[dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
Warren Kumari via Datatracker <noreply@ietf.org> Wed, 27 May 2020 20:26 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dhcwg@ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D46163A0B40; Wed, 27 May 2020 13:26:11 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Warren Kumari via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dhc-mac-assign@ietf.org, dhc-chairs@ietf.org, dhcwg@ietf.org, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, Ian Farrer <ianfarrer@gmx.com>, ianfarrer@gmx.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.1.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Warren Kumari <warren@kumari.net>
Message-ID: <159061117184.12588.3496366666468663429@ietfa.amsl.com>
Date: Wed, 27 May 2020 13:26:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/Yt5eLAz230gExndvmJJ7ucNYEW0>
Subject: [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 20:26:12 -0000
Warren Kumari has entered the following ballot position for draft-ietf-dhc-mac-assign-06: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dhc-mac-assign/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Be ye not afraid -- these should be easy to address. I have some concerns about this document -- much of my unease isn't specifically about the document itself, but rather the impact that deploying this on a wide scale may create. Much of my concerns can probably be addressed by sprinkling on some weasel-words / "you could shoot yourself in the foot if not careful" language. Unless I've horribly misunderstood, in the direct client mode, a device comes up, connects to a switch and then changes its MAC address to the DHCP assigned one. This may interact poorly with: a: switches with small CAM tables (sometimes deployed in DCs) b: devices with configured maximum MACs per port, common in enterprises (e.g: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/switchport-port-security-maximum.html ) c: 802.1X (which is often configured to only allow a single MAC per interface / VLAN) d: switches which do things like DHCP snooping. Again, I do realize that most of these issues are not directly the result of this technique, but implementing / deploying this makes it more likely that devices will come up with a temp address and then pivot to an assigned one, and I'd like to see some operational warnings... ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you for writing this -- I *do* like this document, and agree that it solves a real problem (e.g: http://grouper.ieee.org/groups/802/PrivRecsg/email/msg00164.html ), but would like to make sure that it is deployable without causing sadness... I think it would be useful to also add some text around policy limits / DoS. As examples, would you expect that this would be enabled on "regular" user interfaces (e.g at my local coffee shop), or is it more designed for datacenters and IoT VLANs? Either way, should a device be able to ask for 00:00:00:00:00:01 and 2^48-2 addresses? The document does say things like: "In particular, the server may send a different starting address than requested, or grant a smaller number of addresses than requested.", but it might be nice to also include something like "implementations should allow configuration of the maximum number of addresses to allocate" or something similar (yes, an attacker could keep coming back and looking like a new device, but...)
- [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc… Warren Kumari via Datatracker
- Re: [dhcwg] Warren Kumari's Discuss on draft-ietf… Bernie Volz (volz)
- Re: [dhcwg] Warren Kumari's Discuss on draft-ietf… Warren Kumari