Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA

"Bernie Volz (volz)" <volz@cisco.com> Wed, 18 October 2017 20:35 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 361021343C3 for <dhcwg@ietfa.amsl.com>; Wed, 18 Oct 2017 13:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0qeVkjC0Sxwt for <dhcwg@ietfa.amsl.com>; Wed, 18 Oct 2017 13:35:11 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A6F132620 for <dhcwg@ietf.org>; Wed, 18 Oct 2017 13:35:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22354; q=dns/txt; s=iport; t=1508358911; x=1509568511; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=vGCuE1aqENKwVWI7uocHmbgVXyO+yjX47Ljfvdwyh4Q=; b=N6IB9yTkVmLRTVkhxuGX9SBxOkCNCMF9Uy7j+pn5HWB9bsSoFqAaF0gh NN8F5viLugqH3reUSr2LKm6ORsf/GM1SNDzh/qEc0/t4uMgA26HyvupEa 9tjX0nhOVo/F23c2I7u+NcTbsFqwUuHCCRi4cZpg8Mjg7LCdwgC+3+mLV Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CaAACpuedZ/5FdJa1cGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBg19kbicHg3OKH5ExiEmNaoIUChgLgV6DOgIahF8/GAECAQEBAQE?= =?us-ascii?q?BAWsohR0BAQEDAQEBIRE6CwUHBAIBCBEEAQEBAgIfBAMCAgIfBgsUAQgIAgQOB?= =?us-ascii?q?QiKAAMNCBCrFoInh0ANg1kBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYEPgiCCB4M?= =?us-ascii?q?6AYMvgl6CARAtD4JtgmEFiiSWazwCj3KEcIIdhXaLDo0FiEECERkBgTgBHziBW?= =?us-ascii?q?3oVSYJkglwcGYFOdohKgTKBEQEBAQ?=
X-IronPort-AV: E=Sophos;i="5.43,398,1503360000"; d="scan'208";a="18977971"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Oct 2017 20:35:10 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v9IKZASm008056 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 18 Oct 2017 20:35:10 GMT
Received: from xch-aln-003.cisco.com (173.36.7.13) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 18 Oct 2017 15:35:09 -0500
Received: from xch-aln-003.cisco.com ([173.36.7.13]) by XCH-ALN-003.cisco.com ([173.36.7.13]) with mapi id 15.00.1320.000; Wed, 18 Oct 2017 15:35:09 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>
CC: "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA
Thread-Index: AQHTSBpFO3Bh3/i+xk+Llo298YhKFKLpuoSAgABdvgD//7IAAIAAajsA//+x0nCAAHb8gP//rpBg
Date: Wed, 18 Oct 2017 20:35:09 +0000
Message-ID: <4c25045f863a4e368f58a5a4a3917bde@XCH-ALN-003.cisco.com>
References: <149869621720.6575.278128190348174876@ietfa.amsl.com> <08e4e953-3a68-d6cb-6066-f60514ef0ac5@gmail.com> <3285281858d043649d507b6bda7b8646@XCH-ALN-003.cisco.com> <1f94b780-59c1-42ce-936d-0c8a71143444@gmail.com> <37917a26062f4e4c9715d324604e4d01@XCH-ALN-003.cisco.com> <d944ac55-d67d-d7d4-8eeb-f60438fdda2d@gmail.com> <35558A79-C176-4D71-9E91-4BDB19DDD006@cisco.com> <67ba54d2-d53f-82bf-93c9-1b92631ef4e8@gmail.com> <86409a9acb7846ddbdff42c58328e7d6@XCH-ALN-003.cisco.com> <eccd5dd2-3542-fdbc-89a2-7d13d563163d@gmail.com> <2fbc8325961c49a1944e3ee216fcb032@XCH-ALN-003.cisco.com> <a3f9cd45-403a-c6f6-6e9a-98a9b651a339@gmail.com>
In-Reply-To: <a3f9cd45-403a-c6f6-6e9a-98a9b651a339@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.131.33.59]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/n4hBZp4jwBUAtQoFc-kxMlea9nA>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2017 20:35:18 -0000

The server vendor is in error here ... as far as I know, clients use the link-local address.

The issue for the server vendor may be then how does the server tell where the client is ... and, in that case, you do what was done for DHCPv4 before -- you use the (non link-local) address of the interface on which the request was received (since that it the network on which the client is located). That's exactly what section 13.1 states:

>> *  If the server receives the message directly from the client and 
>> the source address in the IP datagram in which the message was 
>> received is a link-local address, then the client is on the same link 
>> to which the interface over which the message was received is 
>> attached.

Note that the DHCP Client test equipment vendor also appears not to be following standard transmission rules (i.e., to use a link-local address). But, you haven't indicated (I don't think) what the destination address for these DHCPv6 requests are - perhaps they were configured to be a GUA (and then it makes sense for the clients to use a GUA).


To summarize:
- If destination of client is link-local [multicast] address, source SHOULD be link-local. (This probably could be a MUST but there might be some odd instances where this is not appropriate - such as point-to-point links. Note also that I don't think there's a restriction that a source address may have wider scope than a destination address.)
- If destination of client is GLA, source MUST be GLA (otherwise, replies cannot be returned to the client).

A few more comments inline below (BV>).

- Bernie

-----Original Message-----
From: dhcwg [mailto:dhcwg-bounces@ietf.org] On Behalf Of Alexandre Petrescu
Sent: Wednesday, October 18, 2017 4:08 PM
To: Bernie Volz (volz) <volz@cisco.com>
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation - src LL vs GUA



Le 18/10/2017 à 20:13, Bernie Volz (volz) a écrit :
>> But I need guidance to the following question: if the Client sends a 
>> Solicit with a LL in src, MUST the Server reply to it?  (yes/no is 
>> the needed guidance).
> 
> A server may not respond to a client for a variety of reasons, but 
> we'll assume none of those apply here (hence "MUST" is dangerous).
> 
> I don't see why a server would drop a Solicit just because there is a 
> LL in src -- I would think that would be the NORMAL case and hence the 
> server would respond. (Of course, we assume that LL is valid here and 
> can be used.)

Again, the NORMAL case for this particular Server, is to show GUA-in-src, not LL-in-src.  It is a simulator from a large equipment manufacturer.  That simulator is pretended to work accordingly to the real network.

BV> This seems wrong on the simulator's part. But again, please specify what the destination address is. And see comments earlier that src can be wider scope than destination without causing issues in general -- though of course section 13.1 bullet 3 applies.

> I could see that if a client used a GLA and the server was the first 
> hop (no relay), it could drop it if the GLA address as it could mean 
> it has no configuration for that "location". Remember the text from
> 13.1:
> 
>> *  If the server receives the message directly from the client and 
>> the source address in the IP datagram in which the message was 
>> received is not a link-local address, then the client is on the link 
>> identified by the source address in the IP datagram (note that this 
>> situation can occur only if the server has enabled the use of unicast 
>> message delivery by the client and the client has sent a message for 
>> which unicast delivery is allowed).
> 
> Also, some servers could respond with Use Multicast unless 
> server-unicast option has been configured. It may be that they use the 
> source address to determine this (rather than the destination address, 
> which as you say really should be used when server receives packet 
> directly)?
> 
> 
> I'm confused as I think you are saying in:
> 
>> I explain why: about 4 distinct clients use LL in src.  If I want 
>> these clients to use GUA then I must delete the LL from the 
>> interface.
> 
> That you actually want the global unicast address to be used by the 
> client, not the link-local?

I want to not modify the Clients.  The 4 Clients all use LL-in-src.  But the Server examples use GUA-in-src.  A Server example is a packet trace executed on a simulator that pretends to be like in reality.  That simulator uses GUA-in-src.  So, I am told, if I want to be interoperable to that Server, I must do what that simulator does: put GUA-in-src.  So I delete the LL from the interface on the Client.

Do you think it is normal to delete the LL from the interface?

BV> That seems rather bizarre to me ... not sure how other IPv6 services (ND, DAD, etc.) might be impacted?
BV> My recommendation is to get the server vendor to fix it as this is rather broken and others will have problem as well. If the server vendor wants to sell their server, they will need to correct it.


> For what it is worth, the server I work on doesn't care what the 
> client's source address is. We monitor the destination address (when 
> packet is received).

"Does not care" - ok.

But does it accept a Solicit with LL-in-src?

BV> Yes. That is what 100% of the clients I've ever seen send so our server would not be servicing millions of IPv6 clients if it dropped those packets. (And, yes, it is millions based on just one single customer deployment -- and we have many more customers that are using IPv6.)

Alex

> 
> - Bernie
> 
> -----Original Message----- From: Alexandre Petrescu 
> [mailto:alexandre.petrescu@gmail.com] Sent: Wednesday, October 18,
> 2017 1:42 PM To: Bernie Volz (volz) <volz@cisco.com> Cc:
> dhcwg@ietf.org Subject: Re: [dhcwg] I-D Action:
> draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix 
> Delegation - src LL vs GUA
> 
> 
> 
> Le 18/10/2017 à 18:31, Bernie Volz (volz) a écrit :
>> Actually, the guidance is already there? See section 13.1.
>> 
>> *  If the server receives the message directly from the client and 
>> the source address in the IP datagram in which the message was 
>> received is a link-local address, then the client is on the same link 
>> to which the interface over which the message was received is 
>> attached.
>> 
>> *  If the server receives the message directly from the client and 
>> the source address in the IP datagram in which the message was 
>> received is not a link-local address, then the client is on the link 
>> identified by the source address in the IP datagram (note that this 
>> situation can occur only if the server has enabled the use of unicast 
>> message delivery by the client and the client has sent a message for 
>> which unicast delivery is allowed).
> 
> That is useful guidance if the question was about on which link this 
> Client was.  In my case the link involves GTP, UDPv4 and IPv6.
> 
> But I need guidance to the following question: if the Client sends a 
> Solicit with a LL in src, MUST the Server reply to it?  (yes/no is the 
> needed guidance).
> 
> I explain why: about 4 distinct clients use LL in src.  If I want 
> these clients to use GUA then I must delete the LL from the interface.
> 
> Alex
> 
>> 
>> In the relay case, the client's source address doesn't really come 
>> into play at all. So, in the case technically the client could use 
>> either. But since the client has no idea whether a relay will be 
>> present, it should follow these rules.
>> 
>> The document has been submitted to the AD for publication. If you 
>> have concerns or issues, you can always make the AD aware of these or 
>> await the IETF Last-Call period to raise your issues.
>> 
>> - Bernie
>> 
>> -----Original Message----- From: Alexandre Petrescu 
>> [mailto:alexandre.petrescu@gmail.com] Sent: Wednesday, October 18,
>> 2017 12:01 PM To: Bernie Volz (volz) <volz@cisco.com> Cc:
>> dhcwg@ietf.org Subject: Re: [dhcwg] I-D Action:
>> draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix 
>> Delegation - src LL vs GUA
>> 
>> 
>> 
>> Le 18/10/2017 à 16:25, Bernie Volz (volz) a écrit :
>>> Hi Alex:
>>> 
>>> Does it really matter what the Client’s source address
>> 
>> Yes it is guidance that I need.
>> 
>> Alex
>> 
>> is as long as
>>> the client can receive packets sent to that address (by a relay or 
>>> server that is on that link)? These are link-local packets and so no 
>>> router should be involved in them (that’s what the relay agent is 
>>> there for – to forward the packets to servers not on the local 
>>> link).
>>> 
>>> - Bernie
>>> 
>>> On 10/18/17, 10:06 AM, "Alexandre Petrescu" 
>>> <alexandre.petrescu@gmail.com> wrote:
>>> 
>>> Bernie,
>>> 
>>> Le 13/07/2017 à 19:38, Bernie Volz (volz) a écrit : [...]
>>> 
>>>> Regarding Link Local vs GLA in Solicit, I think following the 
>>>> specification would be recommended. Use link-local.
>>> 
>>> But the I-D 3315bis says this:
>>>> Clients and servers exchange DHCP messages using UDP [RFC0768]. The 
>>>> client uses a link-local address or addresses determined through 
>>>> other mechanisms for transmitting and receiving DHCP messages.
>>> ^^^^^^^^^^^^^^^^
>>> 
>>> This "other mechanisms" means that a GUA generated with SLAAC could 
>>> be used as an src in a DHCPv6 Solicit.
>>> 
>>> 
>>> [...]
>>>> Note also that section 13.1 (for the unicast, GLA case) assumes the 
>>>> message was not multicast (section 18.4 about UseMulticast Status 
>>>> talks about "Reception of Unicast Messages").
>>> 
>>> Hm, that lokks like a relatively less explicit if not outright 
>>> silent assumption(?)  Or maybe I did not look well enough in the 
>>> I-D?
>>> 
>>> There is a particular equipment manufacturer's simulator software, 
>>> and potentially real hardware, that uses GUA in src and dst 
>>> multicast with link scope ff02::1:2.547, in the DHCPv6 Solicit.
>>> 
>>> If this behaviour is standard (src GUA and dst ff02::1:2) then it 
>>> should be in the draft.  If it's not standard: it should get 
>>> corrected in the simulated and in the real implementation.
>>> 
>>> Because other software than the one from the particular equipment 
>>> manufacturer uses src LL and dst ff02::1:2.
>>> 
>>> Side note:
>>> 
>>>> I think section 13.1 was written with the assumption that 
>>>> determining the destination address of a packet is harder than 
>>>> obtaining the source address; hence the assumption is that if a GLA 
>>>> is used as the source address, it was not a multicast [to the 
>>>> link-local multicast address]. Today, kernels typically provide the 
>>>> ability to get the destination address, not just the source address 
>>>> (though it takes a bit more code to do so).
>>> 
>>> The picture may be different on point-to-point links like cellular 
>>> links.  It's multicast, but it's just two nodes and they are always 
>>> seeing each other.  Besides, one of the nodes allocates an address 
>>> to the other node by other means than SLAAC, and it knows it.
>>> 
>>> Alex
>>> 
>>>> 
>>>> 
>>>>> I can say e.g. some (I believe Cisco) client puts a GUA in the src 
>>>>> of aDHCPv6 Solicit.
>>>> 
>>>> That's a bit of a broad statement as Cisco has many different 
>>>> devices (and many different operating systems and versions) ... 
>>>> perhaps if you could indicate which device(s) and software versions 
>>>> you've found this to be the behavior on, I can perhaps follow up.
>>>> 
>>>> I will also add that in many cases when devices are doing DHCPv6, 
>>>> they will only have a LL so it may also depend on the network 
>>>> configuration.
>>>> 
>>>> - Bernie
>>>> 
>>>> -----Original Message----- From: Alexandre Petrescu 
>>>> [mailto:alexandre.petrescu@gmail.com] Sent: Thursday, July 13,
>>>> 2017 12:01 PM To: Bernie Volz (volz) <volz@cisco.com> Cc: 
>>>> dhcwg@ietf.org Subject: Re: [dhcwg] I-D Action: 
>>>> draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix 
>>>> Delegation
>>>> 
>>>> Bernie,
>>>> 
>>>> Le 12/07/2017 à 23:33, Bernie Volz (volz) a écrit :
>>>>> Hi:
>>>>> 
>>>>>> What is the Hop Limit that a Solicit should contain in the
>>>>>> IPv6 header?
>>>>> 
>>>>> ND uses hop limit of 255 so the destination can check that it is 
>>>>> 255 on receipt (whereas 1 could have been anything and forwarded 
>>>>> many times).
>>>>> 
>>>>> But I'm not sure if that is a the best practice when you don't 
>>>>> want the packet forwarded. I would think that if the destination 
>>>>> is a link-local multicast, it really doesn't matter as nothing 
>>>>> should forward the packet (and if something is misconfigured to 
>>>>> forward the packet, you're probably in deeper trouble than just 
>>>>> with DHCPv6).
>>>>> 
>>>>> RFC 4861 has:
>>>>> 
>>>>> 11.2.  Securing Neighbor Discovery Messages
>>>>> 
>>>>> The protocol reduces the exposure to the above threats in the 
>>>>> absence of authentication by ignoring ND packets received from 
>>>>> off-link senders.  The Hop Limit field of all received packets is 
>>>>> verified to contain 255, the maximum legal value.
>>>>> Because routers decrement the Hop Limit on all packets they 
>>>>> forward, received packets containing a Hop Limit of 255 must have 
>>>>> originated from a neighbor.
>>>>> 
>>>>> I don't know off hand if there's any place this is documented 
>>>>> (what to use for hop limit with link-local).
>>>> 
>>>> I think your explanation makes sense about ND.
>>>> 
>>>> But, about DHCP, I need to know whether a DHCP Solicit with 
>>>> HopLimit 1 is valid or not.
>>>> 
>>>> As I said earlier, some DHCP clients set it at 255 whereas others 
>>>> at 1.
>>>> 
>>>> In some setting, the DHCP Solicit is encapsulated in IPv4.
>>>> Some of the decapsulation RFCs say that the HopLimit is 
>>>> decremented.
>>>> 
>>>> In that setting, it is not clear whether decrementing the hop limit 
>>>> happens, or not.
>>>> 
>>>> But I want to make sure the client which sets HopLimit at 1
>>>> (odhcp6c) is the right way to do.
>>>> 
>>>> I think a good place to clarify this is in the DHCP spec.
>>>> 
>>>> The spec could say that the HopLimit has some preferred value.
>>>> 
>>>>>> Is IA_NA with empty fields a valid option in a Prefix Delegation 
>>>>>> Solicit, or must IA_NA be absent altogether?
>>>>>> (the intention is to only request the Prefix, because the address 
>>>>>> comes from RA).
>>>>> 
>>>>> Not sure what an "empty" IA_NA is. Whether you include an IA_NA or 
>>>>> not with IA_PD is the client's choice. If it what's an address 
>>>>> (such as for management) on the upstream link, than it should 
>>>>> include an IA_NA. This is covered in the text in 6.3 (IA_PD only) 
>>>>> vs 6.4 (IA_PD and IA_NA, typically).
>>>> 
>>>> Noted.
>>>> 
>>>>>> Is ORO with empty fields illegal in a Prefix Delegation Solicit? 
>>>>>> (the intention is to get the DNS server from RA, but some client 
>>>>>> puts an empty ORO there).
>>>>> 
>>>>> An empty ORO is fine (it should not cause problems, but is 
>>>>> obviously useless). Though if they are following the rfc3315bis 
>>>>> and doing what they should, there would not be an empty ORO.
>>>> 
>>>> Noted.
>>>> 
>>>>>> Is it ok to use a GUA in the src address of a Solicit Prefix 
>>>>>> Delegation?
>>>>> 
>>>>> See 13.1 of draft-ietf-dhc-rfc3315bis-09 ... the source address 
>>>>> here should be link-local.
>>>> 
>>>> Well, that contradicts some trial.
>>>> 
>>>> I can say e.g. some (I believe Cisco) client puts a GUA in the src 
>>>> of a DHCPv6 Solicit.  Other DHCP clients have this optional between 
>>>> LLA or GUA.  The operator I work with wants it to be a GUA.
>>>> 
>>>> As such, I dont know what is the way forward: should the spec get 
>>>> updated?  shoudl the operator change?  should the Cisco 
>>>> implementation change?
>>>> 
>>>> Alex
>>>> 
>>> 
>>> 

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg