Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements

"Bernie Volz (volz)" <volz@cisco.com> Tue, 13 October 2020 13:44 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: "ianfarrer@gmx.com" <ianfarrer@gmx.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Jen Linkova <furry13@gmail.com>
CC: dhcwg <dhcwg@ietf.org>, 6man <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Date: Tue, 13 Oct 2020 13:44:45 +0000
Message-ID: <BYAPR11MB25496B31F581D4E32D46542ACF040@BYAPR11MB2549.namprd11.prod.outlook.com>
References: <5F6947F2-F7DF-4907-8DD5-28C2B20A91DE@gmx.com> <CAFU7BAT87uhUKZM-G9MjCgtmGbdCwXorP3SfMJm7_Ax7pvwDjg@mail.gmail.com> <f2a9e0188cd84f52adce279cfb04cbcc@boeing.com> <D259F559-8528-428A-A9DF-0D9FB07E6BE4@gmx.com> <BN7PR11MB2547029C572CB32F3C593AD7CF0B0@BN7PR11MB2547.namprd11.prod.outlook.com> <ff36a6d9f0834b5bbf331c6c40df16b8@boeing.com> <A0B74F43-07A4-47C2-B773-3F2071CFCED3@cisco.com> <CAFU7BARUKw_c2c9+3k9kJ0UqrATTruGKPGkVb5NPTo=vspb0NA@mail.gmail.com> <19432.1602258078@localhost> <644565BC-5818-4244-A34A-1B39C3FC9175@gmx.com>
In-Reply-To: <644565BC-5818-4244-A34A-1B39C3FC9175@gmx.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ouFLp-bdKYekckIHNrsEBREYgxg>
Subject: Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements

Hi:

Do we know that this is "client" traffic? And what is the "client" - especially given the case that Jen showed.

For a RFC4443 Destination Unreachable address, the IPv6 destination address field is as follows:

   IPv6 Fields:

   Destination Address

                  Copied from the Source Address field of the invoking
                  packet.

So, are you changing this?

If not, perhaps we just say:

R-4
To prevent routing loops, the relay SHOULD implement a configurable policy to drop traffic received from an uplink interface as follows:  For point-to-point links, when the packet's ingress and egress interfaces match. For multi-access links, when the packet's ingress and egress interface match, and the source MAC and next-hop MAC addresses match. An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject route to
destination) error message MAY be sent as per [RFC4443], section 3.1.  The ICMP policy SHOULD be configurable.

- Bernie

-----Original Message-----
From: ianfarrer@gmx.com <ianfarrer@gmx.com> 
Sent: Tuesday, October 13, 2020 9:16 AM
To: Michael Richardson <mcr+ietf@sandelman.ca>; Jen Linkova <furry13@gmail.com>
Cc: Bernie Volz (volz) <volz@cisco.com>; dhcwg <dhcwg@ietf.org>; 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements

Hi,

Thanks for all of the discussion on this. We’ve reworked the requirement as follows:

R-4
To prevent routing loops, the relay SHOULD implement a configurable policy to drop client traffic as follows:  For point-to-point links, when the packet's ingress and egress interfaces match. For multi-access links, when the packet's ingress and egress interface match, and the source MAC and next-hop MAC addresses match. An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject route to
destination) error message MAY be sent back to the client.  The ICMP policy SHOULD be configurable.

Thanks,
Ian

> On 9. Oct 2020, at 17:41, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Jen Linkova <furry13@gmail.com> wrote:
>> I think there is confusion re: the scenario we are talking about. 
>> I've attached the diagram for the case which concerns me.
>> So:
>> - The Relay R has an interface eth0 connected to a switch S.
>> - Devices A and B are connected to the same switch and using R as a 
>> default gateway.
>> - The prefix 2001:db8::/56 was delegated to a client A via the relay R.
> 
> a friendly amendment to your example to aid in human comprehension:
>     } - The prefix 2001:db8:0000:0123:/64 was delegated to a client A via the relay R.
>     }  - R installs a route for 2001:db8:0000:0123:/64 towards A via eth0.
> 
>> - The device B (which has an address NOT from the delegated prefix, 
>> but from another /64 assigned to that common link, let's say
>> 2001:db8:cafe::/64) sends a packet to an address from the delegated
> 
> now, my brain can more clearly see that 2001:db8:cafe::/64 is not 
> within 2001:db8:0000:0123:/64, while I had to use a few extra brain 
> cells to see that it wasn't in that ::/56 :-)
> 
>> What I'd expect to happen (with DHCP-PD or without - e.g. if R has a 
>> static route towards A, not a dynamic route produced by PD):
>> - the packet is sent to A. Well, if A does not have a route to
>> 2001:db8::42 then indeed a routing loop might happen. But if A does 
>> have a route, the packet will be delivered.
> 
>> What seems to be required by R4:
>> - R detects that the packet is received via eth0 and needs to be sent 
>> back to eth0. R4 seems to require such packets to be dropped.
>> So if B would never be able to communicate to any address in the 
>> delegated prefix, right?
> 
>> Am I missing anything?
> 
> I think that you got it right.
> 
>>> Perhaps the missing piece of the rule is don’t send it back to where it came from, based on link layer addresses (or link if point-to-point).
> 
>> Yes. If R4 was saying 'drop the packet if it comes from the same 
>> link-layer address you are going to send it back' - it would make 
>> total sense. But I don't think routers do *that*.
> 
> Yes, if we made the check on L2 address, then it would work.
> And I agree that routers are exactly doing that.
> 
> I think that it also works if B is a router with additional interfaces 
> downstream, unless there are multiple paths.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
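The R-4 check as worded in both messages above (drop when ingress and egress interface match, and on multi-access links only if the source MAC also matches the next-hop MAC), modelled in Python over Jen's topology so the B-to-A hairpin case and the genuine loop case can be compared. This is an added example, not code from the draft or from any relay implementation; the interface names, MAC addresses and routing table are constructed, and the ICMPv6 Type 1, Code 6 decision only records whether a message would be sent (its destination follows RFC 4443, i.e. the invoking packet's source address).

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrived on
    src_mac: Optional[str]  # link-layer source; None on point-to-point links
    dst: IPv6Address


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    egress: str
    next_hop_mac: Optional[str]  # resolved next-hop link-layer address


# Constructed relay state (hypothetical): eth0 is the multi-access link to
# switch S with clients A and B; ppp0 is a point-to-point uplink.
P2P_LINKS = {"ppp0"}
MAC_A = "02:00:00:00:00:0a"
MAC_B = "02:00:00:00:00:0b"
ROUTES = [
    Route(IPv6Network("2001:db8:0:123::/64"), "eth0", MAC_A),  # PD route to A
    Route(IPv6Network("2001:db8:0:124::/64"), "ppp0", None),   # PD route over p2p
    Route(IPv6Network("::/0"), "ppp0", None),                  # default upstream
]


def lookup(dst: IPv6Address) -> Optional[Route]:
    """Longest-prefix match over the constructed routing table."""
    matches = [r for r in ROUTES if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def r4_decision(pkt: Packet, send_icmp: bool = True) -> str:
    """Apply R-4: returns 'forward', 'drop+icmp6-1-6', 'drop' or 'unroutable'."""
    route = lookup(pkt.dst)
    if route is None:
        return "unroutable"
    if route.egress != pkt.ingress:
        return "forward"                 # different interface: no loop risk
    if route.egress in P2P_LINKS:
        looped = True                    # p2p: same interface is enough
    else:
        looped = pkt.src_mac == route.next_hop_mac  # multi-access: same L2 peer too
    if not looped:
        return "forward"                 # e.g. B -> A hairpinned through R
    return "drop+icmp6-1-6" if send_icmp else "drop"
```

With the MAC condition, B's packet to an address in A's delegated prefix is forwarded, while a packet from A itself aimed at an unused address in its own prefix (which A would route back to R) is dropped, which is the loop R-4 is meant to stop.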