Re: [dhcwg] Martin Duke's Discuss on draft-ietf-dhc-v6only-05: (with DISCUSS and COMMENT)
Jen Linkova <furry13@gmail.com> Thu, 30 July 2020 03:47 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE2993A0C79; Wed, 29 Jul 2020 20:47:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id isaOPQ_iu0n3; Wed, 29 Jul 2020 20:47:34 -0700 (PDT)
Received: from mail-qk1-x741.google.com (mail-qk1-x741.google.com [IPv6:2607:f8b0:4864:20::741]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0B8C3A0C76; Wed, 29 Jul 2020 20:47:33 -0700 (PDT)
Received: by mail-qk1-x741.google.com with SMTP id l64so17655007qkb.8; Wed, 29 Jul 2020 20:47:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=QhmUNqvhquLGzVO6Ge0JGj/uDuqMP6KwEdkPpqeN5+A=; b=Tkz7fFVbkJjab3eDx/fCQgfz1aitLo0M4sFdjLN3enMCSGOWWGDPfBX6TvIvonWLmT 8O+TT+o3mprcGwgmce6CHsqHZH/LYzofMQhl822Srd+F5pq/CizJ4gU8RZHPBerQaFNC LQ6PDOTzCtd9UocDCv/Fudcdls3tnuAaqwESvnc3IvscfKRokRWqAC0dCWjdALOxdY13 yz6Qs9aoDkkOnIziejyDXyccZE7iUVYvWU3DB1NYEmA7y8SNgQB4ZVqdM5Br9ItNBten YEjg+w59+n+sXfT7caQCk2ViLXwD2gMQK7g2Go09Wk0PuUmkBKnsw5wfA0BDX4PZwH+P AEig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=QhmUNqvhquLGzVO6Ge0JGj/uDuqMP6KwEdkPpqeN5+A=; b=Zwzp3RoHf3sTvhyN9iXBbQC45HjY7UQNmG0GHCqhBxmkU3ZYwIqt49O78p8CcNazQY 0zAeQg0D+13xavKD7XkCr5N82ncotKvMEaBz+AHjoyOncwg03Sz9yGVTRdHFAAoPJvJF PCBNX01FnIlx/es+2IOpPafermIhHndVlmUxVPPsw9WFhjkW4JUmpc/FAeZe/0y/4AF6 8zrc7UGU4C3s5M91Eox7+EBxWF+nyMCorC+8NAtzme3Ia7l5Icu8GgWDhTkiiE99YwlX FvtKdCCUpE8SRoMw/2CAJ8Ry2+Zc8+ON5d72eNEPXuz8pm4ZEKY/gz7BkYJdNSSqQqPY RTIg==
X-Gm-Message-State: AOAM533+/S+6rLzcJEzVorpFYjbg1HMjCYgmLgEHWRDKu/o901XS87xE MHx+fDUE/47OKkv7WeiLBLt2N/C9ASF6037ULnU=
X-Google-Smtp-Source: ABdhPJxjVVf4QkfiLeupvmVnZeN6hEJs4g+V016zERgmPZJyZ2E4vnfUqWE/dlxDxnO0Y3+xxO0/k0WskuzZ9wcrzdA=
X-Received: by 2002:a37:9c4b:: with SMTP id f72mr30179836qke.332.1596080852856; Wed, 29 Jul 2020 20:47:32 -0700 (PDT)
MIME-Version: 1.0
References: <159606370302.11342.6386305944714261698@ietfa.amsl.com> <CAFU7BATqgZBJs5MaE-C9b6N28=bFS1m4rJQxpVEYX3y29NOFRg@mail.gmail.com> <CAM4esxSGf8fnnMn_JJqPjyns2+jG9nbPXH8ewo_eV0Qra-2u4w@mail.gmail.com>
In-Reply-To: <CAM4esxSGf8fnnMn_JJqPjyns2+jG9nbPXH8ewo_eV0Qra-2u4w@mail.gmail.com>
From: Jen Linkova <furry13@gmail.com>
Date: Thu, 30 Jul 2020 13:47:21 +1000
Message-ID: <CAFU7BASLzWfXLxtLWtYn1nsuW7CMnPNwe_X4yK976dt908a5KQ@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: draft-ietf-dhc-v6only@ietf.org, dhcwg@ietf.org, "Bernie Volz (volz)" <volz@cisco.com>, dhc-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/anz32GMdd8UCjq9nIxV4gwpqk1I>
Subject: Re: [dhcwg] Martin Duke's Discuss on draft-ietf-dhc-v6only-05: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 03:47:37 -0000
On Thu, Jul 30, 2020 at 1:09 PM Martin Duke <martin.h.duke@gmail.com> wrote: >> How about we change the first paragraph of the Security Considerations >> (https://tools.ietf.org/html/draft-ietf-dhc-v6only-05#section-6) to: >> >> "An attacker might send a spoofed DHCPOFFER containing IPv6-only >> Preferred option with the value field set to 0xffffffff, disabling >> DHCPv4 on clients supporting the option. If the network is IPv4-only >> such clients would lose connectivity, while on a dual-stack network >> without NAT64 service only connectivity to IPv4-only destinations >> would be affected. The recovery would require triggering a network >> attachment event. However it should be noted that if the network does >> not provide protection from a rogue DHCPv4 server the similar attack >> vector can be executed by setting the Lease Time option value field to >> 0xffffffff. The latter attack would also affect hosts without >> IPv6-only Preferred option support. Therefore the security measures >> against rogue DHCPv4 servers would be sufficient to prevent the >> attacks specific to IPv6-only Preferred option." > > > I would be satisfied with that additional text to close the DISCUSS. Great, the text above will be added to -06 which I'll submit close to the next Telechat date so more feedback could be incorporated. >> > Sec 3.1 In client-generated messages, what is in the "Value field"? I presume >> > this is one of those "client MUST set to zero and server MUST ignore" cases? >> >> The client does not send the full option. The client includes the >> option code into the Parameter Request List option (see >> https://tools.ietf.org/html/draft-ietf-dhc-v6only-05#section-3.2). >> > > Oh wow, that is very subtly worded so I totally missed that. Sorry! If this is very much the pattern for other DHCP options (client uses a code, server has a full option) then carry on; if it's not the pattern, a little text in version 3.1 that only servers send this would be helpful. I've updated the Code field description in Section 3.1 with the following text: "The client includes the Code in the Parameter Request List in DHCPDISCOVER and DHCPREQUEST messages as described in Section 3.2." I hope this text makes it more explicit that the client is not sending the full option. -- SY, Jen Linkova aka Furry
- [dhcwg] Martin Duke's Discuss on draft-ietf-dhc-v… Martin Duke via Datatracker
- Re: [dhcwg] Martin Duke's Discuss on draft-ietf-d… Jen Linkova
- Re: [dhcwg] Martin Duke's Discuss on draft-ietf-d… Jen Linkova
- Re: [dhcwg] Martin Duke's Discuss on draft-ietf-d… Ms. Li HUANG
- Re: [dhcwg] Martin Duke's Discuss on draft-ietf-d… Lorenzo Colitti
- Re: [dhcwg] Martin Duke's Discuss on draft-ietf-d… Jen Linkova