IETF Logo Mail Archive

Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

Bernie Volz <bevolz@gmail.com> Sat, 13 August 2022 14:45 UTC

Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF9B3C13CCD2 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:45:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.103
X-Spam-Level:
X-Spam-Status: No, score=-7.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frWvcL414Js9 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:45:44 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF909C14F72C for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:45:44 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id h22so2735076qtu.2 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:45:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=UFb1eQdtVeK007PUC1iAAEpjS3EDPqGIOsOPzzepg98=; b=hjDkLKiHOhiCIW6XKrbvhuhRicHRX8qHLyNDqrNtRgVYaRUiKLh5L6rkePmuc9MeI+ H/yaYE7YivmFQK6XLm0IYOdi3KFTRFm/9jCdeQgpP+W63ufQPZoYFWOkaLQBHeLjBMQC EzXBeGgCK5aVd/Bt2y66hibnVA2T5hoWRg7aE/mWGnYCK1XqkKoIE4W00UgEZbNrss8h hGPAz+nL1EG7rZ3iomo+BK3AJmiK5WPb4Aaieyn0O3MmG4BJaNzUJIvObyjhVhW+5D9+ +2gbfW2g7ZU3MQqWBrQy2i7ohxyeqWn5b4DN9CC6UjpAbLk+i6wgl7mYpeeRaXLu2D2y j1jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=UFb1eQdtVeK007PUC1iAAEpjS3EDPqGIOsOPzzepg98=; b=AIQXDZa7InSX6NBYh+j3Vleld5HazwC6YyFi3nTFl6q5oaXel3yboPU15188Tm1EWs XYk2j4uiKaLJJrou4ii6C9jP0oG4xI7Ed06Kpxq4HXUa2Bs7e9nojz4PthvD97YFM+vi 4tPLEFotER9E250KbyO4OmI30qeQLbvUHRTtn4Scvo52xTaRn724xC6A6mA5bO+fFn3B C5ZOJM5uCrCRKe5DWxPIG/xc9XzCyVKfNKDLm3FhrmgIVXhDeWcZHyPMtACoZzBRxVmT A1PYOgYIipi/rgmPdhiBAjAQbI7WFHphejGmkPFMvoMERBURZq1O/3VKd4yqEptXXmNO L7+w==
X-Gm-Message-State: ACgBeo2cC3hhhPZlV1zWHP+AaKjpSbQSQGdMv2bve2+0MO9Ne8LysjDi cQ+/mNwZTEC2AkClCs0Y4c0+X9MYLg==
X-Google-Smtp-Source: AA6agR4pMJL2iIaQKx4DKJJPmhvSLjlEPQdA2OTwlpGv3M9ZMUrJOkrLLHDzWASCF5exCpNs2e3Lsw==
X-Received: by 2002:ac8:4e51:0:b0:344:5515:6fb2 with SMTP id e17-20020ac84e51000000b0034455156fb2mr1069858qtw.368.1660401943479; Sat, 13 Aug 2022 07:45:43 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id l1-20020a05620a28c100b006b935e96f0bsm4183555qkp.12.2022.08.13.07.45.42 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 07:45:42 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-987EA7D0-2F2E-4BDC-A710-5DFD6D85F5B4"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Aug 2022 10:45:41 -0400
Message-Id: <1BCD0027-AC0A-470E-8673-58956220D5E2@gmail.com>
References: <6C6A01B5-3FDB-4500-A3F2-5C15A8F2D322@fugue.com>
Cc: Michael Richardson <mcr@sandelman.ca>, dhcwg@ietf.org
In-Reply-To: <6C6A01B5-3FDB-4500-A3F2-5C15A8F2D322@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: iPad Mail (19G71)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/l0ughPtFBpULTHnUrmwzvl08D3s>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 14:45:48 -0000

A client can request any number of addresses … IA_NA has IAID.

- Bernie (from iPad)

> On Aug 13, 2022, at 10:25 AM, Ted Lemon <mellon@fugue.com> wrote:
> 
> The reason that DHCPv6 IA_NA has not gotten full implementation in clients is because it can be used to force clients to use a single stable address. I know you’ve heard this said before, Bernie.
> 
> This is why I would argue for deprecating IA_NA—it threatens the whole IPv6 addressing architecture and makes it more likely that homes will wind up having single addresses as is currently the case with IPv4.
> 
> IOW this is a compromise position: people have said they want DHCPv6 address assignment because they want to track clients, not because they want to constrain them to single addresses. If that’s so, then having clients implement this behavior would address that problem without throwing the baby out with the bathwater.
> 
> On the other hand, maybe that was never the issue in the first place, in which case this proposal will force people to advocate for what they really want, and force us to have the addressing architecture discussion.
> 
> It’s really unfortunate that DHCPv6 has found itself in the position of being the place in which this battle has been fought for lo these many years, but there’s not much we can do to change that, unfortunately.
> 
> Sent from my iPad
> 
>>> On Aug 13, 2022, at 10:21 AM, Bernie Volz <bevolz@gmail.com> wrote:
>>> 
>> I understand this “control” difference. But why should a client care whether it gets address A or B? If there is a requirement to provide a client a specific address, DHCPv6 servers support reservations (typically based on client id, DUID, but there are other possibilities). And clients can suggest addresses, and a server generally could allow that address to be used unless there is a specific conflict?
>> 
>> - Bernie
>> 
>>>> On Aug 13, 2022, at 10:14 AM, Ted Lemon <mellon@fugue.com> wrote:
>>>> 
>>> If a client wants to do DNS registration, the DNSSD service registration protocol might be a good option: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/
>>> 
>>> As to why not use DHCPv6 IA_NA, the answer is that this allows the DHCP server to control the client’s address, whereas registering the address doesn’t give the DHCP server that sort of control. This is a significant difference, and is why a client implementation might choose to include registration, but not IA_NA allocation.
>>> 
>>> Sent from my iPad
>>> 
>>>>> On Aug 13, 2022, at 7:43 AM, Bernie Volz <bevolz@gmail.com> wrote:
>>>>> 
>>>> 
>>>> These are great points Michael.
>>>> 
>>>> For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues.
>>>> 
>>>> If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between?
>>>> 
>>>> - Bernie Volz
>>>> 
>>>>>> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote:
>>>>>> 
>>>>> 
>>>>> This document seems to require many changes to many systems.
>>>>> Do I hear that Google is willing to do this for Android?
>>>>> I am very enthusiastic about having better information.
>>>>> 
>>>>> It works only if all the devices implement it, it's not that useful until all
>>>>> the devices do it.  Until that happens, then it's completely useless to the
>>>>> helpdesk.
>>>>> It requires updates to DHCPv6 server, assuming that there is one, which if
>>>>> you are using SLAAC... you probably don't even have one.
>>>>> It does not require updates to the core routers, which is the only
>>>>> interesting part.  {But, in homes and small offices, and remotely supported
>>>>> small offices with a b2b ISP..., that's all the same openwrt box.}
>>>>> 
>>>>> It seems that if one already had an SNMP or YANG/NETCONF feed from the
>>>>> routers for the Neighbor Entry Cache, that feeding that into the "database"
>>>>> would be good.
>>>>> 
>>>>> Warren eventually says that he thinks this would be *more* complicated, and I
>>>>> read his slide 10.... and come-on.   You hacked up something that needs to be
>>>>> clearly coded correctly in the router.  Yes, it's chatty, but it doesn't need
>>>>> to tell about every state transition.
>>>>> BUT, even if it did, who cares if you can't read it scrolling on your screen.
>>>>> That's what the networking monitoring system is for.  Actually, I think you
>>>>> just proved how easily this could be done even without code changes to the routers.
>>>>> 
>>>>> So, I don't think that I agree at all.  The best part about linking it to the NCE
>>>>> is that if the NCE is bad, overwhelmed or has been forged, then the client
>>>>> machine probably doesn't get connectivity anyway.  There is some fate sharing here.
>>>>> 
>>>>> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay
>>>>> path.  This is very much akin to the Accounting records that radius sends.
>>>>> Doing it this way links the v6 address more directly to the MAC address,
>>>>> while not requiring the host to actually know what it is doing.
>>>>> 
>>>>> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security
>>>>> mechanisms they already have, but I'm not really sure how this should involve
>>>>> the client system.
>>>>> 
>>>>> And...if I was going to upload all the source code, the first thing I'd do is send
>>>>> one of these messages saying that I'm either the CEO, or the new hire, and then do it.
>>>>> 
>>>>> --
>>>>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>>>>           Sandelman Software Works Inc, Ottawa and Worldwide
>>>>> _______________________________________________
>>>>> dhcwg mailing list
>>>>> dhcwg@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dhcwg
> 
>>>> _______________________________________________
>>>> dhcwg mailing list
>>>> dhcwg@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email