Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary

Lishan Li <lilishan48@gmail.com> Wed, 19 April 2017 14:06 UTC

In-Reply-To: <913306d77da44ee48136f4e86e26b433@XCH15-06-08.nw.nos.boeing.com>
References: <e08be0f6-f1b4-4f57-6cdf-ddd546f8b793@gmail.com> <1380758a-b7d0-bb73-bf58-4e318e88a6d0@gmail.com> <257f4b807afa44d5841e7764859f150c@XCH15-06-08.nw.nos.boeing.com> <CAJ3w4NcCwUS2CAk=C6wfz+6vJViTPmevBQgCgiH1obbNxcxfbA@mail.gmail.com> <913306d77da44ee48136f4e86e26b433@XCH15-06-08.nw.nos.boeing.com>
From: Lishan Li <lilishan48@gmail.com>
Date: Wed, 19 Apr 2017 22:06:00 +0800
Message-ID: <CAJ3w4NeBVEp8g2SaVTQTNYbaH0RsoBjZuryJmiL6pL-X0Kktmg@mail.gmail.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Cc: Tomek Mrugalski <tomasz.mrugalski@gmail.com>, dhcwg <dhcwg@ietf.org>, draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/iHTmQpUP0gTCA83rvIz9YcwpNo4>
Subject: Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary

This is the first time it has been discussed.
In fact, I have no idea how to update it. I just think that the client's
private key and the server's private key are owned by themselves and cannot
be shared with an L2 snooping device.

However, this incompatibility cannot be the reason to stop this work.
Firstly, we can think out some update method for SAVI. Secondly, in some
scenarios where SAVI is not deployed but DHCPv6 security needs to be
protected, secure DHCPv6 can work.

Best Regards,
Lishan

2017-04-19 21:51 GMT+08:00 Templin, Fred L <Fred.L.Templin@boeing.com>:

> > I have considered this problem. Yes, secure DHCPv6 is incompatible
> > with SAVI.
> >
> > If secure DHCPv6 is implemented, SAVI cannot work well and has to be
> > updated.
>
> OK, so you knew this but has it been discussed already on the lists or is
> this the first time it has come up for discussion? Because this seems like
> a rather significant incompatibility to me. And, when you say SAVI has
> to be updated, how do you see that happening? Must the encryption keys
> held by the client and/or server be shared with the L2 snooping device?
>
> Thanks - Fred
>
> *From:* Lishan Li [mailto:lilishan48@gmail.com]
> *Sent:* Wednesday, April 19, 2017 6:46 AM
> *To:* Templin, Fred L <Fred.L.Templin@boeing.com>
> *Cc:* Tomek Mrugalski <tomasz.mrugalski@gmail.com>; dhcwg <dhcwg@ietf.org>;
> draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
> *Subject:* Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary
>
> Hi,
>
> I have considered this problem. Yes, secure DHCPv6 is incompatible with
> SAVI.
>
> If secure DHCPv6 is implemented, SAVI cannot work well and has to be
> updated.
>
> Best Regards,
> Lishan
>
> On April 19, 2017, at 9:41 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
>
> Hi,
>
> RFC7513 seems to suggest DHCP snooping, i.e., some L2 device on the link
> from the DHCP server or relay to the client examines the contents of DHCP
> messages. Unfortunately, sedhcpv6 mandates encryption, making snooping
> impossible.
>
> Does it mean that Secure DHCPv6 will be incompatible with SAVI?
>
> Thanks - Fred
> fred.l.templin@boeing.com
>
>
> -----Original Message-----
> From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Tomek Mrugalski
> Sent: Wednesday, April 05, 2017 12:07 PM
> To: dhcwg <dhcwg@ietf.org>
> Cc: draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
> Subject: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - summary
>
> It took a little bit more than planned, but the extra time gave us a
> couple more comments.
>
> We did receive a number of in-depth reviews with technical comments. In
> general, several people praised the significantly improved quality and
> clarity of the document. Nobody said that they are opposed to this work. So
> from that perspective this last call is a success.
>
> However, both chairs and at least one co-author feel that an important
> concern has not been addressed yet. There currently are no known
> implementations or prototypes of this draft. For a typical DHCP draft
> that adds an option or two that would probably be fine, but for this
> particular draft it is not. For two reasons: First, we feel that this is
> an essential piece of the whole DHCPv6 ecosystem and as such requires
> much more scrutiny than an average draft. Second, security is a complex
> matter and any unclear aspects would gravely damage
> interoperability. Jinmei had put it well: "I suspect the current spec
> still has some points that are critically unclear, which you would
> immediately notice once you tried to implement it."
>
> Given that, we declare that more effort is needed before this work is
> deemed ready for IESG. At the same time, chairs would like to strongly
> applaud authors' efforts to improve this work. This version is
> significantly better than its predecessors. Thank you for your hard
> work. You are doing excellent work. Please continue.
>
> Also, to address the concern of missing implementations, chairs would
> like to announce a DHCP hackathon in Prague. Details are TBD, but the
> primary goal will be to have at least two independent implementations of
> that draft. The hackathon will take place the weekend before IETF
> meeting (that's July 15-16). A separate announcement will be sent soon.
>
> That is well over 3 months away. Authors and supporters of this work,
> please seriously consider dedicating some of your time implementing
> prototypes and attending the hackathon, if you can. If you can't we will
> organize some means for participating remotely.
>
> Thank you to the authors and to everyone who commented.
>
> Bernie & Tomek
>
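To make the SAVI/secure DHCPv6 incompatibility discussed in this thread concrete, here is an added Python example (not from the draft, RFC7513, or any SAVI implementation) of the snooping step an L2 device performs: pulling the assigned address out of a cleartext DHCPv6 Reply to form a binding. The encrypted-message option code is a hypothetical placeholder, not the code assigned in the draft.

```python
import struct
from ipaddress import IPv6Address

MSG_REPLY = 7                 # DHCPv6 Reply message type (RFC 3315)
OPT_IA_NA, OPT_IAADDR = 3, 5  # IA_NA and IA Address option codes (RFC 3315)
# Hypothetical placeholder for a sedhcpv6 encrypted-message option; the
# draft's real option code is not used here.
OPT_ENCRYPTED_MSG_PLACEHOLDER = 0xFFFF


def parse_options(buf):
    """Yield (code, data) pairs from a DHCPv6 TLV option list."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        yield code, buf[off:off + length]
        off += length


def savi_bindings(client_mac, reply):
    """Derive (MAC, address, valid-lifetime) bindings the way a snooping
    device would, by reading a Reply in transit. Returns [] for a Reply
    whose body is opaque ciphertext, since nothing can be learned from it."""
    if len(reply) < 4 or reply[0] != MSG_REPLY:
        return []
    bindings = []
    for code, data in parse_options(reply[4:]):      # skip type + xid
        if code == OPT_ENCRYPTED_MSG_PLACEHOLDER:
            return []                                # unreadable without the key
        if code == OPT_IA_NA:
            for sub, sdata in parse_options(data[12:]):  # skip IAID, T1, T2
                if sub == OPT_IAADDR:
                    addr = IPv6Address(sdata[:16])
                    valid = struct.unpack_from("!I", sdata, 20)[0]
                    bindings.append((client_mac, str(addr), valid))
    return bindings


def build_option(code, data):
    return struct.pack("!HH", code, len(data)) + data


# Constructed sample: cleartext Reply assigning 2001:db8::10 (valid 7200 s).
_iaaddr = build_option(OPT_IAADDR, IPv6Address("2001:db8::10").packed
                       + struct.pack("!II", 3600, 7200))
_ia_na = build_option(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + _iaaddr)
PLAINTEXT_REPLY = bytes([MSG_REPLY, 0x12, 0x34, 0x56]) + _ia_na
# Constructed sample: same Reply with the body replaced by opaque ciphertext.
ENCRYPTED_REPLY = bytes([MSG_REPLY, 0x12, 0x34, 0x56]) + build_option(
    OPT_ENCRYPTED_MSG_PLACEHOLDER, b"\x00" * len(_ia_na))
```

Running `savi_bindings("00:11:22:33:44:55", PLAINTEXT_REPLY)` yields one binding, while the encrypted form yields none, which is exactly the gap Fred raises.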