Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
Benoit Claise <bclaise@cisco.com> Thu, 10 December 2015 07:53 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD0D31A1A0B; Wed, 9 Dec 2015 23:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g7BYYwLHWX1N; Wed, 9 Dec 2015 23:53:36 -0800 (PST)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 167221A19E9; Wed, 9 Dec 2015 23:53:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22277; q=dns/txt; s=iport; t=1449734015; x=1450943615; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=kqmAVqmliWhAYa0vq/S5HjYY70p5VxnRL1m+iFodFVc=; b=lNd4Nr9bGOrqJa1Czgyl/D2N4jFKugdcXX9wbOGN+L74Cn9M97EG0uQw uTf03JGHYYsTr0jER2KgC6F9usnnRyF9+E7VKdTjG4OqS4WPy1Im9KwQ5 622AFoPYGzA0y79pJ+9oVNvbdJsZvqFuT0xqp1Mc0Yn2rn7VG/AuTqEJP k=;
X-IronPort-AV: E=Sophos;i="5.20,407,1444694400"; d="scan'208,217";a="607125377"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Dec 2015 07:53:33 +0000
Received: from [10.60.67.86] (ams-bclaise-8915.cisco.com [10.60.67.86]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id tBA7rWN6006828; Thu, 10 Dec 2015 07:53:32 GMT
To: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
References: <D28C940C.1FA5DF%sgundave@cisco.com> <D28C9CDC.1FA630%sgundave@cisco.com> <D28CA317.1FA673%sgundave@cisco.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <56692F7C.7070303@cisco.com>
Date: Thu, 10 Dec 2015 08:53:32 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <D28CA317.1FA673%sgundave@cisco.com>
Content-Type: multipart/alternative; boundary="------------000202070300080900000807"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/gid05W0Ngg9Wpnlcofww-IHjxrM>
Cc: "Bernie Volz (volz)" <volz@cisco.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "draft-ietf-dhc-access-network-identifier.shepherd@ietf.org" <draft-ietf-dhc-access-network-identifier.shepherd@ietf.org>, IESG <iesg@ietf.org>, "draft-ietf-dhc-access-network-identifier.ad@ietf.org" <draft-ietf-dhc-access-network-identifier.ad@ietf.org>, "<dhcwg@ietf.org>" <dhcwg@ietf.org>, "draft-ietf-dhc-access-network-identifier@ietf.org" <draft-ietf-dhc-access-network-identifier@ietf.org>
Subject: Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-access-network-identifier-10: (with DISCUSS)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 07:53:39 -0000
Hi Sri, > Hi Benoit, > > Thank you for your review. Please see inline. Please let us know if > you are OK with the suggested text for resolving the issues. > > > > > I would like to discuss the following point. > You define the "Vendor ID" and then the Operator Enterprise ID. Why don't you reuse the RFC 6757 Operator-Identifier? > > Sri] I believe we made a mistake here. Thanks for catching this. There > is just Operator Id and not vendor id. > OLD: > Vendor ID The Vendor ID is the SMI Network Management Private > Enterprise Code of the IANA-maintained Private Enterprise Numbers > registry [SMI]. > NEW: > Operator-Identifier The Operator-Identifier is the Structure of > Management Information (SMI) Network Management Private Enterprise > Code of the IANA- maintained "Private Enterprise Numbers" registry > [SMI <https://tools.ietf.org/html/rfc6757#ref-SMI>]. It identifies the > operator running the network attached to a specific interface of the > mobile access gateway. > OLD: > Operator Enterprise ID The operator's Vendor ID (as described in > Section 3) is Private Enterprise Number (PEN) [SMI]. > NEW: > Operator Enterprise ID The operator's Enterprise ID (as described in > Section 3) is a Private Enterprise Number (PEN) [SMI]. Ack. Make sure to mention that the definition is identical to RFC 6757 Fine with the rest of the comments. Regards, Benoit > > I'm been confused by the following text and the figure 1, as it doesn't mention the dhcp relay-agents and servers > > The PMIPv6 extension as specified in [RFC6757] defines PMIPv6 options > to carry access network identifiers in PMIPv6 signaling from Mobile > Access Gateway (MAG) to LMA. MAG can learn this information from > DHCP options as inserted by DHCP Relay agent before MAG. If MAG > relays DHCP messages to LMA as specified in [RFC5844] this > information can be inserted by MAG towards LMA in the forwarded DHCP > messages. > > Figure 1 illustrates an example Proxy Mobile IPv6 deployment where > Access Points (AP) acting as a DHCP relay agent inserts access > network identifiers in DHCP messages relayed from the connected > clients. The mobile access gateway learns this information over DHCP > and delivers the information elements related to the access network > to the local mobility anchor over Proxy Mobile IPv6 signaling > messages. In this example, the additional information could comprise > the SSID of the used IEEE 802.11 network and the identities of the > operators running the IEEE 802.11 access network infrastructure. > > Discussing with Sri and Mark, I discovered my source of confusion. > There are two cases, as discussed inhttps://tools.ietf.org/html/rfc5844#section-3.4: > > This specification supports the following two DHCP deployment > configurations. > > o DHCP relay agent co-located with the mobile access gateway. > > o DHCP server co-located in the mobile access gateway. > > Either the DHCP server is on the LMA, and the MAG just forwards the DHCP message to the LMA. The LMA receives the > access network identifiers from DHCP (the MAG just forwards the DHCP message, modified by the AP) > Or the DHCP server is on the MAG, and then the PMIPv6 extension carries the access network identifiers to the LMA, learned with DHCP from the AP. > However, in the context of WLAN-EPC interworking, the only supported mode is DHCP server collocation on the MAG. Hence the figure 1 focuses on this case. > > The text and the figure should be improved IMO. > > [Sri] Sure. We can identify the DHCP Relay function on the AP and the > DHCP Server on the MAG. > > > OLD: > Figure 1 illustrates an example Proxy Mobile IPv6 deployment where > Access Points (AP) acting as a DHCP relay agent inserts access network > identifiers in DHCP messages relayed from the connected clients. The > mobile access gateway learns this information over DHCP and delivers > the information elements related to the access network to the local > mobility anchor over Proxy Mobile IPv6 signaling messages. In this > example, the additional information could comprise the SSID of the > used IEEE 802.11 network and the identities of the operators running > the IEEE 802.11 access network infrastructure. > > NEW: > Figure 1 illustrates an example Proxy Mobile IPv6 deployment where > Access Points (AP) acting as a DHCP relay agent inserts access network > identifiers in DHCP messages relayed from the connected clients. The > DHCP Server collocated on the mobile access gateway learns this > information over DHCP and delivers the information elements related to > the access network to the local mobility anchor over Proxy Mobile IPv6 > signaling messages. In this example, the additional information could > comprise the SSID of the used IEEE 802.11 network and the identities > of the operators running the IEEE 802.11 access network infrastructure. > > > - I agree with Al Morton, in his OPS-DIR review. > This draft specifies the optional capability in DHCP to identify > access network ID and operator ID for the possible application of policy > on operator-specific handling, traffic management, or differentiated > services. Often these are carefully planned and controlled networking > capabilities, so some form of ID integrity protection would be welcome. > Thus, it's worrisome when the authors remind us in the Security > Considerations section (9): > [Sri] Ok. > OLD: > DHCP server administrators are strongly advised to configure DHCP > servers that use this option to communicate with their relay agents > using IPsec, as described in Section 21.1 of [RFC3315]. > NEW: > DHCP server administrators are strongly advised to configure DHCP > servers that use this option to communicate with their relay agents > using IPsec security association(s) offering integrity protection, as > described in Section 21.1 of [RFC3315]. > ...DHCP itself is inherently unsecure and > thus link-layer confidentiality and integrity protection should be > employed to reduce the risk of disclosure and tampering. > > maybe s/should/SHOULD/ ? or stronger? Other solutions or explanation welcome. > [Sri] Ok. > DHCP itself is inherently insecure and thus link-layer confidentiality > and integrity protection should be employed to reduce the risk of > disclosure and tampering. > NEW: > DHCP itself is inherently insecure and thus link-layer confidentiality > and integrity protection SHOULD be employed to reduce the risk of > disclosure and tampering. > > > > .
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Benoit Claise
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Sri Gundavelli (sgundave)
- Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-… Ben Campbell