Re: [dhcwg] Comments on draft-gandhewar-dhc-relay-initiated-release-00.txt and draft-gandhewar-dhc-v6-relay-initiated-release-00.txt
Sunil Gandhewar <sgandhewar@juniper.net> Tue, 04 August 2015 14:53 UTC
Return-Path: <sgandhewar@juniper.net>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02F91A0143 for <dhcwg@ietfa.amsl.com>; Tue, 4 Aug 2015 07:53:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id inyspyHsAFVO for <dhcwg@ietfa.amsl.com>; Tue, 4 Aug 2015 07:53:54 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0736.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67F51A01D6 for <dhcwg@ietf.org>; Tue, 4 Aug 2015 07:52:40 -0700 (PDT)
Received: from BLUPR0501MB1043.namprd05.prod.outlook.com (10.160.35.142) by BLUPR0501MB1044.namprd05.prod.outlook.com (10.160.35.143) with Microsoft SMTP Server (TLS) id 15.1.225.19; Tue, 4 Aug 2015 14:52:22 +0000
Received: from BLUPR0501MB1043.namprd05.prod.outlook.com ([10.160.35.142]) by BLUPR0501MB1043.namprd05.prod.outlook.com ([10.160.35.142]) with mapi id 15.01.0225.018; Tue, 4 Aug 2015 14:52:22 +0000
From: Sunil Gandhewar <sgandhewar@juniper.net>
To: "Bernie Volz (volz)" <volz@cisco.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: Comments on draft-gandhewar-dhc-relay-initiated-release-00.txt and draft-gandhewar-dhc-v6-relay-initiated-release-00.txt
Thread-Index: AdDOBUDbRxBUVYvET6+lvnoej2ZZ3gAAMSvgAALW15AAAQTO8AAr15dw
Date: Tue, 04 Aug 2015 14:52:22 +0000
Message-ID: <BLUPR0501MB1043E2B1D6D7F989B89C1F3AC2760@BLUPR0501MB1043.namprd05.prod.outlook.com>
References: <BLUPR0501MB1043459A62E93FD0442F8253C2770@BLUPR0501MB1043.namprd05.prod.outlook.com> <489D13FBFA9B3E41812EA89F188F018E1CC23471@xmb-rcd-x04.cisco.com> <BLUPR0501MB104311B2C33604B0D73699FDC2770@BLUPR0501MB1043.namprd05.prod.outlook.com> <489D13FBFA9B3E41812EA89F188F018E1CC23686@xmb-rcd-x04.cisco.com>
In-Reply-To: <489D13FBFA9B3E41812EA89F188F018E1CC23686@xmb-rcd-x04.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sgandhewar@juniper.net;
x-originating-ip: [116.197.184.13]
x-microsoft-exchange-diagnostics: 1; BLUPR0501MB1044; 5:wSr8UjTUAjDbKfYWrqO3rtCTyZUGWaVOSNVh8qGS2V3zeTXHftbuZkjym3PPeyc4t4jchPkaKdAYSDsRSUGo/AVWbqepiTHcUAVMwyArAX3wN78iST4Lf97Sm36GImQEFSjRSTDqbHcWASMR+3JO3Q==; 24:BBeVG7XwfdKAWVLyPodwnBPP9TPLTXEzOrL68GMWOCvxIPDus89eTg4JvrM0rJrXFMGJf/f/lbswiDDorUwb2qFm8JsutHvZu7TjQ6a7G1w=; 20:sgBszU8wpJlzE/F2ADGn486hG51dFsn0Rb2Fg3lnJynMkS/bG/0XN8ekRPDAsjPwEfQ+tN+ETACp65+VyXmMRw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR0501MB1044;
x-microsoft-antispam-prvs: <BLUPR0501MB1044909C43F2C246C0AFC0B8C2760@BLUPR0501MB1044.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BLUPR0501MB1044; BCL:0; PCL:0; RULEID:; SRVR:BLUPR0501MB1044;
x-forefront-prvs: 0658BAF71F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(189002)(377454003)(51914003)(86362001)(81156007)(5001860100001)(54356999)(5002640100001)(2656002)(99286002)(102836002)(77096005)(5001830100001)(87936001)(230783001)(93886004)(189998001)(2950100001)(2501003)(68736005)(106356001)(105586002)(5001960100002)(107886002)(33656002)(15975445007)(5003600100002)(74316001)(19625215002)(4001540100001)(50986999)(76176999)(101416001)(97736004)(92566002)(5001770100001)(18717965001)(16236675004)(19580395003)(19580405001)(19300405004)(66066001)(19609705001)(2900100001)(76576001)(40100003)(122556002)(64706001)(46102003)(77156002)(62966003)(4001430100001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR0501MB1044; H:BLUPR0501MB1043.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_BLUPR0501MB1043E2B1D6D7F989B89C1F3AC2760BLUPR0501MB1043_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2015 14:52:22.9119 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR0501MB1044
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/lmnI8zjNHiI9klz0qVuCm6yXlDc>
Cc: Sunil Gandhewar <sgandhewar@juniper.net>
Subject: Re: [dhcwg] Comments on draft-gandhewar-dhc-relay-initiated-release-00.txt and draft-gandhewar-dhc-v6-relay-initiated-release-00.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2015 14:53:59 -0000
Hi Bernie, I think since multiple client data can be combined into one packet, it improves on packet-flooding DoS attacks. I understood now the case where device is behind the CPE. I am wondering what might be better way to document this. I am trying to cover both the caases below, the one Ian pointed out and the one you explained below. Do you think more explainatory examples are needed here? Does this description below would be enough to exclude the cases due to the network? Please suggest. Thanks a lot Bernie. Applicability Statement (section 1.1 under Introduction): With the Relay Initiated Release, the DHCP client's binding gets cleared from Relay towards the Server. There is no way to inform this to the client. If client maintains the state across reboots (e.g. client does not send release on power down and remembers the address and lease period on it's reboot/wakeup), it may start using the address for the remaining lease period. This will cause network issues as Relay and Server had cleared the binding whereas client is still using it's old state. This document is not applicable where client remembers states across it's reboot. For Relay Initiated Release to function properly, client MUST reestablish the binding on every power-on. The binding MUST come back with the normal mechanism on every power on. In the network topology where DHCP client is not directly connected to the relay, when the network connection goes down relay would initiate the release and clear the binding for the client in the network. When the network connection comes back up, client has not actually powered off/on, and so client will continue to use the address it was using. Relay Initiated Release should not be used in such cases where there is no clear way to distinguish between network issue and client actually went off. Relay Initiated Release is useful in the cases where there is a way to clearly know that the client actually went down, replaced or moved and will re-establish the binding when comes back. Regards, Sunil Gandhewar Juniper Networks, Inc. sgandhewar@juniper.net<mailto:sgandhewar@juniper.net> From: Bernie Volz (volz) [mailto:volz@cisco.com] Sent: Monday, August 03, 2015 11:31 PM To: Sunil Gandhewar; dhcwg@ietf.org Subject: RE: Comments on draft-gandhewar-dhc-relay-initiated-release-00.txt and draft-gandhewar-dhc-v6-relay-initiated-release-00.txt > Regarding security considerations, multiple client data can be combined into one message under Client_Data_option. Thus it can avoid too many messages i.e. need not be one message per client. I understand that combining. But your security considerations doesn't really mean anything with this respect. This does nothing related to Denial of Service. I am thinking about the DOCSIS case where there is a CPE in the home connect to a cable modem. In this case, the CPE gets a lease just as the CM does. And while your document doesn't explicitly mention this case, I think it can easily be seen to extend to it - i.e., a Relay Agent (CMTS in DOCSIS) that determines the modem is no longer 'on-line', might decide it can discard BOTH the modem and CPE leases (since the CPE lease is associated with that modem) and that could be a mistake when the CPE may have no knowledge that the modem went offline and therefore the relay 'released' its lease. When the modem goes back online, it will get a new lease; but the CPE never knew this happened and therefore does not obtain a new lease or take steps to 'confirm' its existing lease. You might not be directly considering that case, but without proper language in the document, there is nothing to preclude using these capabilities in that case. - Bernie From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Sunil Gandhewar Sent: Monday, August 03, 2015 1:48 PM To: Bernie Volz (volz); dhcwg@ietf.org<mailto:dhcwg@ietf.org> Subject: Re: [dhcwg] Comments on draft-gandhewar-dhc-relay-initiated-release-00.txt and draft-gandhewar-dhc-v6-relay-initiated-release-00.txt Hi Bernie, Thanks for the quick reply. There can be network issues and protocol issues, although one leads to other. The issue is due to the client not sending Release when it's done. In the scenario you described, devices may be having private network address from the server running on the modem, right? Whereas the modem will actually get the public address from the network. I agree that in some network topology there is no way of knowing this to the device. Hence I added the applicability statement as per your suggestion. When I and Ole Troan were discussing, he told the network case he worked with where end device runs BFD and sends BFD packets on the interface towards the BNG with destination address of it's own. So BNG kind of loops-back the BFD packets. That way end device detects network connectivity. What do you suggest, does the applicability statement I added is enough? Or shall I describe these network cases in that section? I accept the comment regarding the interface-id. >>> I think the text needs to be more clear what this should contain. Should it include the IA_NA, IA_TA, IA_PD options or just IAADDR and IAPREFIX? (The fact that one of the status codes is NoBinding might imply IA_NA/IA_TA/IA_PD, but not sure.) Yes it means all the tyoes of IAs i.e. IA_NA, IA_TA and IA_PD. Should I mention that more specifically? Regarding security considerations, multiple client data can be combined into one message under Client_Data_option. Thus it can avoid too many messages i.e. need not be one message per client. Regards, Sunil Gandhewar Juniper Networks, Inc. sgandhewar@juniper.net<mailto:sgandhewar@juniper.net>
- [dhcwg] Comments on draft-gandhewar-dhc-relay-ini… Sunil Gandhewar
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… Bernie Volz (volz)
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… Sunil Gandhewar
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… Bernie Volz (volz)
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… Sunil Gandhewar
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… JOSHI, SHRINIVAS ASHOK (SHRINIVAS ASHOK)
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… Bernie Volz (volz)
- Re: [dhcwg] Comments on draft-gandhewar-dhc-relay… Sunil Gandhewar