Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
Alan DeKok <aland@deployingradius.com> Mon, 19 December 2022 17:13 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: expand-draft-ietf-opsawg-add-encrypted-dns.all@virtual.ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id B007BC14F606; Mon, 19 Dec 2022 09:13:02 -0800 (PST)
X-Original-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-opsawg-add-encrypted-dns.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4702C1524C9; Mon, 19 Dec 2022 09:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmR4Dl8v207U; Mon, 19 Dec 2022 09:12:57 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37906C14F606; Mon, 19 Dec 2022 09:12:51 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 6423D1D1; Mon, 19 Dec 2022 17:12:47 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com>
Date: Mon, 19 Dec 2022 12:12:45 -0500
Cc: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com>
References: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com>
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Resent-From: alias-bounces@ietf.org
Resent-To: rwilton@cisco.com, mohamed.boucadair@orange.com, aland@freeradius.org, warren@kumari.net, dhcwg@ietf.org, zhoutianran@huawei.com, bevolz@gmail.com, jclarke@cisco.com, kondtir@gmail.com, henk.birkholz@sit.fraunhofer.de
Resent-Message-Id: <20221219171302.B007BC14F606@ietfa.amsl.com>
Resent-Date: Mon, 19 Dec 2022 09:13:02 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/gb0uGTA4nm0tTaoWPGiykxSLXoU>
Subject: Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2022 17:13:02 -0000
On Dec 19, 2022, at 11:53 AM, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org> wrote: > It isn't really clear to me why some of the registries are needed, specifically the ones in 8.4.1 and 8.4.2. Why not allow any v4 or v6 DHCP attribute to be carried within the DHCPv6-Options or DHCPv4-Options field? The original intent of the document was to define a limited set of DHCP options which could be carried in RADIUS. i.e. option X would map to RADIUS attribute Y. After some discussion, this was deemed to be unworkable, and changed to the current method. The previous limitations were still kept, however. While it is useful, I could see issues with allowing any DHCP option to be transported in RADIUS. I'll have to dig deeper to get into details. > > (2) p 4, sec 3. DHCP Options RADIUS Attributes > > Absent any explicit configuration on the DHCP server, RADIUS supplied > data by means of DHCP*-Options Attributes take precedence over any > local configuration. > > This point may be worth discussing. Naturally, I would explicit configuration to a network device to generally take precedent over implicitly learned configuration from the network. I'm not sure which options are "implicitly learned" from the network. One set is configured in the device, and another is configured on a per-user / per-session basis. This allows for sane defaults, with specific over-rides where those are needed. If the options configured on the device always take precedence over the per-session options (via RADIUS), then there isn't much point in sending per-session options. > (3) p 6, sec 3.2. DHCPv4-Options Attribute > > Permitted DHCPv4 options in the DHCPv4-Options Attribute are > maintained by IANA in the registry created in Section 8.4.2. > > Comparing this text to the description for v6, this description is silent on whether multiple instances of the same DHCPv4 option MAY be included. Should that be specified here? Likely, yes. The RADIUS attributes are simply carrying DHCP options, as if they were in a DHCP packet. So all of the DHCP rules about option handling should apply here. > > (4) p 10, sec 7. Table of Attributes > > The following table provides a guide as what type of RADIUS packets > that may contain these attributes, and in what quantity. > > Am I right that this is just a duplication of what is described in section 3? If so, perhaps change "guide" to "informative guide" and include text to refer back to the canonical definition in section 3. Sure. This table is traditional in RADIUS RFCs, so the text here mirrors previous RADIUS RFCs. > (8) p 3, sec 3. DHCP Options RADIUS Attributes > > These attributes use the "Long Extended Type" format in order to > permit the transport of attributes encapsulating more than 253 octets > of data. DHCP options that can be included in the DHCP*-Options > RADIUS attributes are limited by the maximum packet size of 4096 > bytes. In order to accommodate deployments with large options, > implementations are RECOMMENDED to support a packet size up to 65535 > bytes. > > I didn't find this text clear. E.g., limit is 4k but should support up to 64K. Which implementations should support larger packet sizes? Is this RADIUS implementations? It's a limitation of RADIUS. Everything RADIUS has to support 4K packets. Later RFCs allow for 64K packets. > > (9) p 5, sec 3.1. DHCPv6-Options Attribute > > This field contains a list of DHCPv6 options. Multiple instances > of the same DHCPv6 option MAY be included. Consistent with > Section 17 of [RFC7227], this document does not impose any option > order when multiple options are present. > > Is there any requirement to merge multiple instances of options together, presumably they are logically just concatenated today. The rules for DHCP options processing should apply. > (12) p 8, sec 5. Applicability to Encrypted DNS Provisioning > > Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange > > As a minor comment, I wonder whether it would be helpful to also include RADIUS client in the NAS box description? Yes. > > (13) p 12, sec 8.4.1. DHCPv6 > > IANA is requested to create a new sub-registry entitled "DHCPv6 > Options Permitted in the RADIUS DHCPv6-Options Attribute" in the > "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry > [DHCP-RADIUS]. > > Do we need to define the definition of columns for this (and the v4 equivalent) registries. E.g., do the values need to match another registry? Perhaps just names? It would be good to avoid duplicating multiple columns, as they could get out of sync. Alan DeKok.
- [dhcwg] AD review of draft-ietf-opsawg-add-encryp… Rob Wilton (rwilton)
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Alan DeKok
- Re: [dhcwg] AD review of draft-ietf-opsawg-add-en… mohamed.boucadair
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Rob Wilton (rwilton)
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Alan DeKok
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… mohamed.boucadair
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Rob Wilton (rwilton)
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… mohamed.boucadair
- Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsa… Rob Wilton (rwilton)