Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA

Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 19 October 2017 09:07 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 949BB134824 for <dhcwg@ietfa.amsl.com>; Thu, 19 Oct 2017 02:07:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.633
X-Spam-Level:
X-Spam-Status: No, score=-2.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pLli76tmgl_9 for <dhcwg@ietfa.amsl.com>; Thu, 19 Oct 2017 02:07:41 -0700 (PDT)
Received: from oxalide-smtp-out.extra.cea.fr (oxalide-smtp-out.extra.cea.fr [132.168.224.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1FF4134826 for <dhcwg@ietf.org>; Thu, 19 Oct 2017 02:07:40 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id v9J97aTK143094; Thu, 19 Oct 2017 11:07:36 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 55199206E05; Thu, 19 Oct 2017 11:07:36 +0200 (CEST)
Received: from muguet2.intra.cea.fr (muguet2.intra.cea.fr [132.166.192.7]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 473F4206DD6; Thu, 19 Oct 2017 11:07:36 +0200 (CEST)
Received: from [10.8.34.184] (is227335.intra.cea.fr [10.8.34.184]) by muguet2.intra.cea.fr (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id v9J97ZVk009719; Thu, 19 Oct 2017 11:07:35 +0200
To: "Bernie Volz (volz)" <volz@cisco.com>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
References: <149869621720.6575.278128190348174876@ietfa.amsl.com> <08e4e953-3a68-d6cb-6066-f60514ef0ac5@gmail.com> <3285281858d043649d507b6bda7b8646@XCH-ALN-003.cisco.com> <1f94b780-59c1-42ce-936d-0c8a71143444@gmail.com> <37917a26062f4e4c9715d324604e4d01@XCH-ALN-003.cisco.com> <d944ac55-d67d-d7d4-8eeb-f60438fdda2d@gmail.com> <35558A79-C176-4D71-9E91-4BDB19DDD006@cisco.com> <67ba54d2-d53f-82bf-93c9-1b92631ef4e8@gmail.com> <86409a9acb7846ddbdff42c58328e7d6@XCH-ALN-003.cisco.com> <eccd5dd2-3542-fdbc-89a2-7d13d563163d@gmail.com> <2fbc8325961c49a1944e3ee216fcb032@XCH-ALN-003.cisco.com> <a3f9cd45-403a-c6f6-6e9a-98a9b651a339@gmail.com> <4c25045f863a4e368f58a5a4a3917bde@XCH-ALN-003.cisco.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <37918108-c5ed-a82d-2d97-227388ec25d0@gmail.com>
Date: Thu, 19 Oct 2017 11:07:35 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <4c25045f863a4e368f58a5a4a3917bde@XCH-ALN-003.cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/k8Co_Ux07bFZLhrhwBY64til4Vs>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Oct 2017 09:07:43 -0000


Le 18/10/2017 à 22:35, Bernie Volz (volz) a écrit :
> The server vendor is in error here ... as far as I know, clients use 
> the link-local address.

Noted.  I will continue using the LL address in src of DHCPv6 Solicit.

> The issue for the server vendor may be then how does the server tell 
> where the client is ... and, in that case, you do what was done for 
> DHCPv4 before -- you use the (non link-local) address of the 
> interface on which the request was received (since that it the 
> network on which the client is located). That's exactly what section 
> 13.1 states:
> 
>>> *  If the server receives the message directly from the client 
>>> and the source address in the IP datagram in which the message 
>>> was received is a link-local address, then the client is on the 
>>> same link to which the interface over which the message was 
>>> received is attached.
> 
> Note that the DHCP Client test equipment vendor also appears not to 
> be following standard transmission rules (i.e., to use a link-local 
> address). But, you haven't indicated (I don't think) what the 
> destination address for these DHCPv6 requests are - perhaps they
> were configured to be a GUA (and then it makes sense for the clients
> to use a GUA).

The dst address is the link-scoped multicast address.

The capture of address header of a successful DHCPv6 Solicit and DHCPv6
Advertise executed on a simulator client and simulator server is the
following:

GUA_prefix::2:0:0:4e:2201.546 > ff02::1:2.547:  [udp sum ok]
[...]
fe80::IID.547 > GUA_prefix::2:0:0:4e:2201.546:  [udp sum ok]

> To summarize: - If destination of client is link-local [multicast] 
> address, source SHOULD be link-local.

Agreed.

> (This probably could be a MUST but there might be some odd instances
>  where this is not appropriate - such as point-to-point links.

These odd instances should be described.

> Note also that I don't think there's a restriction that a source 
> address may have wider scope than a destination address.)

I think there may be an RFC about matching scopes of addresses in a same 
packet.

> - If destination of client is GLA, source MUST be GLA (otherwise, 
> replies cannot be returned to the client).

But the dst of a Solicit MUST NOT be a GLA (what I call GUA:
Globally-Unique Address).

[...]

> Again, the NORMAL case for this particular Server, is to show 
> GUA-in-src, not LL-in-src.  It is a simulator from a large equipment 
> manufacturer.  That simulator is pretended to work accordingly to the
> real network.
> 
> BV> This seems wrong on the simulator's part. But again, please 
> specify what the destination address is.

It is ff02::1:2.547.

[...]

>> I could see that if a client used a GLA and the server was the 
>> first hop (no relay),

YEs, the Server and Client are normally 'on the same link'.  There is no
Relay.

However, that link is not the typical Ethernet link.  It is a cellular link.

This link has the following nodes: User Equipment, eNodeB, SGW and PGW.

The protocol on User Equipment is native IPv6.  But this is encapsulated
by SGW and PGW in another protocol called GTP.  The GTP protocol is an
IPv4 protocol.  Further, it is an UDP protocol too.

>> it could drop it if the GLA address as it could mean it has no 
>> configuration for that "location". Remember the text from 13.1:
>> 
>>> *  If the server receives the message directly from the client 
>>> and the source address in the IP datagram in which the message 
>>> was received is not a link-local address, then the client is on 
>>> the link identified by the source address in the IP datagram

Er, a link is identified by the src address?  I think this is wrong.  A
link could be identified by a prefix.

>>> (note that this situation can occur only if the server has 
>>> enabled the use of unicast message delivery by the client and
>>> the client has sent a message for which unicast delivery is 
>>> allowed).

Er, I think it is forbidden to use unicast addresses in dst of DHCPv6
Solicit.  You seem to say this is configurable.  But the PGW cant do it.

>> Also, some servers could respond with Use Multicast unless 
>> server-unicast option has been configured.

So there is a server-unicast option?  Does this option mean that the
Solicit could be sent to the unicast address to the server, instead of
multicast?

This could solve many problems related to multicast.

>> It may be that they use the source address to determine this 
>> (rather than the destination address, which as you say really 
>> should be used when server receives packet directly)?
>> 
>> 
>> I'm confused as I think you are saying in:
>> 
>>> I explain why: about 4 distinct clients use LL in src.  If I want
>>> these clients to use GUA then I must delete the LL from the 
>>> interface.
>> 
>> That you actually want the global unicast address to be used by the
>> client, not the link-local?
> 
> I want to not modify the Clients.  The 4 Clients all use LL-in-src. 
> But the Server examples use GUA-in-src.  A Server example is a
> packet trace executed on a simulator that pretends to be like in
> reality. That simulator uses GUA-in-src.  So, I am told, if I want to
> be interoperable to that Server, I must do what that simulator does:
> put GUA-in-src.  So I delete the LL from the interface on the
> Client.
> 
> Do you think it is normal to delete the LL from the interface?
> 
> BV> That seems rather bizarre to me ... not sure how other IPv6 
> services (ND, DAD, etc.) might be impacted? BV> My recommendation is 
> to get the server vendor to fix it

I agree.

> as this is rather broken and others will have problem as well. If
> the server vendor wants to sell their server, they will need to
> correct it.

The server is already sold.  I think if they want to sell more of them
then they must be compatible with existing clients.

It is not by using client and server from same manufacturer that
interoperability is guaranteed.

>> For what it is worth, the server I work on doesn't care what the 
>> client's source address is. We monitor the destination address 
>> (when packet is received).
> 
> "Does not care" - ok.
> 
> But does it accept a Solicit with LL-in-src?
> 
> BV> Yes. That is what 100% of the clients I've ever seen send so our 
> server would not be servicing millions of IPv6 clients if it dropped 
> those packets. (And, yes, it is millions based on just one single 
> customer deployment -- and we have many more customers that are
> using IPv6.)

I agree, I see the same.

Alex
[...]