +0530
Message-ID: <42704ecd0904260920l68b8ce36tf08fb1ab4a0802c0@mail.gmail.com>
From: Ramesh <ramesh22@gmail.com>
To: pavan_kurapati <pavan_kurapati@infosys.com>
Content-Type: multipart/alternative; boundary="001e680f112cc24f930468779a53"
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Layer 2 Relay Agent Information draft
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2009 16:18:56 -0000

Pavan,
Please see comments inline



Section 4.1.1

-------------
3 ...A Layer 2 Relay Agent may be configured to intercept unicast DHCP
messages.
[ramesh] I think all L2 Relay Agents SHOULD intercept _all_ the DHCP
messages from server
_if_ it has inserted option-82. This is because for a client, option-82 do
not make any sense.
[Pavan] Mandating all L2RAs to intercept unicast messages may be too strict
behavior  given that there are implementations which doesnt do it. I feel
'may' is good here.
[Ramesh] My concern here is, L2RA should intercept all packets from server,
as server could do unicast reply for a broadcast request.
As per RFC 3046 information option have to be stripped off by the relay
agent which added it,
"

   The Relay Agent Information option echoed by a server MUST be removed
   by either the relay agent or the trusted downstream network element
   which added it when forwarding a server-to-client response back to
   the client.

"
Also, I think it will be harsh on the client by asking it to accept a DHCP
option which a client software does not care at all.
Today, there _can_ be DHCP clients which misbehave(?) when it see an
option-82, as RFC 3046 clearly removes client's relationship with option-82.

section 4.2.2

-------------
1 .... Layer 2 relay agents SHOULD select the longest lease time of two
conflicting
but similar replies, by discarding replies that shorten the lease time.
[Ramesh] I thought, to keep the state of a client, L2 Relay Agent will learn
from the REQUEST+ACK message exchange which involves only one server. So
there
is no question of keeping a client state more than its life time. Am I
missing
something here?

In any case, Maintaining a state ( and hence filter) even after a client is
dead,
mean anomalies.
[Pavan] This condition can occur when multiple DHCP servers are configured
for failover. In such a configuration, there are servers which ignore
server-id and in certain exceptional conditions may respond to the same IP
address request with multiple ACKs. In this scenario, L2RA must take the one
which has more lease time.
[Ramesh] I feel we are leaving a security hole here.
Say you have a client which should be leased IP for 10 minutes. One server
lease with 10 minutes and another server with 20 minutes of lease interval.
L2RA will assume the client is valid for 20 minutes and tune the filter.
Whereas the management box ( eg. BRAS) would think it is valid for 10
minutes.
So it is like allowing an unauthorized client to be active from 10 to 20th
time instance. ?
By the way, how is the client expected to behave when it gets two lease. Is
it expected to use the address leased by the server corresponding to the
server-id?



section 4.3.2

-------------
3 ...Because of this, it could be difficult for the DHCP server to
differentiate
between a RENEWING and REBINDING state.
[Ramesh] Did you mean "difficult to differentiate between RENEW and REBIND
messages
here? State is term used in the server context, right?
If you are talking about server state - then its server who leased out an IP
and
hence it would know the state of the client based on T1 & T2.

[Pavan] Actually this state is in terms of client's context. A client would
broadcast the dhcp message with client address filled in this state. In case
of failover configurations, a REBIND may imply that one of the primary
server is not responding [since it is broadcast]. However, in L2RA, since
unicast messages are also intercepted and option 82 added, a RENEW may be
misunderstood as REBIND by server. Let us know if it is not clear.
[Ramesh] My understanding is, if unicast messages are intercepted,
               - RENEW will get option 82 added and giaddr not set.
               - REBIND will get option 82 added and giaddr set.
This difference is sufficient for the DHCP Server to distinguish the client
packet.
Did I get something wrong?

-- 
cheers
ramesh


On Sun, Apr 26, 2009 at 7:04 PM, pavan_kurapati
<pavan_kurapati@infosys.com>wrote:

> Hi Ramesh,
> Thanks for the review. Please find replies inline
>
> Thannks,
> Pavan
> ________________________________
> From: dhcwg-bounces@ietf.org [dhcwg-bounces@ietf.org] On Behalf Of Ramesh
> [ramesh22@gmail.com]
> Sent: Sunday, April 26, 2009 3:43 PM
> To: Bharat Joshi
> Cc: dhcwg@ietf.org
> Subject: Re: [dhcwg] Layer 2 Relay Agent Information draft
>
>
> Bharat,
>
> Few comments/suggestions. Search for [Ramesh].
>
> Section 4.1.1
>
> -------------
> 3 ... The DHCP server responds with a DHCPOFFER message after applying its
> local policies.
> [Ramesh] Will it be good to mention ".. after applying its local policies
> for
> address allocation". This is just to make clear of what policy, DHCP is all
> concerned
> about and readers do not relate this to any system policies.
>
>
>
> [Pavan] I feel the text is generic and conveys the message.
>
>
> Section 4.1.1
>
> -------------
> 3 ...A Layer 2 Relay Agent may be configured to intercept unicast DHCP
> messages.
> [ramesh] I think all L2 Relay Agents SHOULD intercept _all_ the DHCP
> messages from server
> _if_ it has inserted option-82. This is because for a client, option-82 do
> not make any sense.
>
>
>
> [Pavan] Mandating all L2RAs to intercept unicast messages may be too strict
> behavior  given that there are implementations which doesnt do it. I feel
> 'may' is good here.
>
> section 4.1.1
> -------------
> 6. ...
>
> DHCPNACK - RFC 2131 refer to DHCPNAK and not DHCPNACK. Is this ok?
>
> [Pavan] Yes, thanks. Will change it.
>
> section 4.2.2
>
> -------------
> 1 .... Layer 2 relay agents SHOULD select the longest lease time of two
> conflicting
> but similar replies, by discarding replies that shorten the lease time.
> [Ramesh] I thought, to keep the state of a client, L2 Relay Agent will
> learn
> from the REQUEST+ACK message exchange which involves only one server. So
> there
> is no question of keeping a client state more than its life time. Am I
> missing
> something here?
>
> In any case, Maintaining a state ( and hence filter) even after a client is
> dead,
> mean anomalies.
>
>
>
> [Pavan] This condition can occur when multiple DHCP servers are configured
> for failover. In such a configuration, there are servers which ignore
> server-id and in certain exceptional conditions may respond to the same IP
> address request with multiple ACKs. In this scenario, L2RA must take the one
> which has more lease time.
>
>
> section 4.3.2
>
> -------------
> 3 ...Because of this, it could be difficult for the DHCP server to
> differentiate
> between a RENEWING and REBINDING state.
> [Ramesh] Did you mean "difficult to differentiate between RENEW and REBIND
> messages
> here? State is term used in the server context, right?
> If you are talking about server state - then its server who leased out an
> IP and
> hence it would know the state of the client based on T1 & T2.
>
> [Pavan] Actually this state is in terms of client's context. A client would
> broadcast the dhcp message with client address filled in this state. In case
> of failover configurations, a REBIND may imply that one of the primary
> server is not responding [since it is broadcast]. However, in L2RA, since
> unicast messages are also intercepted and option 82 added, a RENEW may be
> misunderstood as REBIND by server. Let us know if it is not clear.
>
> --
> cheers
> ramesh
>
>
>
>
> On Wed, Apr 22, 2009 at 6:43 AM, Bharat Joshi <bharat_joshi@infosys.com
> <mailto:bharat_joshi@infosys.com>> wrote:
> Hi All,
>
>      We have published version 04 of Layer 2 Relay Agent Information draft.
> This version addresses several editorial comments provided by Alfred.
>
>      Draft is available at
> http://www.ietf.org/internet-drafts/draft-ietf-dhc-l2ra-04.txt
>
> Thanks,
> Bharat
> **************** CAUTION - Disclaimer *****************
> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended
> solely
> for the use of the addressee(s). If you are not the intended recipient,
> please
> notify the sender by e-mail and delete the original message. Further, you
> are not
> to copy, disclose, or distribute this e-mail or its contents to any other
> person and
> any such actions are unlawful. This e-mail may contain viruses. Infosys has
> taken
> every reasonable precaution to minimize this risk, but is not liable for
> any damage
> you may sustain as a result of any virus in this e-mail. You should carry
> out your
> own virus checks before opening the e-mail or attachment. Infosys reserves
> the
> right to monitor and review the content of all messages sent to or from
> this e-mail
> address. Messages sent to or from this e-mail address may be stored on the
> Infosys e-mail system.
> ***INFOSYS******** End of Disclaimer ********INFOSYS***
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org<mailto:dhcwg@ietf.org>
> https://www.ietf.org/mailman/listinfo/dhcwg
>
>
>
>
>

v2.23.0 | Report a Bug | By Email