Re: [dhcwg] Stephen Farrell's No Objection on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with COMMENT)

kkinnear <kkinnear@cisco.com> Thu, 02 February 2017 15:28 UTC

Return-Path: <kkinnear@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A9D12966F; Thu, 2 Feb 2017 07:28:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.721
X-Spam-Level:
X-Spam-Status: No, score=-17.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAySzByEUBmI; Thu, 2 Feb 2017 07:28:16 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD82012966C; Thu, 2 Feb 2017 07:28:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3404; q=dns/txt; s=iport; t=1486049296; x=1487258896; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=Z/2cop4PRCHGySr0Ee4eWvT/j5bPGnMPbQFoDPkrGG4=; b=hRFk0pMvtESOVq+cC7vQkF0HB+RDNTLaFgdUlqfomYO+1aTXEJxAtAIY 7FPcsef5XTnF4oNf38oLgxquI7lzmR10U8Mjj0x5ediFKcgC1jyYTFTOO z5bhWPpi5kSwOF8qRinrZU3LZ86i4JlqTsWhIDtC9A2QQ7CInAEA7ry6g Q=;
X-IronPort-AV: E=Sophos;i="5.33,325,1477958400"; d="scan'208";a="380588381"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 02 Feb 2017 15:28:15 +0000
Received: from [161.44.67.129] ([161.44.67.129]) (authenticated bits=0) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v12FSE8O028361 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Feb 2017 15:28:14 GMT
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: kkinnear <kkinnear@cisco.com>
In-Reply-To: <148599922705.18700.14648245113952484559.idtracker@ietfa.amsl.com>
Date: Thu, 2 Feb 2017 10:28:13 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BD6519B-F6AC-4630-8666-13D3ED54054C@cisco.com>
References: <148599922705.18700.14648245113952484559.idtracker@ietfa.amsl.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.3124)
X-Authenticated-User: kkinnear@cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/jH7OWxsEGDkaLTAXR2GAyNxX51I>
Cc: Bernie Volz <volz@cisco.com>, dhc-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-dhc-dhcpv6-failover-protocol@ietf.org, dhcwg@ietf.org, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Stephen Farrell's No Objection on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2017 15:28:17 -0000

Stephen,

Thanks for your review!

I've responded to your comments, indented, below...

> On Feb 1, 2017, at 8:33 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>; wrote:
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-dhc-dhcpv6-failover-protocol-04: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-failover-protocol/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> - I support Ben's discuss about "secure mode" - a few
> more details are needed, in particular how a pair
> decide to use/not-use TLS - are there different ports
> or a STARTTLS equivalent - I can't see that defined
> here. (Is it inherited from RFC7653? If so, maybe you
> need to say?)


	Yes, Section 9.1 of RFC 7653 discusses exactly this issue (in
	part due to your review comments from July 2015, as it
	happens).  I believe the discussion there is sufficient.

	I substantially enhanced the Security Considerations section
	as a result of Ben Campbell's comments.  One paragraph that I
	added discussed secure and insecure mode.  I will expand that
	paragraph to point in more detail towards RFC 7653 as follows:


  "DHCPv6 failover can operate in secure or insecure mode.  Secure
  mode (using TLS) would be indicated when the TCP connection between
  failover partners is open to external monitoring or interception.
  Insecure mode should only be used when the TCP connection between
  failover partners remains within set of protected systems.  Details
  of such protections are beyond the scope of this document.  Failover
  servers MUST use the approach documented in Section 9.1 of [RFC7653]
  to decide to use or not to use TLS."


> 
> - For the DNS update stuff - is there no need to use
> TSIG secrets? If there is, how is that sync'd between
> the pair of DHCP servers?  If it is sync'd then don't
> you need to say that TLS is a MUST for such
> connections? If there is no support for TSIG, is that
> likely to work?
> 
> 

	Surely, TSIG is important.  Each DHCP server in a failover
	pair has its own relationship with the relevant DNS servers,
	and needs to be configured with the correct TSIG secrets to
	update those DNS servers.  The configuration of a DHCP server
	to communicate with a DNS server is a configuration issue, and
	outside of the scope of the failover protocol.  

	In the (now blessedly distant) past, we spent years working on
	the DHCPv4 failover protocol trying to shoehorn configuration
	information into the protocol, and it never worked.  DHCP
	servers need *lots* of configuration, and we have most
	consciously decided that synchronizing that configuration
	between failover partners is not the purpose of the DHCPv6
	failover protocol.

Thanks again for your review!

Kim