Re: [dhcwg] [Technical Errata Reported] RFC8415 (6269)

"Bernie Volz (volz)" <volz@cisco.com> Thu, 03 September 2020 15:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/oedStrUGR8PAFPsCJwkXxF70L3s>

FYI – I removed the RFC Errata System email address from this.

> Another option would be to require the client to honor the “Server Unicast” option from the transaction to which the Reconfigure applies.

I’m not sure this would be needed as I think the language in RFC8415 already encourages use of the Server Unicast if received, possible to use (i.e., client has address of sufficient scope it can use as source), applies to server (i.e. from Server Identifier matches – this isn’t actually clearly stated anywhere if I recall but of course makes sense), and message permits?

I think, however, that the problem for Reconfigure is that it could come from a completely different server than the “original transaction” was from.

I really wonder how large an issue this is and how frequently Server Unicast is even used. Perhaps in retrospect, a feature we might have considered removing.


- Bernie

From: Ted Lemon <mellon@fugue.com>
Sent: Monday, August 31, 2020 1:21 PM
To: Bernie Volz (volz) <volz@cisco.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>; tomasz.mrugalski@gmail.com; msiodelski@gmail.com; Andrew Yourtchenko (ayourtch) <ayourtch@cisco.com>; mcr+ietf@sandelman.ca; jiangsheng@huawei.com; twinters@iol.unh.edu; ek.ietf@gmail.com; Eric Vyncke (evyncke) <evyncke@cisco.com>; tim@qacafe.com; fhamme@united-internet.de; dhcwg@ietf.org
Subject: Re: [Technical Errata Reported] RFC8415 (6269)

On Aug 31, 2020, at 10:46 AM, Bernie Volz (volz) <volz@cisco.com> wrote:
While we could debate whether to allow Server Unicast option in a Reconfigure message itself, I think it best not to do this as it could be a security risk (though perhaps it is marginal if the attacker already knows the nonce). But that would be a change over the existing specification as best I can determine.

Another option would be to require the client to honor the “Server Unicast” option from the transaction to which the Reconfigure applies.