Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)
"Templin, Fred L" <Fred.L.Templin@boeing.com> Thu, 25 August 2016 19:53 UTC
Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6873112D0A0 for <dhcwg@ietfa.amsl.com>; Thu, 25 Aug 2016 12:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LNU0ovFN0WL8 for <dhcwg@ietfa.amsl.com>; Thu, 25 Aug 2016 12:53:31 -0700 (PDT)
Received: from ewa-mbsout-02.mbs.boeing.net (ewa-mbsout-02.mbs.boeing.net [130.76.20.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 550EB12B040 for <dhcwg@ietf.org>; Thu, 25 Aug 2016 12:53:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by ewa-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id u7PJrUx7032782; Thu, 25 Aug 2016 12:53:30 -0700
Received: from XCH15-05-01.nw.nos.boeing.com (xch15-05-01.nw.nos.boeing.com [137.137.100.58]) by ewa-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id u7PJrOpE032357 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Thu, 25 Aug 2016 12:53:25 -0700
Received: from XCH15-05-05.nw.nos.boeing.com (2002:8989:6450::8989:6450) by XCH15-05-01.nw.nos.boeing.com (2002:8989:643a::8989:643a) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 25 Aug 2016 12:53:24 -0700
Received: from XCH15-05-05.nw.nos.boeing.com ([137.137.100.80]) by XCH15-05-05.nw.nos.boeing.com ([137.137.100.80]) with mapi id 15.00.1178.000; Thu, 25 Aug 2016 12:53:24 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Ted Lemon <mellon@fugue.com>
Thread-Topic: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)
Thread-Index: AdHz4kyO7hzDfzYnSfqWBjHhBsGHFqBGDGeAgAA+lwCAAAn1AIAEKdgAgAH3pgCAAcHfgIABdYgAgAADMICAAPbYAIAGuH0AgAAcCACAAGAdAIAAvucAgAAFvoCAABCsgIAAAW4AgAANBwCgRB0kAL94U6OAgAB0uWD//7EwAIABOJWAgABgDKD//7oDgIAAY22g
Date: Thu, 25 Aug 2016 19:53:24 +0000
Message-ID: <f3f1af6232194fb88703237bc55d8be3@XCH15-05-05.nw.nos.boeing.com>
References: <92dcf2e0cf08452caa5861f7258ea6c5@XCH15-05-05.nw.nos.boeing.com> <201608121919.u7CJJqcS056876@givry.fdupont.fr> <c5303eef3c124228825f32a40f229107@XCH-ALN-003.cisco.com> <ccaff4d4cb5c4eefb05eee0660c2611c@XCH15-05-05.nw.nos.boeing.com> <f46aa91e4cfb41b29dd2d8186f5959f8@XCH-ALN-003.cisco.com> <ba1c8ff573d7466b8c437373e05f1023@XCH15-05-05.nw.nos.boeing.com> <b65e1dd66b634240b3ca164b2c04c20a@XCH15-05-05.nw.nos.boeing.com> <CAJE_bqfb5sxOpkTEXkwZXckKBWof7U1-W6EFzCHk7ijnMjpMMA@mail.gmail.com> <5ec83aaf4e76497aa4b4d465483bdcf5@XCH15-05-05.nw.nos.boeing.com> <CAJE_bqeKqEgLVC2ZZyUCjsrPP5_suRJ8en2NC+g13Q5PyQL1iw@mail.gmail.com> <30c9413c4662476096ef087ac88f6314@XCH-ALN-003.cisco.com> <dc9d2c300d574732a12f7f366f6223c0@XCH15-05-11.nw.nos.boeing.com> <3A5F0B79-8C76-4E82-97E9-FA63657DE6C3@cisco.com> <CAJ3w4NdjgVxvnvuaWjGM=qtOe0qUq4N96fVXsbNrf=YkhiABbQ@mail.gmail.com> <2f45b99b50f84b1280e92ad824e39e26@XCH15-05-05.nw.nos.boeing.com> <9E9A9543-ECB0-4D99-A00F-1AAD813B6522@fugue.com> <091180442e44490ba451874d1543f814@XCH15-05-05.nw.nos.boeing.com> <CAPt1N1=pD7TBrU_NnuyGz61+CiUVp0JiyLLfMUKTz_dgnO59QQ@mail.gmail.com> <AF387F3E-1B64-4E5D-BAF7-EB5BF3ED1EB4@cisco.com> <55dcbc0cd1484fffa264b18b2fc3322c@XCH15-05-05.nw.nos.boeing.com> <122453F6-3987-46D4-89EB-84AF99402BC3@cisco.com> <dd827ec92b874ad8a188b17f44392c54@XCH15-05-05.nw.nos.boeing.com> <438d610f19da4f7aa39fb70a7dc11513@XCH15-05-05.nw.nos.boeing.com> <2279C5E3-0D51-4631-AFC9-DAF05339D21D@cisco.com> <d6f8ed9bdfc8461aa463e6542269ccda@XCH15-05-05.nw.nos.boeing.com> <CAPt1N1nTHJm44KR1SBg=ohj8HfKO+yLna+b+95FPocTjcuuwbQ@mail.gmail.com>
In-Reply-To: <CAPt1N1nTHJm44KR1SBg=ohj8HfKO+yLna+b+95FPocTjcuuwbQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.137.12.6]
Content-Type: multipart/alternative; boundary="_000_f3f1af6232194fb88703237bc55d8be3XCH150505nwnosboeingcom_"
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/bZEJUJKz5irR9o2Lp9wsyrsvu8M>
Cc: dhcwg <dhcwg@ietf.org>, "Bernie Volz (volz)" <volz@cisco.com>
Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 19:53:34 -0000
Hi Ted, Thanks for the outside-the-box thinking on this. But, maybe this can be even easier than what you are suggesting. I don’t want the relay to receive the client’s information directly from the client – I want for the server to first authenticate the client’s message and then loop the client information back to the relay. That way, the relay knows that it can trust the information since the server has already authenticated it. So, is there a way for the relay to include an ORO or something like that to convince the server to loop the client-supplied option back in the Relay-Reply message to the relay? If yes, then that piece of the puzzle is solved. But, that still leaves us with resurrecting RAAN and how we would go about doing that? Thanks - Fred From: Ted Lemon [mailto:mellon@fugue.com] Sent: Thursday, August 25, 2016 11:14 AM To: Templin, Fred L <Fred.L.Templin@boeing.com> Cc: Bernie Volz (volz) <volz@cisco.com>; dhcwg <dhcwg@ietf.org> Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis) Fred, if we allow a non-encrypted mode, that will be the only mode that is universally implemented. That is why the consensus was to only define a standard for the encrypted mode. You are asking us to compromise rather drastically on that for the benefit of your protocol, which as far as I know has no real-world deployments that require interop, and is not on track to become a standard. I don't mean to say that what you want doesn't matter, but neither is it the case that you have said anything to justify overturning the working group consensus on this. So instead, the right thing to do is to figure out a way to get what you want without requiring the working group to change its consensus. If what you want is for the client to be able to communicate preferences to the relay, something similar to the relay-supplied options option would do the trick, only sent from the client rather than the relay. On Thu, Aug 25, 2016 at 2:08 PM, Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote: Hi Bernie, VPN clients may need to configure their virtual interfaces over multiple underlying physical interfaces (e.g., WiFi, Cellular, SATCOM, etc.) – each with its own IP address. The relay then sees the client as a single network layer entity with multiple link-layer addresses. So, the client needs to have some way to tell the relay about its preferences for each of the underlying interfaces. The client does this by including an option with the preference values that the relay then needs to snoop in-the-clear, i.e., and not encrypted. Thanks – Fred fred.l.templin@boeing.com<mailto:fred.l.templin@boeing.com> From: Bernie Volz (volz) [mailto:volz@cisco.com<mailto:volz@cisco.com>] Sent: Thursday, August 25, 2016 9:41 AM To: Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> Cc: dhcwg <dhcwg@ietf.org<mailto:dhcwg@ietf.org>>; Ted Lemon <mellon@fugue.com<mailto:mellon@fugue.com>> Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis) Please explain what else the relay needs to know. - Bernie (from iPhone) On Aug 25, 2016, at 9:34 AM, Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote: Hi, on further consideration RAAN options alone are not sufficient for my needs. For my needs, the relay has to be able to inspect the contents of both the client’s messages to the server and the server’s messages to the client. And, it is about more than just IA_NA and IA_PD. The use case is VPN clients connecting in to a secured home network then using DHCPv6 to obtain prefixes and/or addresses. So, the client comes in across a secured link where there is no concern for eavesdropping, but the client still needs to prove to the server that it is authorized to receive the requested addresses/prefixes. In that case, when we can say that the link is secured against eavesdropping, then there is a use case for authentication-only DHCPv6 security. Thanks – Fred fred.l.templin@boeing.com<mailto:fred.l.templin@boeing.com> From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Templin, Fred L Sent: Wednesday, August 24, 2016 12:51 PM To: Bernie Volz (volz) <volz@cisco.com<mailto:volz@cisco.com>> Cc: dhcwg <dhcwg@ietf.org<mailto:dhcwg@ietf.org>>; Ted Lemon <mellon@fugue.com<mailto:mellon@fugue.com>> Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis) Can we dust this off and insert it back into the process? Thanks - Fred From: Bernie Volz (volz) [mailto:volz@cisco.com] Sent: Wednesday, August 24, 2016 12:46 PM To: Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> Cc: Ralph Droms (rdroms) <rdroms@cisco.com<mailto:rdroms@cisco.com>>; Ted Lemon <mellon@fugue.com<mailto:mellon@fugue.com>>; dhcwg <dhcwg@ietf.org<mailto:dhcwg@ietf.org>> Subject: Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc3315bis) Note that latest version of that draft is https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-agentopt-delegate-04. Also, 03 used the https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-srsn-option-02 draft to address out of order issues. Don't recall why 04 removed this and whether there were other issues still unresolved - though I think there were. Sadly there is no change log to indicate changes made in each rev, so we will need to review the email dialog and meeting minutes around the time of these drafts to determine open issues & how to move forward. I think interest died because cable (cmts) just started to snoop the client packets. This actually doesn't resolve out of order issues, though I think those have not caused any known problems. So while in theory they could be, in practice they are not. - Bernie (from iPhone) On Aug 24, 2016, at 11:26 AM, Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote: draft-draft-droms-dhc-dhcpv6-agentopt-delegate-00.txt
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… 神明達哉
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… 神明達哉
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Francis Dupont
- [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rfc331… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Lishan Li
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ted Lemon
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ted Lemon
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ted Lemon
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ralph Droms (rdroms)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ted Lemon
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ted Lemon
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Ted Lemon
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Bernie Volz (volz)
- Re: [dhcwg] Citing 'draft-ietf-dhc-secdhcpv6' (rf… Templin, Fred L