Re: [dhcwg] Comments on draft-ietf-dhc-addr-notification-00
Bernie Volz <bevolz@gmail.com> Thu, 03 August 2023 01:28 UTC
Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F04AC1519A0; Wed, 2 Aug 2023 18:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W7FRUg6hVE1e; Wed, 2 Aug 2023 18:28:37 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 731ADC1516EB; Wed, 2 Aug 2023 18:28:37 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id af79cd13be357-76cc4d495deso25563785a.0; Wed, 02 Aug 2023 18:28:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1691026116; x=1691630916; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=3RuYCp+Uo+jW2GO+ZDNKAks6c3R1ajxa8Gj+nrjTmhQ=; b=fSG3sVaUypIvOE6GHya99ZRBYbz8ET+PE8pvhEH1lUBcxft6K/oohCgvzbAGMN0Zcx Iad3tlDBBHgwsehUUmTrooKBfTmToibvQyI3wUW7m3FIkucluDq7GPlzfe9HF2yYlcVJ hMowBPRzh1HbUfsykMa+l3A7nWhXV+crQaXsJ3ANXZ81EM5cqUhliKlfysDclbZoYGhA Ut9BbIDzUk18FKaP+DGArFJAAIyaUhK3DTEUm7Gm8TjG1EXuTniAlPpZFYQIJVx6CHes utx7Hj4JBn+Z4z64cse9MxwHdEInmfri+LLlZP4BU/RsK8R1HywGp8PH5QHcUgbXkaoT ND0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691026116; x=1691630916; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3RuYCp+Uo+jW2GO+ZDNKAks6c3R1ajxa8Gj+nrjTmhQ=; b=kHp98a56cbSE5hqMbOaQtYL7EzcZOG5zQX02/Ht/E3I6xGvghsLolMQYGXK272maNi wQ/iso6Ts+OP9Q27CLIyiY9ydNhdavxcZDS7dD95P7sngmywHLrxgmDG6jWmfH7C+pJ0 SmMfcwNOjohSC+qGjjSqWRRMw/M0Zq5TqiQmADqEmzWXzEcfcMczXQFL9luhG5icDkLe B/H5lSfcnRP0BaM/PMgH4RTI2INiIE5t8xYfJYqergKQxyRqfY0uEMZFWqJbJ8+GWu8V kKM57VjxMc1XW8B/ftGaPQYEx3Q17BCnqLTJ+lCem+CDX1oiJjR5beurWXiOe+S4wyLD fJPQ==
X-Gm-Message-State: ABy/qLYLdxTU0/tWsAPs1HWsFnMLyeNunvLSpY2Iv+bvAl6KuUMqY14G LfRAUxgLQ6voXxmzr0alA2p6k9YY/Q==
X-Google-Smtp-Source: APBJJlG5UKXPu3DenpTTdE1QkJOcL1ox9jffvR9ENlC/3AVt6CIBXHtEOYygCLDy0LjBQgMzk16qug==
X-Received: by 2002:a05:620a:4054:b0:765:5a1f:89 with SMTP id i20-20020a05620a405400b007655a1f0089mr22846039qko.13.1691026115824; Wed, 02 Aug 2023 18:28:35 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id h11-20020a05620a13eb00b0076c72dad35dsm5338792qkl.63.2023.08.02.18.28.35 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Aug 2023 18:28:35 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 02 Aug 2023 21:28:24 -0400
Message-Id: <DA4EAFF0-D900-4BED-B016-35409FE19169@gmail.com>
References: <CAFU7BARi2D3xr9_ZOD8rx4hdfs1PKymQrFAOaiUGdF1nTi4g4A@mail.gmail.com>
Cc: draft-ietf-dhc-addr-notification@ietf.org, dhcwg <dhcwg@ietf.org>
In-Reply-To: <CAFU7BARi2D3xr9_ZOD8rx4hdfs1PKymQrFAOaiUGdF1nTi4g4A@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
X-Mailer: iPad Mail (20F75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/kghxHhZcmKwzOmz5yyaaEVfKWYg>
Subject: Re: [dhcwg] Comments on draft-ietf-dhc-addr-notification-00
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2023 01:28:42 -0000
Hi. Thanks. A few further comments on -01: In section 4.1: Unlike other types of messages, which are sent from the link-local address of the client, then ADDR-REG-INFORM message MUST be sent from the address being registered. This is primarily for "fate sharing" Then should be the. In section 4.1.1: * the message does not include the IA Address option, or the IP address in the IA Address option does not match the source address of the original ADDR-REG-INFORM message sent by the client. If may be wise to help server implementers to understand where this “source address of original”? If not relayed, the IPv6 source address; if relayed, the innermost Relay-Forw’s message peer-address field? I just fear someone reading this may miss this subtle difference and we end up with broken implementationsm when relays are involved? In section 4.3: The client MUST refresh the registration every AddrRegRefresh seconds, where AddrRegRefresh is min(1/3 of the Valid Lifetime filed in the very first PIO received to form the address; 4 hours). Is it normal for clients to retain this initial Valid Lifetime? What happens if a client updates its software to support this work but that doesn’t involve a reboot? My guess is you want this value used as it might be less likely to be ending soon if there is a renumber event coming (where the lifetime left might be minutes)? Or, why is this very first so critical? In section 7: This document defines two new DHCPv6 messages, ADDR-REG-INFORM message (TBA1) described in Section 4, and ADDR-REG-REPLY (TBA2) described in Section 5, that requires an allocation out of the registry of Message Types defined at http://www.iana.org/assignments/ dhcpv6-parameters/. The sections were renumbered and so both are in section 4 now … section 4.1 & 4.2? If you use xml2rfc, perhaps you should use section anchors and references to the anchors so renumbering automatically fixes the text? - Bernie (from iPad) > On Aug 2, 2023, at 2:39 AM, Jen Linkova <furry13@gmail.com> wrote: > > Hi Bernie, > > Thank you for the review and comments! > We've just submitted the -01 version which should address your comments. > See below. > >> On Fri, Jul 28, 2023 at 2:16 AM Bernie Volz <bevolz@gmail.com> wrote: >> It is very common operational practice, especially in enterprise >> networks, to use IPv4 DHCP logs for troubleshooting or security >> purposes. Examples of this include a helpdesk dealing with a ticket >> BV> Perhaps "help desk"? > > Ack, fixed. > >> This operational practice relies on the DHCP server knowing the IP >> address assignments. Therefore, the practice does not work if static >> IP addresses are manually configured on devices or self-assigned >> addresses (such as when self-configuring an IPv6 address using SLAAC >> [RFC4862]) are used. >> >> The lack of this parity with IPv4 is one of the reasons which may be >> hindering IPv6 deployment, especially in enterprise networks. >> >> This document provides a mechanism for a device to inform the DHCPv6 >> server that it has a self-configured IPv6 address (or has a >> statically configured address), and thus provides parity with IPv4 in >> this aspect. >> BV> I'm not sure how strong this argument is. In IPv4, the network does >> BV> not learn of "static" addresses; the reason it works better in IPv4 >> BV> is that (almost) all clients implement DHCPv4 - whereas some (Google) >> BV> have decided not to implement DHCPv6 and hence that is reason this >> BV> is needed for IPv6. > > Not having stateful DHCPv6 is a valid deployment model (not possible > in the IPv4 world though). > For example, the IETF network provides stateless DHCPv6 only. Such > networks might want to collect information about SLAAC assigned > addresses. > Such networks might want to know about devices and their addresses. > > Also, even in a presence of stateful DHCPv6 (and RAs with M flag set), > the host might (and, AFAIK, most of implementations do) form both > DHCPv6-provided and SLAAC addresses. More specifically, if the network > is IPV6-only, even if in the presence of DHCPv6 servers, > DHCPv6-enabled hosts can generate checksum-neutral 464xlat addresses > via SLAAC. > > In addition to that, there are cases when running a stateful DHCPv6 > server might be an overkill (phone hotspots etc). > > Do you think we need more text in the draft about this? > >> 3. Registration Mechanism Overview >> After successfully assigning a self-generated IPv6 address on one of >> its interfaces, a client implementing this specification SHOULD >> multicast an ADDR-REG-INFORM message in order to inform the DHCPv6 >> server that this self-generated address is in use. >> BV> Perhaps say "(see Figure 1)" or "as shown in Figure 1"? > > Fixed. > >> 4. DHCPv6 ADDR-REG-INFORM Message > >> The ADDR-REG-INFORM message MUST NOT contain server-identifier option >> BV> Use "Server Identification option" as that is official name? > > Fixed, thank you! > >> and MUST contain the IA Address option. The ADDR-REG-INFORM message >> is dedicated for clients to initiate an address registration request >> toward an address registration server. Consequently, clients MUST >> NOT put any Option Request Option(s) in the ADDR-REG-INFORM message. >> Clients MAY include other options, such as the Client FQDN Option >> [RFC4704]. >> >> BV> I think some text here would be useful as to what should be placed in >> BV> the preferred/valid lifetime values (are both used or is preferred perhaps >> BV> set to 0 as it really isn't applicable to registration). > > Oh thank you, that's a good point. The server does need to know the > preferred lifetime (see Section 6.3, Registration Expiry and Refresh), > so we added the text to clarify that the client needs to put the > actual lifetime values into those fields. > >> Also, do static >> BV> addresses have different (valid) lifetimes than RA (PIO) derived ones >> BV> (which likely use the remaining preferred/valid lifetimes from the PIO >> BV> times)? > > Most likely, but I'm not sure it matters - the client shall populate > the field with whatever lifetimes are currently set for the address. > >> The ADDR-REG-INFORM message MUST contain an IA Address option for the >> address being registered. >> BV> This is "ADDR-REG-REPLY" message. > > Fixed. > >> BV> What should be put in lifetimes in IA Address option? Should these >> BV> just be values received by server or should fields be set to 0 and >> BV> ignored by client receiving the message? > > The draft updated to explicitly specify that the server must just copy > the option. > >> * The IA-Address option does not match the address being registered >> BV> Add period? Or should this be list that uses semicolons? > > Fixed. > >> 6.1. DHCPv6 Address Registration Request >> >> The client sends a DHCPv6 ADDR-REG-INFORM message to the address >> registration server to the All_DHCP_Relay_Agents_and_Servers >> multicast address (ff02::1:2). The client MUST only send the packet >> on the network interface that has the address being registered (i.e. >> if the client has multiple interfaces with different addresses, it >> should only send the packet on the interface with the address being >> BV> This "should only" is a bit weird given the MUST. But I think the >> BV> idea is similar to that in RFC8415 section 17.1? Maybe suggest >> BV> readers refer to that section? > > We've rephrased it, PTAL. > >> registered). The client MUST send the packet from the address being >> registered. This is primarily for "fate sharing" purposes - for >> BV> I think highlighting this difference from the normal client behavior >> BV> to use the link-local address is important to make it stand out? >> BV> Perhaps say, "Note that the client MUST NOT send this message using its >> BV> link-local address as for normal DHCPv6 client behavior as in RFC8415."? > > Sure, the text has been added. > >> example, if the network implements some form of L2 security to >> prevent a client from spoofing other clients' addresses this prevents >> an attacker from spoofing ADDR-REG-INFORM messages. The client MUST >> send separate messages for each address being registered. >> BV> Would repeating that only one IA Address option with the address >> BV> being registered MUST be included here be useful? > > Done, the draft is now saying that the INFORM MUST contain exactly one > AI Address option. > >> After receiving this ADDR-REG-INFORM message, the address >> registration server SHOULD verify that the address being registered >> is "appropriate to the link" as defined by [RFC8415]. If the server >> believes that address being registered is not appropriate to the >> BV> "that [the] address"? > > Thanks, fixed! > >> link [RFC8415], it MUST drop the message, and SHOULD log this fact. >> If the address is appropriate, the server: >> >> * SHOULD register or update a binding between the provided Client >> Identifier and IPv6 address in its database; >> BV> Add something about registering or extending an existing reservation >> BV> by the [valid] lifetime in the IA Address option? Also, maybe mention >> BV> the 0 case? I.E., if [valid] lifetime is zero, remove any existing >> BV> reservation? > > Text added. > >> BV> When creating/updating a registration, obviously it should only occur >> BV> if there is not already a registration for a different client. > > > Make sense, text added to log the event if the same address is > registered by another client. > >> * SHOULD log the address registration information (as is done >> normally for clients which have requested an address), unless >> configured not to do so; >> >> * SHOULD mark the address as unavailable for use and not include it >> in future ADVERTISE messages. >> BV> should replace . with ; as list not done? > > We replaced all of those with dots. > >> * SHOULD send back an ADDR-REG-REPLY message. >> >> If the DHCPv6 server does not support the address registration >> function, it MUST drop the message, and SHOULD log this fact. >> BV> Do we really want to recommend "SHOULD log this fact"? This makes >> BV> all existing implementations that may not log unknown messages >> BV> violate a SHOULD? Do we even this paragraph? > > You are right, the text is removed. > >> DHCPv6 relay agents and switches that relay address registration >> messages directly from clients SHOULD include the client's link-layer >> address in the relayed message using the Client Link-Layer Address >> option ([RFC6939]) >> BV> Needs period to end sentence. > > Fixed. > >> BV> I wonder if missing from this section is anything about delaying the >> BV> initial address registration request? Once an RA with the M or O bits >> BV> is sent on a network that might not have had either set, the server >> BV> could receive a flood of registration requests if there is no initial >> BV> delay. Perhaps when clients reboot, this isn't as much of a problem as >> BV> it may take the client some (random) time to finalize the SLAAC address >> BV> before sending out, but in other cases (such as setting M or O that >> BV> hadn't been set before) could cause a storm? May just be better to >> BV> always require SOL_MAX_DELAY random initial interval? Or add a new >> BV> ADDR_REG_MAX_DELAY? > > I believe this would not be necessary. The client would not register > an address until DAD is completed. > DAD Neighbor Solicitations are sent with random delay > (https://datatracker.ietf.org/doc/html/rfc4862#section-5.4.2), so the > hosts would not move their tentative addresses to 'preferred' state at > the same time anyway. > >> 6.2. DHCPv6 Address Registration Acknowledgement >> >> The server SHOULD acknowledge receipt of an ADDR-REG-INFORM message >> by sending a ADDR-REG-REPLY message back, using the address being >> registered as the destination address for the packet. >> BV> This is a bit simplistic. If not relayed, this would be the case. >> BV> If relayed, the path must be via the normal relayed path and the >> BV> relay closest to the client would use the peer-address field which >> BV> contains the client's address. (The server would use the relayed >> BV> packet's IPv6 source address -- basically, in all cases the IPv6 >> BV> source address of the packet received by the server is used.) > > Yes, you are right. If the INFORM message is not relayed, the REPLY's > destination address is the address being registered. > For the relayed messages the server would craft Relay-reply. Please > review the new text, I hope it's better now. > >> 6.3. Registration Expiry and Refresh >> >> The client MUST refresh the registration every AddrRegRefresh >> seconds, where AddrRegRefresh is min(1/3 of the Valid Lifetime filed >> in the very first PIO received to form the address; 4 hours ). >> BV> Perhaps the above is also what should be sent in the [preferred] >> BV> lifetime (see comment below and earlier on lifetimes and how they >> BV> are to be interpreted) or some multiple of this value to allow >> BV> "time" for update communication to happen? Also, this "Valid >> BV> Lifetime" here is a bit odd given text below about preferred lifetime? >> If the address registration server does not receive such a refresh >> after the preferred lifetime has passed, it SHOULD remove the record >> of the Client-Identifier-to-IPv6-address binding. >> BV> Is it preferred or valid lifetime? Whatever you chose, might require >> BV> some adjustment to my comments earlier (use preferred vs valid)? > > We are now using the valid lifetime everywhere. > >> 9. IANA Considerations >> >> This document defines a new DHCPv6 message, the ADDR-REG-INFORM >> message (TBA1) described in Section 4, that requires an allocation >> out of the registry of Message Types defined at >> http://www.iana.org/assignments/dhcpv6-parameters/ >> BV> What about ADDR-REG-REPLY (TBA2)? Also, add period to end of sentence? > > Fixed. > > -- > SY, Jen Linkova aka Furry
- [dhcwg] Codepoint for draft-ietf-dhc-addr-notific… Lorenzo Colitti
- Re: [dhcwg] Codepoint for draft-ietf-dhc-addr-not… Erik Kline
- Re: [dhcwg] Codepoint for draft-ietf-dhc-addr-not… Lorenzo Colitti
- Re: [dhcwg] Codepoint for draft-ietf-dhc-addr-not… Ole Trøan
- Re: [dhcwg] Codepoint for draft-ietf-dhc-addr-not… Bernie Volz
- [dhcwg] Comments on draft-ietf-dhc-addr-notificat… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Jen Linkova
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Li HUANG
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Jen Linkova
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Jen Linkova
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Jen Linkova
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Jen Linkova
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Bernie Volz
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Michael Richardson
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Li HUANG
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti
- Re: [dhcwg] Comments on draft-ietf-dhc-addr-notif… Lorenzo Colitti