Re: [dhcwg] recommendation on DHCP6 source port numbers

"rob@deepdivenetworklng.com" <rob@deepdivenetworking.com> Thu, 29 February 2024 18:44 UTC


I think we are in the middle of the (no end in sight) argument of: if we make it completely predictable it is easy to monitor and punch holes for firewalls, vs. if we make it easily predictable it is super easy to exploit. Just look at DNS needing to randomize source ports to combat cache poisoning. I think we don't have to say it "Should" be source and destination port that is forced. People can do that if they choose to given the current text, but we don't paint them into a corner.

Rob



> On Feb 29, 2024, at 10:39 AM, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
> 
> If we did, that would ensure DHCP messages will make it through typical stateful firewalls without special rules.
> 
>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>> 
>> Clients, servers, and relay agents SHOULD send DHCP messages from their designated destination ports, as this will facilitate firewall traversal for DHCP messages. Nevertheless, DHCP messages MUST be accepted from any UDP (source) port, and regardless of the source port used, return DHCP messages MUST be sent to their designated destination port.
> 
> On Thu, Feb 29, 2024 at 12:05 PM Ole Trøan <otroan=40employees.org@dmarc.ietf.org> wrote:
>> Should we also make it recommended to use the designated port as the source port? With the may to send arbitrary port and a must to accept an arbitrary port?
>> 
>> O. 
>> 
>>> On 29 Feb 2024, at 18:51, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>>> 
>>> 
>>> Ok, it's a little less wordy this time.
>>> 
>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>> 
>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port used, DHCP messages MUST be sent to their designated destination ports.
>>> 
>>> Thanks
>>> 
>>> On Thu, Feb 29, 2024 at 10:24 AM David Farmer <farmer@umn.edu> wrote:
>>>> Would this text clarify things?
>>>> 
>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>> 
>>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port the client uses, the server or relay agent MUST send traffic to the designated destination port of the client. And vice versa, regardless of the source port used by the server or relay agent, the client MUST send traffic to the designated destination port of the server or relay agent.
>>>> 
>>>> Thanks
>>>> 
>>>> On Thu, Feb 29, 2024 at 10:03 AM Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote:
>>>>> Bernie,
>>>>> 
>>>>> > DHCPv6 has been successfully deployed and this is the first I recall of this kind of discussion/issue.
>>>>> > You would likely also invalidate a lot of implementations with such a change, which is not really in line with advancing this to Full Standard.
>>>>> 
>>>>> It’s a lot more important to have the specification clear and unambiguous. I think it has been shown that it isn’t.
>>>>> Happy with whatever solution there is consensus for, but the ambiguity has to be resolved I think.
>>>>> 
>>>>> O.
>>>>> _______________________________________________
>>>>> dhcwg mailing list
>>>>> dhcwg@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>> 
>>>> 
>>>> -- 
>>>> ===============================================
>>>> David Farmer               Email: farmer@umn.edu
>>>> Networking & Telecommunication Services
>>>> Office of Information Technology
>>>> University of Minnesota   
>>>> 2218 University Ave SE        Phone: 612-626-0815
>>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>>> =============================================== 
>>> 
>>> 
> 
> 
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
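Added example, not code from the thread or from any DHCPv6 implementation: a small Python model of the port rules in the proposed text quoted above (designated ports 546 and 547, accept from any UDP source port, always reply to the peer's designated destination port) beside a toy stateful firewall, which makes the traversal difference behind the SHOULD on source ports concrete. The IPv6 addresses, role names and the ephemeral port 40000 used in the walk-through are constructed.

```python
from dataclasses import dataclass

CLIENT_PORT = 546   # clients receive DHCPv6 on this UDP port
SERVER_PORT = 547   # servers and relay agents receive on this UDP port
DESIGNATED = {"client": CLIENT_PORT, "server": SERVER_PORT, "relay": SERVER_PORT}


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def accept(receiver_role, dgram):
    """MUST accept from any source port; it only has to reach the receiver's designated port."""
    return dgram.dst_port == DESIGNATED[receiver_role]


def reply(receiver_ip, receiver_role, peer_role, dgram):
    """Return message goes to the peer's designated port regardless of the source
    port the peer used (the MUST); the sender uses its own designated port (the SHOULD)."""
    return Datagram(receiver_ip, DESIGNATED[receiver_role], dgram.src_ip, DESIGNATED[peer_role])


class StatefulUdpFirewall:
    """Toy stateful firewall: an outbound datagram opens a flow and an inbound one
    passes only if it is the exact reverse 4-tuple of an open flow."""
    def __init__(self):
        self.flows = set()

    def outbound(self, d):
        self.flows.add((d.src_ip, d.src_port, d.dst_ip, d.dst_port))

    def inbound_allowed(self, d):
        return (d.dst_ip, d.dst_port, d.src_ip, d.src_port) in self.flows


def reply_traverses_firewall(client_src_port):
    """A client behind the firewall sends from client_src_port to a server on 547;
    report whether the server's reply, sent to 546 per the MUST, gets back through."""
    fw = StatefulUdpFirewall()
    solicit = Datagram("2001:db8::10", client_src_port, "2001:db8::1", SERVER_PORT)  # constructed
    fw.outbound(solicit)
    assert accept("server", solicit)  # the server takes it from any source port
    advertise = reply("2001:db8::1", "server", "client", solicit)
    return fw.inbound_allowed(advertise)
```

reply_traverses_firewall(546) returns True while reply_traverses_firewall(40000) returns False: the reply to 546 never matches the ephemeral-port flow, so that client needs the "special rule" David mentions.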