Re: [dhcwg] recommendation on DHCP6 source port numbers

"rob@deepdivenetworklng.com" <rob@deepdivenetworking.com> Thu, 29 February 2024 23:36 UTC

From: "rob@deepdivenetworklng.com" <rob@deepdivenetworking.com>
Message-Id: <F9A7BF74-CAFA-433E-9F37-80302BA9A6B8@deepdivenetworking.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_28C548D9-D1BC-41BD-BEC0-C8980226D83C"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Thu, 29 Feb 2024 15:35:55 -0800
In-Reply-To: <CAPt1N1=bpk8HV4ADcV5p2TUMgqg6d_DYQiazGDNgD9EPi0T_qw@mail.gmail.com>
Cc: Bernie Volz <bevolz@gmail.com>, David Farmer <farmer=40umn.edu@dmarc.ietf.org>, dhcwg <dhcwg@ietf.org>
To: Ted Lemon <mellon@fugue.com>
References: <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com> <A51674A4-56CB-433F-BC7F-643C959B8DB3@gmail.com> <CAPt1N1=bpk8HV4ADcV5p2TUMgqg6d_DYQiazGDNgD9EPi0T_qw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/fRBrKRrcdxHamsf0JRB3wGC99gw>
Subject: Re: [dhcwg] recommendation on DHCP6 source port numbers

Just my $.02,

In most enterprise implementations I deal with (and these range from a small school to a Fortune 50 customer), DHCP most often does go through one or more firewalls, and worse, now it often can go through what cloud providers call firewalls (not all suck, but for some…just wow). So I think factoring in firewalls is critical. I again am for the locked source/destination, yet my argument is “is it our role to tell them which source port?” We certainly say which destination/listening port. But should we do any more than a recommendation on source, or a tidbit on why using matching source-destination is helpful for firewalls and, say, monitoring/security tools? To me Destination = MUST, Source = SHOULD (and like a weak should).

Rob


> On Feb 29, 2024, at 12:23 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> Not going through firewalls definitely seems like a feature to me. If it's intended to go through the firewall, requiring the admin to explicitly configure that makes a lot of sense.
> 
> On Thu, Feb 29, 2024 at 3:12 PM Bernie Volz <bevolz@gmail.com> wrote:
>> We’re not starting from scratch - thus if you mandate this, you make existing implementations that are operating non-compliant. And if it cannot be mandated, you cannot rely on it.
>> 
>> Also, dhcp is probably not a protocol that goes through firewalls? Firewalls likely block these ports.
>> 
>> - Bernie (from iPhone)
>> 
>>> On Feb 29, 2024, at 2:03 PM, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>>> 
>>> 
>>> Actually, given that return DHCP messages MUST be sent to their designated destination ports and not the source port used by the originating DHCP message, there is no advantage to using randomized source ports to prevent spoofing. Using randomized source ports only makes firewall traversal for DHCP messages more difficult.
>>> 
>>> Thanks.
>>> 
>>> On Thu, Feb 29, 2024 at 12:44 PM rob@deepdivenetworklng.com <rob@deepdivenetworking.com> wrote:
>>>> I think we are in the middle of the (no end in sight) argument of: if we make it completely predictable it is easy to monitor and punch holes for firewalls, vs. if we make it easily predictable it is super easy to exploit. Just look at DNS needing to randomize source ports to combat cache poisoning. I think we don't have to say it “Should” be source and destination port that is forced. People can do that if they choose to given the current text, but we don't paint them into a corner.
>>>> 
>>>> Rob
>>>> 
>>>> 
>>>> 
>>>>> On Feb 29, 2024, at 10:39 AM, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>>>>> 
>>>>> If we did, that would ensure DHCP messages will make it through typical stateful firewalls without special rules.
>>>>> 
>>>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>>>> 
>>>>>> Clients, servers, and relay agents SHOULD send DHCP messages from their designated destination ports, as this will facilitate firewall traversal for DHCP messages. Nevertheless, DHCP messages MUST be accepted from any UDP (source) port, and regardless of the source port used, return DHCP messages MUST be sent to their designated destination port.
>>>>> 
>>>>> On Thu, Feb 29, 2024 at 12:05 PM Ole Trøan <otroan=40employees.org@dmarc.ietf.org> wrote:
>>>>>> Should we also make it recommended to use the designated port as the source port? With the may to send arbitrary port and a must to accept an arbitrary port?
>>>>>> 
>>>>>> O. 
>>>>>> 
>>>>>>> On 29 Feb 2024, at 18:51, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> Ok, it's a little less wordy this time.
>>>>>>> 
>>>>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>>>>> 
>>>>>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port used, DHCP messages MUST be sent to their designated destination ports.
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> On Thu, Feb 29, 2024 at 10:24 AM David Farmer <farmer@umn.edu> wrote:
>>>>>>>> Would this text clarify things?
>>>>>>>> 
>>>>>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>>>>>> 
>>>>>>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port the client uses, the server or relay agent MUST send traffic to the designated destination port of the client. And vice versa, regardless of the source port used by the server or relay agent, the client MUST send traffic to the designated destination port of the server or relay agent.
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> 
>>>>>>>> On Thu, Feb 29, 2024 at 10:03 AM Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote:
>>>>>>>>> Bernie,
>>>>>>>>> 
>>>>>>>>> > DHCPv6 has been successfully deployed and this is the first I recall of this kind of discussion/issue.
>>>>>>>>> > You would likely also invalidate a lot of implementations with such a change, which is not really in line with advancing this to Full Standard.
>>>>>>>>> 
>>>>>>>>> It’s a lot more important to have the specification clear and unambiguous. I think it has been shown that it isn’t.
>>>>>>>>> Happy with whatever solution there is consensus for, but the ambiguity has to be resolved I think.
>>>>>>>>> 
>>>>>>>>> O.
>>>>>>>>> _______________________________________________
>>>>>>>>> dhcwg mailing list
>>>>>>>>> dhcwg@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -- 
>>>>>>>> ===============================================
>>>>>>>> David Farmer               Email: farmer@umn.edu
>>>>>>>> Networking & Telecommunication Services
>>>>>>>> Office of Information Technology
>>>>>>>> University of Minnesota   
>>>>>>>> 2218 University Ave SE        Phone: 612-626-0815
>>>>>>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>>>>>>> =============================================== 
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
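The thread above turns on two rules in David Farmer's proposed text (reply to the peer's designated port regardless of the source port it used; SHOULD send from your own designated port so that stateful firewalls pass the reply without special rules). The following is an added example written for this archive page, not code from the thread or from any DHCPv6 implementation: it encodes the reply-port rule as a function and runs one request/reply exchange through a minimal model of a stateful UDP firewall, once with the client sending from port 546 and once from a random port. The firewall model, the addresses (RFC 3849 documentation prefix) and the ephemeral port 51000 are constructed for illustration.

```python
"""Added example (not from the dhcwg thread): models the DHCPv6 port rules in
the proposed text and shows how a typical stateful firewall treats the reply.

Assumptions (constructed for illustration): the firewall is a minimal UDP flow
table keyed on the 4-tuple with no DHCP-specific helper; addresses are
placeholders from the 2001:db8::/32 documentation prefix.
"""
from dataclasses import dataclass, field

CLIENT_PORT = 546   # clients receive DHCPv6 on this designated destination port
SERVER_PORT = 547   # servers and relay agents receive on this one


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def reply_dst_port(received: UdpPacket) -> int:
    """Port a reply MUST be sent to: the peer's designated port, never the
    source port the peer happened to use (messages are accepted from any
    source port, so the source port carries no information for the reply)."""
    if received.dst_port == SERVER_PORT:
        return CLIENT_PORT      # server/relay answering a client
    if received.dst_port == CLIENT_PORT:
        return SERVER_PORT      # client answering a server/relay
    raise ValueError(f"not a DHCPv6 destination port: {received.dst_port}")


def build_reply(received: UdpPacket) -> UdpPacket:
    """Build the reply from our own designated port (the SHOULD) to the
    peer's designated port (the MUST)."""
    return UdpPacket(
        src_ip=received.dst_ip,
        src_port=received.dst_port,
        dst_ip=received.src_ip,
        dst_port=reply_dst_port(received),
    )


@dataclass
class StatefulFirewall:
    """Toy stateful UDP firewall: an outbound packet creates a flow entry, and
    an inbound packet passes only if it is the exact reverse of an existing
    entry or its destination port has a static allow rule (an admin-punched
    hole)."""
    flows: set = field(default_factory=set)
    static_allow_dst_ports: set = field(default_factory=set)

    def outbound(self, pkt: UdpPacket) -> None:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound_allowed(self, pkt: UdpPacket) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows or pkt.dst_port in self.static_allow_dst_ports


def dhcp_exchange_passes(client_src_port: int, static_rule: bool = False) -> bool:
    """Send one client request through the firewall and report whether the
    server's reply (sent to port 546 per the MUST) gets back to the client."""
    fw = StatefulFirewall()
    if static_rule:
        fw.static_allow_dst_ports.add(CLIENT_PORT)
    # Constructed addresses: client 2001:db8::10, server 2001:db8::1.
    request = UdpPacket("2001:db8::10", client_src_port, "2001:db8::1", SERVER_PORT)
    fw.outbound(request)
    reply = build_reply(request)
    return fw.inbound_allowed(reply)


if __name__ == "__main__":
    for port, rule in [(CLIENT_PORT, False), (51000, False), (51000, True)]:
        outcome = "passes" if dhcp_exchange_passes(port, rule) else "dropped"
        print(f"client src port {port:5d}, static rule {rule!s:5}: reply {outcome}")
```

The middle case is the one the thread argues about: because the reply is addressed to port 546 no matter what the client used, a randomized source port buys the client no anti-spoofing benefit (unlike DNS, where the answer returns to the query's source port) and merely leaves the firewall without a matching flow entry, so the reply is dropped unless an explicit rule admits inbound traffic to 546.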