Re: [dhcwg] WGLC for draft-ietf-dhc-addr-notification - Respond by September 13, 2023

David Farmer <farmer@umn.edu> Mon, 25 September 2023 14:13 UTC

MIME-Version: 1.0
References: <CAJgLMKvATJP78ONPc8f6kG2eNWq83XCTSdvRLVGKWB26JGrANQ@mail.gmail.com> <1E185C09-B45E-4B1E-81F8-3CB6141B9881@employees.org> <CAJgLMKtYy2U1vScQoW4eWD3sLipeUTak7BqkELXZ61=6_cKJDQ@mail.gmail.com>
In-Reply-To: <CAJgLMKtYy2U1vScQoW4eWD3sLipeUTak7BqkELXZ61=6_cKJDQ@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Mon, 25 Sep 2023 09:13:19 -0500
Message-ID: <CAN-Dau3NUUxjFsEJeo8qB+1w0Y3C48e_82UC0WqQeiJaHMpUkQ@mail.gmail.com>
To: Timothy Winters <tim@qacafe.com>
Cc: Ole Trøan <otroan@employees.org>, dhcwg <dhcwg@ietf.org>, Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/cYoJnD1z1116gAirchlYw-xbYKk>

So, even with IPv4, DHCP isn't completely authoritative. Static assignments
are missing. Nevertheless, many people find DHCP tracking to be
operationally sufficient. However, we both scrape ARPs out of routers and
use DHCP logging. DHCP logging provides additional information that is not
easily available from the routers even though it is not
completely authoritative.

It's only speculation, but it seems like this could also be operationally
sufficient for many. However, similar to DHCP, adding to ARP information, I
believe this would provide additional information not easily available from
ND scraping of the routers, even though it is only voluntary.

Thanks.

On Mon, Sep 25, 2023 at 8:44 AM Timothy Winters <tim@qacafe.com> wrote:

> Hi Ole,
>
> We have had some operators' interests in this solution over
> scraping switches and routers. I think it would be helpful to hear from
> network operators or DHCPv6 server solutions about how viable and
> deployable this solution is.
>
> ~Tim
>
> On Sat, Sep 23, 2023 at 4:08 AM Ole Trøan <otroan@employees.org> wrote:
>
>> Thanks Tim,
>>
>> I do wonder if it’s not worth doing a complete retake of this proposal.
>>
>> If the operator requirement is to know which address has been in use in
>> the network by which device at any point in time, then that cannot be
>> guaranteed with this mechanism. Existing first-hop security mechanisms in
>> switches and routers would be much more robust.
>>
>> O.
>>
>> On 22 Sep 2023, at 22:22, Timothy Winters <tim@qacafe.com> wrote:
>>
>> Hi Everyone,
>>
>> The working group had some great discussion about this document during
>> the WGLC.    Based on the discussion it didn't pass WGLC at this time.  It
>> will mostly need another round of discussion and potentially a revision
>> based on those discussions.
>>
>> Additionally, Bernie and I discussed and think it's a good idea to wait
>> to ask IANA for early code points until we have passed WGLC.
>>
>> Regards,
>> Tim
>>
>> On Thu, Sep 14, 2023 at 3:16 PM Bernie Volz <bevolz@gmail.com> wrote:
>>
>>> An interesting question may be do we need new messages at all? Using
>>> Information Request / Reply with new option is perhaps cleanest?
>>> - existing clients can do what they do today
>>> - existing servers (and relays or other snoopers) will not know option
>>> so ignore (hopefully silently)
>>> - existing servers only see “more” Information-Request for clients not
>>> supporting this new work when enabling O-bit to request address
>>> registrations
>>> - “new” clients that do SLAAC when O-bit set and did support
>>> Information-Request can do initial registration in first message (or send
>>> when address assigned) and do periodic updates (perhaps even ask for other
>>> options via ORO to refresh information) … they may actually have no more
>>> messages than today (well, except if they have multiple SLAAC addresses as
>>> need to use a separate Information-Request for each) … they could also
>>> decouple previous and new behavior at increase in traffic.
>>> - registration only clients that did not use Information-Request
>>> previously add new traffic … which is exactly what we want
>>>
>>> The only downside is it kind of overloads Information-Request as it is
>>> now also a client to server communication. Though the client already can
>>> send information to server in Information-Request (user class, vendor
>>> class, vendor information, …). And, we could say the client is asking
>>> whether the server supports registration (by getting new option in Reply).
>>>
>>> Note: It may be worth thinking about making use of the new “registration
>>> address” option’s encapsulated options field if client wants to send other
>>> information (such as fqdn). This isn’t really bad as this is likely address
>>> specific and any server that wanted to do something with this data needs
>>> updating anyway. This keeps all of the registration information hidden from
>>> those devices that don't know that registration option.
>>>
>>> Anyway, this is now a very good reason to hold off on early assignment
>>> for message types (and likely say WGLC failed).
>>>
>>> - Bernie (from iPad)
>>>
>>> On Sep 14, 2023, at 2:32 PM, Bernie Volz <bevolz@gmail.com> wrote:
>>>
>>> Hi:
>>>
>>> (Just catching up and responding to this as was asked specifically…there
>>> could have been more I haven’t yet read.)
>>>
>>> 8415bis only prohibits IA options in Information-Request
>>>
>>> 16.12.  Information-request Message
>>>
>>>    Clients MUST discard any received Information-request messages.
>>>
>>>    Servers MUST discard any received Information-request message that
>>>    meets any of the following conditions:
>>>
>>>    *  the message includes a Server Identifier option (see
>>>       Section 21.3), and the DUID in the option does not match the
>>>       server's DUID.
>>>
>>>    *  the message includes an IA option.
>>>
>>>
>>> I wonder however if having an Address Registration option specifically
>>> would be better (the Information-Request and new registration request could
>>> use this instead of IA_Addr option). This might avoid an overly aggressive
>>> server or relay that checks the Information-Request or its Reply for
>>> options from doing odd things if it sees the IAAddr. If we’re trying to
>>> make things safe, this may be best. Note also that it may help other
>>> devices in the path that may want to snoop for this data. (But it could
>>> have downside if any “options” are developed as then those specifications
>>> would need to determine if they are also allowed in this new address
>>> option).
>>>
>>>
>>> On a separate note, one issue the current draft may need to document and
>>> is a consideration is that when O-bit (RA) and A-bit (PIO) is set, a
>>> registration only server should really support Information-Request as it
>>> will also get lots of those from clients that support DHCPv6 - it may just
>>> send back a pretty empty Reply.
>>>
>>> By using Ted’s suggestion of using Information-Request, it would be
>>> natural for registration only to be implemented at least sufficiently to
>>> send a well-formed Reply even when it is not an address registration request.
>>>
>>> It seems like a clever idea to use Information-Request at least for
>>> initial determination of support.
>>> - it avoids extra packets.
>>> - client could honor server’s INF_MAX_RT to reduce frequency of probing
>>> (likely periodic probing is not a bad idea).
>>>
>>>
>>> - Bernie (from iPad)
>>>
>>> On Sep 14, 2023, at 11:29 AM, Lorenzo Colitti <lorenzo@google.com>
>>> wrote:
>>>
>>> On Fri, Sep 15, 2023 at 12:22 AM Ted Lemon <mellon@fugue.com> wrote:
>>>
>>>> What I think would be most expedient (if we must use DHCP to probe for
>>>> support of address registration) would be to do the first address
>>>> registration as an information request with the additional information in
>>>> the information request, using the source address being registered. If the
>>>> reply that comes back confirms the address registration, then all
>>>> subsequent address registrations on this link would be sent as address
>>>> registrations.
>>>>
>>>
>>> Well, but if we can come up with a reasonable way to represent an
>>> address registration using an information-request packet, then why not make
>>> all registrations be information-request packets?
>>>
>>> +Bernie Volz <bevolz@gmail.com> any thoughts on using
>>> information-request and reply messages, instead of the new addr-reg-inform
>>> and addr-reg-reply messages currently defined in the draft?
>>>
>>> _______________________________________________
>>> dhcwg mailing list
>>> dhcwg@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
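The thread above turns on two points of DHCPv6 message handling: the RFC 8415bis Section 16.12 rules that make a server discard an Information-request carrying a foreign Server Identifier DUID or any IA option, and Bernie's observation that a server which does not know a new address-registration option will simply skip it. The following Python is an added example written for this page (it is not code from the draft, from RFC 8415bis, or from any DHCPv6 server) that encodes and parses the message/option TLV layout and applies exactly those checks. The DUIDs, the registered address and the option code 0xFFFE used for the registration option are constructed placeholders; the draft's real option code would be assigned by IANA and is not given in the thread.

```python
"""Added example: DHCPv6 Information-request validation per RFC 8415bis 16.12.

Not code from the dhcwg thread, the draft, or any DHCPv6 implementation.
The address-registration option code below is a constructed placeholder.
"""
import struct

# Message type and option codes from RFC 8415.
MSG_INFORMATION_REQUEST = 11
OPTION_CLIENTID = 1
OPTION_SERVERID = 2
OPTION_IA_NA = 3
OPTION_IA_TA = 4
OPTION_IA_PD = 25
IA_OPTIONS = {OPTION_IA_NA, OPTION_IA_TA, OPTION_IA_PD}

# Placeholder standing in for the address-registration option discussed in the
# thread. This is NOT an IANA assignment; it exists only to show how a server
# that does not know the option behaves versus one that does.
OPTION_ADDR_REG_PLACEHOLDER = 0xFFFE


def encode_option(code, data):
    """Option TLV: 2-byte option-code, 2-byte option-len, then option-data."""
    return struct.pack("!HH", code, len(data)) + data


def build_message(msg_type, transaction_id, options):
    """Client/server message: 1-byte msg-type, 3-byte transaction-id, options."""
    header = struct.pack("!I", (msg_type << 24) | (transaction_id & 0xFFFFFF))
    return header + b"".join(encode_option(c, d) for c, d in options)


def parse_message(raw):
    """Return (msg_type, transaction_id, [(code, data), ...]); raise on malformed input."""
    if len(raw) < 4:
        raise ValueError("short message")
    (head,) = struct.unpack("!I", raw[:4])
    msg_type, transaction_id = head >> 24, head & 0xFFFFFF
    options, pos = [], 4
    while pos < len(raw):
        if len(raw) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", raw[pos:pos + 4])
        pos += 4
        if len(raw) - pos < length:
            raise ValueError("option length exceeds message")
        options.append((code, raw[pos:pos + length]))
        pos += length
    return msg_type, transaction_id, options


def is_well_formed(raw):
    """True if the TLV chain parses cleanly, False otherwise."""
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def server_accepts_information_request(raw, server_duid, known_options):
    """Apply the Section 16.12 server discard rules to an Information-request.

    Returns (accepted, reason, recognized_options). Options whose code is not
    in known_options are dropped from recognized_options, modelling a server
    that silently ignores an option it predates.
    """
    msg_type, _, options = parse_message(raw)
    if msg_type != MSG_INFORMATION_REQUEST:
        return False, "not an Information-request", []
    recognized = []
    for code, data in options:
        if code == OPTION_SERVERID and data != server_duid:
            return False, "Server Identifier DUID does not match", []
        if code in IA_OPTIONS:
            return False, "IA option present", []
        if code in known_options:
            recognized.append((code, data))
    return True, "ok", recognized


# Constructed sample values (DUID-LL form; not real devices).
CLIENT_DUID = bytes.fromhex("00030001020000000001")
SERVER_DUID = bytes.fromhex("00030001020000000002")
SAMPLE_ADDR = bytes.fromhex("20010db8000000000000000000000001")

LEGACY_SERVER_OPTIONS = {OPTION_CLIENTID, OPTION_SERVERID}
NEW_SERVER_OPTIONS = LEGACY_SERVER_OPTIONS | {OPTION_ADDR_REG_PLACEHOLDER}


def registration_request():
    """Information-request carrying a client ID and the placeholder registration option."""
    return build_message(MSG_INFORMATION_REQUEST, 0x123456,
                         [(OPTION_CLIENTID, CLIENT_DUID),
                          (OPTION_ADDR_REG_PLACEHOLDER, SAMPLE_ADDR)])


if __name__ == "__main__":
    msg = registration_request()
    print("legacy server:", server_accepts_information_request(msg, SERVER_DUID, LEGACY_SERVER_OPTIONS))
    print("new server:   ", server_accepts_information_request(msg, SERVER_DUID, NEW_SERVER_OPTIONS))
```

Running it shows the behaviour the thread relies on: a legacy server accepts the message but sees only the Client Identifier, while a server that knows the placeholder option also sees the registered address. Adding an IA_NA option or a Server Identifier with someone else's DUID flips the result to a discard, which is why the thread prefers a dedicated registration option over reusing IA_Addr inside an Information-request.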