IETF Logo Mail Archive

Re: [dhcwg] Reg RFC6704 (Forcerenew Nonce Authentication)

"Bernie Volz (volz)" <volz@cisco.com> Wed, 12 September 2012 11:28 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13F0A21F85F0 for <dhcwg@ietfa.amsl.com>; Wed, 12 Sep 2012 04:28:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.149
X-Spam-Level:
X-Spam-Status: No, score=-10.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_72=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wGG5LfxlU24p for <dhcwg@ietfa.amsl.com>; Wed, 12 Sep 2012 04:28:12 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 12B5121F85ED for <dhcwg@ietf.org>; Wed, 12 Sep 2012 04:28:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4775; q=dns/txt; s=iport; t=1347449292; x=1348658892; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=PMA+4jUJYji/avJiqmskMg2eHf8N9pAuotqvIkQX+UE=; b=AbASp/47x1ebluSq2DyXPj1rTizWyz7ahe6I+y/6CSzsmMHjhMXYDFGR WNnXa1nML5sOCA2vtg56JmKdILK7Z5S/HowPEKjbsKVj/QpwQ7ZibmpVw tP2i0wDdzdXoXDou0zxZhGv7NGW8O+Q6UwqqWDpW89DE+Zc6utF6h3k+0 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAK1wUFCtJXHA/2dsb2JhbABFu0CBB4IgAQEBAwEBAQEPARRHCwUHBAIBCBEEAQEBJwcnCxQJCAIEDgUih2UGC5t0oEAEixCFYmADlV+ONoFpgmY
X-IronPort-AV: E=Sophos;i="4.80,408,1344211200"; d="scan'208";a="117751406"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-9.cisco.com with ESMTP; 12 Sep 2012 11:28:11 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id q8CBSBm5014475 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 12 Sep 2012 11:28:11 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.159]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.02.0318.001; Wed, 12 Sep 2012 06:28:11 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Gaurav Halwasia (ghalwasi)" <ghalwasi@cisco.com>
Thread-Topic: [dhcwg] Reg RFC6704 (Forcerenew Nonce Authentication)
Thread-Index: AQHNkE8ckuiEXtYUDkaNnWZTSjI1wpeF7kOA////THCAACcbAIAAD8pAgABuTuE=
Date: Wed, 12 Sep 2012 11:28:10 +0000
Message-ID: <5F34B086-D5C8-4628-AAE4-1D3CBDEDF24E@cisco.com>
References: <90903C21C73202418A48BFBE80AEE5EB19241E49@xmb-rcd-x06.cisco.com> <CC756F01.221C%volz@cisco.com>, <90903C21C73202418A48BFBE80AEE5EB19242188@xmb-rcd-x06.cisco.com>
In-Reply-To: <90903C21C73202418A48BFBE80AEE5EB19242188@xmb-rcd-x06.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19178.005
x-tm-as-result: No--51.373700-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, "<curtis@occnc.com>" <curtis@occnc.com>
Subject: Re: [dhcwg] Reg RFC6704 (Forcerenew Nonce Authentication)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 11:28:13 -0000

3318 --> 3118. Sorry for typo.

- Bernie

On Sep 12, 2012, at 1:03 AM, "Gaurav Halwasia (ghalwasi)" <ghalwasi@cisco.com> wrote:

> Hi Ted, Bernie,
> 
> Thanks for your thoughts. I think nobody can deny (including me) at this point of time that our focus should be on IPv6 and we should be willing to drop any minor DHCPv4 nits. I am with you on this. 
> 
>> It is interesting that RFC 3315 accommodates Information-Request; not sure why RFC 6704 didn't - I would guess because RFC 3318 didn't.
> 
> Are you sure you are referring to the correct spec. (3318.?) In case you meant RFC3203, I wanted to clarify that original Forcerenew spec indeed accommodates DHCP INFORM triggered by Forcerenew as RFC 3315 accommodates Information-Request. So i was surprised to find no reference of INFORM in 6704. This is want I wanted to clarify.  I am not particularly stressing to take this work right now but  still finding it little confusing to find that as per current standards we are saying that we can use Forcerenew Nonce Authentication for RENEW triggered by FORCERENEW but we still have to use original DHCP authentication for INFORM triggered by FORCERENEW.
> 
> Anyways thanks for your clarifications.
> 
> Thanks,
> Gaurav
> -----Original Message-----
> From: Bernie Volz (volz) 
> Sent: Wednesday, September 12, 2012 8:27 AM
> To: Gaurav Halwasia (ghalwasi); Ted Lemon; <curtis@occnc.com>
> Cc: dhcwg@ietf.org
> Subject: Re: [dhcwg] Reg RFC6704 (Forcerenew Nonce Authentication)
> 
> Just to extend Ted's comments a bit - one issue is how long does the server keep the information for the Inform only clients. When the reconfigure-key is associated with a lease, we have a lease time; there is no such item for Inform. This could be tied to draft-halwasia-dhc-inform-refresh-time-opt (obviously it should be kept longer than the refresh time), but that work might also reduce the need for this -- at least it bounds the period where information may be stale.
> 
> While in theory having Reconfigure for Inform isn't a bad concept, it just strikes me as overkill - do we really have a problem? Especially for IPv4 which we hope deprecate.
> 
> I'm also not sure how many clients do just Informs Š yes, there are lots of clients that do send Informs but they've usually also done Discover/...
> 
> It is interesting that RFC 3315 accommodates Information-Request; not sure why RFC 6704 didn't - I would guess because RFC 3318 didn't.
> 
> - Bernie
> 
> On 9/11/12 9:45 PM, "Gaurav Halwasia (ghalwasi)" <ghalwasi@cisco.com>
> wrote:
> 
>> Hi Ted,
>> 
>> Thanks for your comments.
>> 
>> I am talking about a deployment where we do create *session* database 
>> for hosts either based upon DHCP packet (Discover) or the normal IP 
>> packet in case few of the hosts has not done DHCP but instead has just 
>> DONE DHCP INFORM to get the config parameters. So in this kind of 
>> deployment we do anyways maintain the session(or binding in terms of 
>> DHCP) database on the box. Having said that I don't think storing 
>> client information is a problem (at least in this deployment). The only 
>> extra thing which we would need to store is a 'nonce'.
>> So I think it will be really useful to have nonce in INFORM-ACK 
>> callflow as it will also help in the usability of Forcerenew as per 6704.
>> 
>> Thanks,
>> Gaurav
>> 
>> -----Original Message-----
>> From: Ted Lemon [mailto:Ted.Lemon@nominum.com]
>> Sent: Wednesday, September 12, 2012 2:09 AM
>> To: <curtis@occnc.com>
>> Cc: Gaurav Halwasia (ghalwasi); dhcwg@ietf.org
>> Subject: Re: [dhcwg] Reg RFC6704 (Forcerenew Nonce Authentication)
>> 
>> I didn't say that FORCERENEW for DHCPINFORM clients was hard.   I said it
>> would impact performance.   We would go from DHCPINFORM being a
>> lightweight read-only operation to a heavyweight read/write operation.
>> I guess we could forgo the sync-before-ack logic of stateful DHCP, but 
>> this would add a lot of complexity to a performance-critical code section.
>> 
>> So yeah, from an implementation point of view, I don't really like this
>> idea.   It seems trivial until you think about the impact it has either
>> on performance or on implementation complexity.   If there's strong
>> demand for it with a clear use case, then I think that's fine.    I
>> wasn't able to tease one out of your rather dense message-could you try 
>> to state your use case in a short paragraph or two?
>> 
>> _______________________________________________
>> dhcwg mailing list
>> dhcwg@ietf.org
>> https://www.ietf.org/mailman/listinfo/dhcwg
>

v2.23.0 | Report a Bug | By Email