[dhcwg] [Iot-directorate] Iotdir last call partial review of draft-ietf-dhc-mac-assign-06

"Bernie Volz (volz)" <volz@cisco.com> Tue, 26 May 2020 20:47 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Samita Chakrabarti <samitac.ietf@gmail.com>
CC: "draft-ietf-dhc-mac-assign@ietf.org" <draft-ietf-dhc-mac-assign@ietf.org>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>, Ian Farrer <ianfarrer@gmx.com>
Date: Tue, 26 May 2020 20:47:19 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/pYHgtN3S_LgDEdYTWJFSakC5O0o>

Hum ... I never seemed to have received the original email - https://mailarchive.ietf.org/arch/msg/iot-directorate/AlkuS7PgeTwQStM9eFsf4gbOhSw.

Some comments below (BV>).

---
I took a quick glance at the draft from IoT point of view (only partial review).

Section 4.2 talks about the IoT use case as Direct Client Mode -- where they
talk about cheap devices which may not have a unique UUID associated with them.

Note that a client that operates as above that does not have a
   globally unique link-layer address on any of its interfaces MUST NOT
   use a link-layer based DUID (DHCP Unique Identifier), i.e., DUID-LLT
   or DUID-LL.  For more details, refer to Section 11 of [RFC8415].

1. However, it is not clear what source initial link-layer address should be
used by these devices. Should it point to section 6? Will that suffice?

BV> There are two different issues here. One is the DUID this device would use for DHCPv6 - we were just pointing out here that these devices must not use Link Layer based DUIDs (hence, they should use DUID-EN or DUID-UUID). In terms of the "initial link-layer address", I'm not sure that a reference to section 6 (I assume of the dhc-mac-assign draft) would be useful? In section 4.2, we already say "Upon first boot, the device uses a temporary address, as described in [IEEE-802.11-02-109r0], to send initial DHCP packets to available DHCP server", so I'm not sure what is missing?

2. Moreover, how safe would the mechanism be if the Security section says that
the mechanism defined in this draft may be used by a bad actor?

BV> I'm also not sure what would be needed here? I guess we could point out that randomly selecting an initial mac-address and trusting a DHCPv6 server to assign an address is very insecure? But that's pretty much covered by https://tools.ietf.org/html/rfc8415#section-22. Perhaps more clarity on what should be added would help?

3. It appears to me the mechanisms are designed for VMs behind a hypervisor
and then IoT usages are added. My concerns are twofold for challenged low
capability IoT devices -- 1) will they be able to handle the complicated option
processing described here? 2) How to mitigate the security vulnerability for
IoT devices as direct clients? (The security section does not talk about
mitigation)

Should there be a simpler option processing structure without TLV option
processing (i.e. a fixed structure part + then a TLV part for optional
information)?

BV> The TLV structure is what DHCPv6 is based on. I'm not really sure that this is that complicated and if it is ... this is OPTIONAL - an IoT device could consider using it; of course, if it really is low end perhaps it is not the best technique for it? The IEEE was also working on a specification for doing link-layer address assignment and theirs (when available) would most likely be at a much lower layer in the "stack" and may be better optimized for the IoT case (and may also cover the initial allocation issue that exists with DHCPv6). So the IoT case was indeed not the first priority, as that likely would be better accommodated by IEEE.

BV> I don't know if Carlos might have some more data on the IEEE work, as my contacts at IEEE seem to have dried up.

- Bernie


-----Original Message-----
From: Éric Vyncke via Datatracker <noreply@ietf.org> 
Sent: Saturday, May 23, 2020 2:55 AM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dhc-mac-assign@ietf.org; dhc-chairs@ietf.org; dhcwg@ietf.org; Tomek Mrugalski <tomasz.mrugalski@gmail.com>; Ian Farrer <ianfarrer@gmx.com>; ianfarrer@gmx.com; samitac.ietf@gmail.com
Subject: Éric Vyncke's Yes on draft-ietf-dhc-mac-assign-06: (with COMMENT)

Éric Vyncke has entered the following ballot position for
draft-ietf-dhc-mac-assign-06: Yes

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dhc-mac-assign/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for this useful and easy to read document.

Please also address the IoT Directorate review by Samita Chakrabarti:
https://datatracker.ietf.org/doc/review-ietf-dhc-mac-assign-06-iotdir-lc-chakrabarti-2020-05-11/

Regards

-éric
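Two points in Bernie's reply above are concrete enough to show in code: the DHCPv6 option format is a plain run of TLVs (2-byte option-code, 2-byte option-len, data), and a client whose only link-layer address is a temporary one must not identify itself with a DUID-LLT or DUID-LL but should use DUID-EN or DUID-UUID (RFC 8415 section 11). The following Python is an added example written for this page; it is not code from the draft, from RFC 8415, or from any of the thread's participants. It parses the option TLVs of a DHCPv6 message, decodes the Client Identifier DUID, and, from a server-side or audit point of view, flags a link-layer DUID that was built from a locally administered MAC (IEEE U/L bit set), which is the observable sign that the client may be using the kind of temporary address section 4.2 of the draft describes. The sample messages, MAC addresses and DUID contents are constructed for the example; the enterprise number 32473 is the one RFC 5612 reserves for documentation.

```python
"""Decode the Client Identifier of a DHCPv6 message and flag link-layer
based DUIDs built from a locally administered (possibly temporary) MAC.
Added example; field layouts follow RFC 8415 section 11 and section 21."""
import struct
from typing import Dict, List, Optional, Tuple

OPTION_CLIENTID = 1                                  # RFC 8415 section 21.2
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4   # RFC 8415 section 11, RFC 6355
DUID_NAMES = {DUID_LLT: "DUID-LLT", DUID_EN: "DUID-EN",
              DUID_LL: "DUID-LL", DUID_UUID: "DUID-UUID"}
HW_ETHERNET = 1                                      # IANA hardware type for Ethernet


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a run of DHCPv6 TLV options: option-code(2) option-len(2) option-data.
    Raises ValueError on a truncated header or a length that overruns the buffer."""
    options: List[Tuple[int, bytes]] = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(data) - off} remain")
        options.append((code, data[off:off + length]))
        off += length
    return options


def parse_duid(raw: bytes) -> Dict[str, object]:
    """Decode a DUID into its fields according to its 2-byte type code."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    duid_type = struct.unpack_from("!H", raw)[0]
    if duid_type == DUID_LLT and len(raw) >= 8:          # type, hw-type, time, lladdr
        hw_type, time = struct.unpack_from("!HI", raw, 2)
        return {"type": duid_type, "hw_type": hw_type, "time": time, "lladdr": raw[8:]}
    if duid_type == DUID_LL and len(raw) >= 4:           # type, hw-type, lladdr
        hw_type = struct.unpack_from("!H", raw, 2)[0]
        return {"type": duid_type, "hw_type": hw_type, "lladdr": raw[4:]}
    if duid_type == DUID_EN and len(raw) >= 6:           # type, enterprise-number, identifier
        enterprise = struct.unpack_from("!I", raw, 2)[0]
        return {"type": duid_type, "enterprise": enterprise, "identifier": raw[6:]}
    if duid_type == DUID_UUID and len(raw) == 18:        # type, 128-bit UUID
        return {"type": duid_type, "uuid": raw[2:]}
    raise ValueError(f"malformed or unknown DUID (type {duid_type}, {len(raw)} bytes)")


def is_locally_administered(mac: bytes) -> bool:
    """IEEE 802 U/L bit: bit 1 of the first octet set means the address was
    assigned locally (for example a temporary/random address), not burned in."""
    return len(mac) == 6 and bool(mac[0] & 0x02)


def audit_client_duid(message: bytes) -> Tuple[str, Optional[str]]:
    """Return (DUID type name, problem-or-None) for a DHCPv6 client message
    laid out as msg-type(1) transaction-id(3) options."""
    if len(message) < 4:
        raise ValueError("DHCPv6 message shorter than msg-type + transaction-id")
    options = parse_options(message[4:])
    client_ids = [data for code, data in options if code == OPTION_CLIENTID]
    if len(client_ids) != 1:
        raise ValueError(f"expected exactly one Client Identifier option, found {len(client_ids)}")
    duid = parse_duid(client_ids[0])
    name = DUID_NAMES[duid["type"]]
    if duid["type"] in (DUID_LLT, DUID_LL):
        lladdr = duid["lladdr"]
        if duid["hw_type"] == HW_ETHERNET and is_locally_administered(lladdr):
            return name, (f"link-layer DUID built from locally administered MAC "
                          f"{lladdr.hex(':')}; a client without a globally unique "
                          f"link-layer address should use DUID-EN or DUID-UUID")
    return name, None


def build_solicit(duid: bytes) -> bytes:
    """Constructed DHCPv6 Solicit (msg-type 1, xid 0x010203) carrying only a Client Identifier."""
    return bytes([1, 0x01, 0x02, 0x03]) + struct.pack("!HH", OPTION_CLIENTID, len(duid)) + duid


# Constructed sample DUIDs; the MACs and identifier bytes are illustrative.
RANDOM_MAC = bytes.fromhex("020000aabbcc")       # U/L bit set: locally administered
BURNED_IN_MAC = bytes.fromhex("001122334455")    # U/L bit clear: globally unique OUI-based
DUID_LL_RANDOM = struct.pack("!HH", DUID_LL, HW_ETHERNET) + RANDOM_MAC
DUID_LL_GLOBAL = struct.pack("!HH", DUID_LL, HW_ETHERNET) + BURNED_IN_MAC
DUID_EN_SAMPLE = struct.pack("!HI", DUID_EN, 32473) + b"\x00\x01\x02\x03"   # 32473: RFC 5612 documentation PEN
DUID_UUID_SAMPLE = struct.pack("!H", DUID_UUID) + bytes(range(16))

if __name__ == "__main__":
    for label, duid in [("DUID-LL from temporary MAC", DUID_LL_RANDOM),
                        ("DUID-LL from burned-in MAC", DUID_LL_GLOBAL),
                        ("DUID-EN", DUID_EN_SAMPLE), ("DUID-UUID", DUID_UUID_SAMPLE)]:
        print(f"{label}: {audit_client_duid(build_solicit(duid))}")
```

The check is deliberately one-sided: a DUID-LL built from a globally unique MAC, or any DUID-EN or DUID-UUID, passes, and only the combination that the draft's text forbids (link-layer DUID plus an address that is evidently not burned in) is reported. The `parse_options` length checks are the part a low-end device would still need even with a "simpler" fixed-structure format, since an option-len that overruns the packet is the classic TLV parsing bug.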