IETF Logo Mail Archive

Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

Ted Lemon <mellon@fugue.com> Sat, 13 August 2022 14:25 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55642C157B41 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:25:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6SaQur_-S3rV for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:25:30 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58920C157B37 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:25:30 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id m5so2736077qkk.1 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:25:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=U5JMYlm89QpQnYxR4IkTlZFOnGZfxUIgEHRI7d9ak5I=; b=XbE1DtQMZ16WpFHiEBLsUgS48MkJ+faoKPQpW6WQkRurSYfS4mpCEtdwqLJ0ry0+BR 0dXMkJw8jrvIBcrxp+dEVmON9dYMwvx+IA9yh60OYK5YSOvlK7ncBJkXZN+jhRxNJEEE 8aX9GrtldPJfV44suRN85bCTrwBJKbA5QRSCbs2r/z/i8+/AvU77R/QG1p17+8fm67A9 dZjoA8nLZA0r3QRS7GO2YssUKEVJclJRq4rZ/XPPVdF9O2Anz9npy0PJQ+tgyBfmWmHq 3FZKJ9jkEAyDBEnYsNIfxWCDnxZbnsFQjRps9d4mSJikLXXIWkgHGRoXP17KOh8l6Tnd fi6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=U5JMYlm89QpQnYxR4IkTlZFOnGZfxUIgEHRI7d9ak5I=; b=OdwkypPCzElhY8fRN8036ZmmhuPPJxI8gP2uLZqOfT1R2XLiwvUTbv9kmdKqAv9Kvv nr5Ncz4WEmlWEYHemcuG5/xpLSFrl20W6SKsbJu2Cx8CVH6SnvEw1i69c2agws1pWjbk /Lm/OnaZLwxOz/xfWCzZeGXlRp7MIv89pdWZpaA92RvTDyZlbLflx7AWW0jQamDdJuRM +kViD633kviF5ygaYh8gDznM3fqcLs3ZTXhxgCZ81V2EYTL0MND2RLR9pG17KA8JYfw5 x8THaq0b/y4B4LEECQQy/QyTuYenN/02ZJ7iolwrrz+Y+MO52/L1wVNvG1pIUymjuaJl 4B5A==
X-Gm-Message-State: ACgBeo2oETISOX0rvSbohY90A8XAVGujfdlLWUQOesDMy6tkBccXHpFK bkF8aS3Q4AK4Ea1jGhNFZ+GlsyvlYcxUwA==
X-Google-Smtp-Source: AA6agR7Ww2CR4lKljqApSb+QzWmlXZJoVO5FHa43IDS5kB9WA4FZWzD5ZOQNcxYs0X+lBk5SuvO6GA==
X-Received: by 2002:a05:620a:c43:b0:6a9:77ef:e000 with SMTP id u3-20020a05620a0c4300b006a977efe000mr6348883qki.396.1660400729134; Sat, 13 Aug 2022 07:25:29 -0700 (PDT)
Received: from smtpclient.apple ([2601:18b:300:3380:755d:42f7:429a:7771]) by smtp.gmail.com with ESMTPSA id gb6-20020a05622a598600b00342fa1f4a10sm3907246qtb.61.2022.08.13.07.25.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 07:25:28 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-CD0D8894-7816-49E7-91F5-23542C135847"
Content-Transfer-Encoding: 7bit
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Aug 2022 10:25:27 -0400
Message-Id: <6C6A01B5-3FDB-4500-A3F2-5C15A8F2D322@fugue.com>
References: <58224CCB-E770-4CB5-ACE3-E5C4C6746A41@gmail.com>
Cc: Michael Richardson <mcr@sandelman.ca>, dhcwg@ietf.org
In-Reply-To: <58224CCB-E770-4CB5-ACE3-E5C4C6746A41@gmail.com>
To: Bernie Volz <bevolz@gmail.com>
X-Mailer: iPad Mail (19F77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/eaEjM9XKessikh2iBXPC3YjqzxM>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 14:25:31 -0000

The reason that DHCPv6 IA_NA has not gotten full implementation in clients is because it can be used to force clients to use a single stable address. I know you’ve heard this said before, Bernie.

This is why I would argue for deprecating IA_NA—it threatens the whole IPv6 addressing architecture and makes it more likely that homes will wind up having single addresses as is currently the case with IPv4.

IOW this is a compromise position: people have said they want DHCPv6 address assignment because they want to track clients, not because they want to constrain them to single addresses. If that’s so, then having clients implement this behavior would address that problem without throwing the baby out with the bathwater.

On the other hand, maybe that was never the issue in the first place, in which case this proposal will force people to advocate for what they really want, and force us to have the addressing architecture discussion.

It’s really unfortunate that DHCPv6 has found itself in the position of being the place in which this battle has been fought for lo these many years, but there’s not much we can do to change that, unfortunately.

Sent from my iPad

> On Aug 13, 2022, at 10:21 AM, Bernie Volz <bevolz@gmail.com> wrote:
> 
> I understand this “control” difference. But why should a client care whether it gets address A or B? If there is a requirement to provide a client a specific address, DHCPv6 servers support reservations (typically based on client id, DUID, but there are other possibilities). And clients can suggest addresses, and a server generally could allow that address to be used unless there is a specific conflict?
> 
> - Bernie
> 
>>> On Aug 13, 2022, at 10:14 AM, Ted Lemon <mellon@fugue.com> wrote:
>>> 
>> If a client wants to do DNS registration, the DNSSD service registration protocol might be a good option: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/
>> 
>> As to why not use DHCPv6 IA_NA, the answer is that this allows the DHCP server to control the client’s address, whereas registering the address doesn’t give the DHCP server that sort of control. This is a significant difference, and is why a client implementation might choose to include registration, but not IA_NA allocation.
>> 
>> Sent from my iPad
>> 
>>>> On Aug 13, 2022, at 7:43 AM, Bernie Volz <bevolz@gmail.com> wrote:
>>>> 
>>> 
>>> These are great points Michael.
>>> 
>>> For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues.
>>> 
>>> If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between?
>>> 
>>> - Bernie Volz
>>> 
>>>>> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote:
>>>>> 
>>>> 
>>>> This document seems to require many changes to many systems.
>>>> Do I hear that Google is willing to do this for Android?
>>>> I am very enthusiastic about having better information.
>>>> 
>>>> It works only if all the devices implement it, it's not that useful until all
>>>> the devices do it.  Until that happens, then it's completely useless to the
>>>> helpdesk.
>>>> It requires updates to DHCPv6 server, assuming that there is one, which if
>>>> you are using SLAAC... you probably don't even have one.
>>>> It does not require updates to the core routers, which is the only
>>>> interesting part.  {But, in homes and small offices, and remotely supported
>>>> small offices with a b2b ISP..., that's all the same openwrt box.}
>>>> 
>>>> It seems that if one already had an SNMP or YANG/NETCONF feed from the
>>>> routers for the Neighbor Entry Cache, that feeding that into the "database"
>>>> would be good.
>>>> 
>>>> Warren eventually says that he thinks this would be *more* complicated, and I
>>>> read his slide 10.... and come-on.   You hacked up something that needs to be
>>>> clearly coded correctly in the router.  Yes, it's chatty, but it doesn't need
>>>> to tell about every state transition.
>>>> BUT, even if it did, who cares if you can't read it scrolling on your screen.
>>>> That's what the networking monitoring system is for.  Actually, I think you
>>>> just proved how easily this could be done even without code changes to the routers.
>>>> 
>>>> So, I don't think that I agree at all.  The best part about linking it to the NCE
>>>> is that if the NCE is bad, overwhelmed or has been forged, then the client
>>>> machine probably doesn't get connectivity anyway.  There is some fate sharing here.
>>>> 
>>>> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay
>>>> path.  This is very much akin to the Accounting records that radius sends.
>>>> Doing it this way links the v6 address more directly to the MAC address,
>>>> while not requiring the host to actually know what it is doing.
>>>> 
>>>> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security
>>>> mechanisms they already have, but I'm not really sure how this should involve
>>>> the client system.
>>>> 
>>>> And...if I was going to upload all the source code, the first thing I'd do is send
>>>> one of these messages saying that I'm either the CEO, or the new hire, and then do it.
>>>> 
>>>> --
>>>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>>>           Sandelman Software Works Inc, Ottawa and Worldwide
>>>> _______________________________________________
>>>> dhcwg mailing list
>>>> dhcwg@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dhcwg
> 
>>> _______________________________________________
>>> dhcwg mailing list
>>> dhcwg@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email