Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)

"Bernie Volz (volz)" <> Mon, 12 September 2016 13:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6B6A012B2A5 for <>; Mon, 12 Sep 2016 06:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -16.029
X-Spam-Status: No, score=-16.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4k-0zoNSdyE9 for <>; Mon, 12 Sep 2016 06:41:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 689AD12B01B for <>; Mon, 12 Sep 2016 06:41:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=27105; q=dns/txt; s=iport; t=1473687672; x=1474897272; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=b05e0T8uKYV7ZXuCEtQk3P/SbZf6MCI5SLcxbjM9lJ4=; b=doV6h68lhyVsG0LQLswV+xPybaRBrOSSzw4R+Z420gWXPS35AuYeLg8q L+KcchPtd2mHbleGsQH6DDtwd+l8HqSHeYAOgF4xjV9p3ihYaIIeyWYSI CQWX94B5Uk6z7kHvErPpEnMK2gcxHkoz5ZuMt9CSZuZodWlx+1HSK1uz/ s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.30,322,1470700800"; d="scan'208,217";a="322594722"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 12 Sep 2016 13:41:10 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id u8CDfAMT012122 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 12 Sep 2016 13:41:10 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 12 Sep 2016 08:41:10 -0500
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Mon, 12 Sep 2016 08:41:10 -0500
From: "Bernie Volz (volz)" <>
To: "Templin, Fred L" <>
Thread-Topic: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)
Date: Mon, 12 Sep 2016 13:41:10 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> ,<> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_06156b7382fa424fa69967d734cb7590XCHALN003ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>, Ted Lemon <>, Ralph Droms <>
Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 12 Sep 2016 13:41:16 -0000

Adding Ralph as he might remember some more of the details. And, adding DHCWG as perhaps there is someone with better memory (or historical search capabilities) than me, and others may have an opinion on the work.

This is perhaps something to add to the Seoul agenda for discussion and finding volunteers to work on this?

I hadn't done it, but recovering the issue(s) that caused the earlier work to be abandoned might be a good first step? I think Thomas Narten raised some issues that might have derailed it, but perhaps it was someone / something else. I recall the potential timing issue was supposed to be addressed by making use of "DHCPv6 Server Reply Sequence Number Option", draft-ietf-dhc-dhcpv6-srsn-option-02, and that got added in the -01 but for some reason was dropped in the -04. Sadly all the 04 change log says is "Changes in rev -04: all references to the "Server Reply Sequence Number" option were removed from the draft." - not why it was removed. But perhaps this is the "complicated protocol was suggested..." from IETF-75 minutes: contains:

DHCPv6 Relay Agent Assignment Notification Option
                                           Chairs                10 minutes

Ted Lemon: The draft tries to solve the way to setup the routing
    information in dhcp replay agents.  Currently it is done by snooping
    on the relay agent traffic. This option should enable to dhcp
    system to send the information for routing information to eliminate
    the guesswork. Allows the relay agent to add a route in its routing
    table based on DHCP information.  A potential timing problem could
    affect customer routing. Complicated protocol was suggested to
    prevent this failure mode, this protocol was not received well,
    decision to go forward with the original proposal and document the
    potential failure mode which would be an operational problem. The
    option is solving the original requirement and needs to advance

WG Chairs encourage people to read the draft and supply feedback.

Mark Andrews volunteered to review and to provide feedback.

Ralph Droms will refresh/resubmit the draft.

The draft was never refreshed or resubmitted by Ralph. While I only looked at the next 3 meeting minutes, I didn't find any reference to this document/work in those later minutes.

I think perhaps:

1.       The timing window for CableLabs and DOCSIS 3.0 for IPv6 support ran out and CableLabs was going to use snooping on the CMTS and therefore a major motivation for this draft was removed.

2.       The potential failure mode is no different from what exists today with snooping. As it doesn't appear to have caused any operational issues, perhaps we can argue that while it is a potential issue it would be rare and infrequent and alternatives (i.e., snooping) also suffer from this issue.

3.       While an alternative might be to use Active Leasequery by a relay to monitor a server's activity, that has latency and additional overhead issues that snooping or RAAN would eliminate (as the information is piggybacked with the actual client message).

Ralph: If you have the XML version of this draft source, it might be useful to provide it so that if it is resurrected, we don't have to start over (I suspect though it would require some tweaking to bring it up to current XML2RFC version).

I have no issues with discussing as to whether to dust off this work and try again. Whether we do this now or wait a bit longer to see how the sedhcpv6 work shakes out (it seems to have lost a lot of momentum lately) is always open to debate and may depend more on what issues the RAAN work needs to resolve (if any) - hence making sure we understand all of the key issues is important. I suspect though that until sedhcpv6 is actually being implemented, many relay agents (CMTS, ...) won't bother to be updated to make use of RAAN since the snooping alternative is already implemented and has been working (and they can block the encrypted-messages to prevent its use until the relays and servers are ready to support sedhcpv6).

-          Bernie

From: Templin, Fred L []
Sent: Friday, September 09, 2016 6:01 PM
To: Bernie Volz (volz) <>
Cc: Ted Lemon <>
Subject: RE: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)

Hi Bernie and Ted,

I think I have a way forward for AERO that would avoid needing to fight the Secure
DHCPv6 working group consensus, but it depends on the ability to resurrect RAAN.
And, I would not need to add anything new to  RAAN - just use it as it appears in

Given that Secure DHCPv6 will make DHCPv6 client<->server messages exchanges
opaque to relays, there would seem to be a requirement for RAAN in general even
not considering AERO. What would we need to do to bring RAAN back?

Thanks - Fred