Re: [dhcwg] recommendation on DHCP6 source port numbers

"rob@deepdivenetworklng.com" <rob@deepdivenetworking.com> Thu, 29 February 2024 23:29 UTC

From: "rob@deepdivenetworklng.com" <rob@deepdivenetworking.com>
Message-Id: <E4494DF6-D1F4-4613-BA4C-9A74F4B6989B@deepdivenetworking.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_24CEBB62-733B-453B-9BFA-C4F7B6C9DA8D"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Thu, 29 Feb 2024 15:28:45 -0800
In-Reply-To: <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com>
Cc: Ole Trøan <otroan@employees.org>, dhcwg <dhcwg@ietf.org>
To: David Farmer <farmer@umn.edu>
References: <CAN-Dau3m2_L7J9T9VBk7oyHTK0EeMeuiv+jNpuMGE3m1T623=A@mail.gmail.com> <CC99EB8A-3350-4682-B273-D0656AD8F7F4@employees.org> <CAN-Dau1SPXgyHg_fkmU6rTxWpt-edAWA9hM2kR1qyP8t1XW+_Q@mail.gmail.com> <A477E0AF-F68A-4528-A907-CF0C9F7448F2@deepdivenetworking.com> <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/mInBq_Iz0yu3TTzZ2YPaL1TNGPQ>

David,
I can see that argument. But we also didn't think randomized source ports were going to be important for DNS... I guess I don't see why we should be declaring what an implementer does on the source port side. To me, for this specific case, our job is only declaring the destination/listening ports and at best making a recommendation about source ports.

> On Feb 29, 2024, at 11:02 AM, David Farmer <farmer@umn.edu> wrote:
> 
> Actually, given that return DHCP messages MUST be sent to their designated destination ports and not the source port used by the originating DHCP message, there is no advantage to using randomized source ports to prevent spoofing. Using randomized source ports only makes firewall traversal for DHCP messages more difficult.
> 
> Thanks.
> 
> On Thu, Feb 29, 2024 at 12:44 PM rob@deepdivenetworklng.com <rob@deepdivenetworking.com> wrote:
>> I think we are in the middle of the (no end in sight) argument of: if we make it completely predictable, it is easy to monitor and punch holes for firewalls, vs. if we make it easily predictable, it is super easy to exploit. Just look at DNS needing to randomize source ports to combat cache poisoning. I think we don't have to say it "Should" be source and destination port that is forced. People can do that if they choose to given the current text, but we don't paint them into a corner.
>> 
>> Rob
>> 
>> 
>> 
>>> On Feb 29, 2024, at 10:39 AM, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>>> 
>>> If we did, that would ensure DHCP messages will make it through typical stateful firewalls without special rules.
>>> 
>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>> 
>>>> Clients, servers, and relay agents SHOULD send DHCP messages from their designated destination ports, as this will facilitate firewall traversal for DHCP messages. Nevertheless, DHCP messages MUST be accepted from any UDP (source) port, and regardless of the source port used, return DHCP messages MUST be sent to their designated destination port.
>>> 
>>> On Thu, Feb 29, 2024 at 12:05 PM Ole Trøan <otroan=40employees.org@dmarc.ietf.org> wrote:
>>>> Should we also make it recommended to use the designated port as the source port? With the may to send arbitrary port and a must to accept an arbitrary port?
>>>> 
>>>> O. 
>>>> 
>>>>> On 29 Feb 2024, at 18:51, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>>>>> 
>>>>> 
>>>>> Ok, it's a little less wordy this time.
>>>>> 
>>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>>> 
>>>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port used, DHCP messages MUST be sent to their designated destination ports.
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> On Thu, Feb 29, 2024 at 10:24 AM David Farmer <farmer@umn.edu> wrote:
>>>>>> Would this text clarify things?
>>>>>> 
>>>>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and relay agents receive DHCP messages on UDP (destination) port 547.
>>>>>> 
>>>>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP (source) port they are allowed to use, including their designated destination ports. Nevertheless, regardless of the source port the client uses, the server or relay agent MUST send traffic to the designated destination port of the client. And vice versa, regardless of the source port used by the server or relay agent, the client MUST send traffic to the designated destination port of the server or relay agent.
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> On Thu, Feb 29, 2024 at 10:03 AM Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote:
>>>>>>> Bernie,
>>>>>>> 
>>>>>>> > DHCPv6 has been successfully deployed and this is the first I recall of this kind of discussion/issue.
>>>>>>> > You would likely also invalidate a lot of implementations with such a change, which is not really in line with advancing this to Full Standard.
>>>>>>> 
>>>>>>> It’s a lot more important to have the specification clear and unambiguous. I think it has been shown that it isn’t.
>>>>>>> Happy with whatever solution there is consensus for, but the ambiguity has to be resolved I think.
>>>>>>> 
>>>>>>> O.
>>>>>>> _______________________________________________
>>>>>>> dhcwg mailing list
>>>>>>> dhcwg@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>>>> 
>>>>>> 
>>>>>> -- 
>>>>>> ===============================================
>>>>>> David Farmer               Email: farmer@umn.edu
>>>>>> Networking & Telecommunication Services
>>>>>> Office of Information Technology
>>>>>> University of Minnesota   
>>>>>> 2218 University Ave SE        Phone: 612-626-0815
>>>>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>>>>> =============================================== 
>>>>> 
>>>>> 
>>> 
>>> 
>> 
> 
> 
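The port rules being proposed above, as an added worked example that is not part of the thread and is not code from any DHCPv6 implementation. It models a stateful firewall with plain UDP conntrack and a unicast relay-to-server exchange (the addresses, ports and transaction-ids are constructed), following the proposed text: send from any source port, accept from any source port, reply to the designated port 546/547. The 24-bit transaction-id is DHCPv6's own field width; the "DNS-style" branch of blind_spoof_bits is the comparison Rob draws, where the reply goes back to the query's source port.

```python
"""Toy model of the DHCPv6 port rules proposed in this thread: send from any
source port, MUST accept from any source port, replies MUST go to the
designated port (546 for clients, 547 for servers and relay agents).
All addresses, ports and transaction-ids below are constructed for the example."""
from dataclasses import dataclass

DHCPV6_CLIENT_PORT = 546   # clients listen here
DHCPV6_SERVER_PORT = 547   # servers and relay agents listen here
XID_BITS = 24              # DHCPv6 transaction-id is three octets


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    xid: int


class StatefulFirewall:
    """Minimal conntrack: an outbound datagram records its 4-tuple; an inbound
    datagram is allowed only if it is the exact reverse of a recorded flow.
    Deliberately no DHCPv6-specific helper rule, which is the case at issue."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def outbound(self, d: Datagram) -> None:
        self.flows.add((d.src, d.sport, d.dst, d.dport))

    def inbound_allowed(self, d: Datagram) -> bool:
        return (d.dst, d.dport, d.src, d.sport) in self.flows


RELAY = "2001:db8::1"   # constructed relay-agent address, inside the firewall
SERVER = "2001:db8::2"  # constructed server address, outside the firewall


def relay_forward(sport: int, xid: int) -> Datagram:
    """Relay-forward: unicast to the server's designated port 547 from
    whatever source port the relay chose (any port is allowed)."""
    return Datagram(RELAY, sport, SERVER, DHCPV6_SERVER_PORT, xid)


def relay_reply(fwd: Datagram) -> Datagram:
    """Relay-reply under the proposed text: sent to the relay's designated
    port 547, regardless of the source port the Relay-forward came from."""
    return Datagram(SERVER, DHCPV6_SERVER_PORT, fwd.src, DHCPV6_SERVER_PORT, fwd.xid)


def reply_traverses_firewall(relay_sport: int) -> bool:
    """Does the server's reply match the state the relay's outbound message
    created? Only when the relay also sent from its designated port 547."""
    fw = StatefulFirewall()
    fwd = relay_forward(relay_sport, xid=0x2A3B4C)
    fw.outbound(fwd)
    return fw.inbound_allowed(relay_reply(fwd))


def blind_spoof_bits(reply_follows_source_port: bool, source_port_random: bool) -> int:
    """Bits an off-path spoofer must guess before the receiver accepts a forged
    reply. The receiver MUST accept from any source port, so only the
    destination port and the transaction-id are checked. With DNS-style
    behaviour (reply sent to the query's source port) a random source port
    adds about 16 bits; with DHCPv6's fixed destination port it adds nothing."""
    port_bits = 16 if (reply_follows_source_port and source_port_random) else 0
    return XID_BITS + port_bits


if __name__ == "__main__":
    print("relay sends from 547, reply passes firewall:", reply_traverses_firewall(547))
    print("relay sends from 51234, reply passes firewall:", reply_traverses_firewall(51234))
    print("DHCPv6 fixed destination port, random sport, guess bits:",
          blind_spoof_bits(reply_follows_source_port=False, source_port_random=True))
    print("DNS-style reply to source port, random sport, guess bits:",
          blind_spoof_bits(reply_follows_source_port=True, source_port_random=True))
```

Running it shows the reply clears the firewall only when the relay sends from 547, and that a random source port adds no guessing work for an off-path spoofer of a DHCPv6 reply while it adds roughly 16 bits in the DNS case. Link-local multicast Solicits and any vendor conntrack helpers are outside the model.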