Re: [dhcwg] Discusses on draft-ietf-dhc-relay-server-security-04

"Bernie Volz (volz)" <volz@cisco.com> Tue, 11 April 2017 20:46 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99BD7128D6F; Tue, 11 Apr 2017 13:46:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1evWksPSDwIm; Tue, 11 Apr 2017 13:46:24 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B28BE127876; Tue, 11 Apr 2017 13:46:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7402; q=dns/txt; s=iport; t=1491943582; x=1493153182; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=mp0PEOkwFJhCQXqO5jg094+Ebny9FP0IHUKeixgyPnE=; b=llb+sRoNiH+T7VeUgQpfIaaiMlpl78XCtp5YWMsH10OiLcn/mDJw7lFv 299y5jHZEfSB49PqbypN5rKoz09wJ6r/+SpprVNpINZb73KZDKVrJoSe2 EcCsRj/03ZLKWU2KkuP485+OhkdNvEbxVa8CjhhnNdaXhHWCI1/uNeCXa s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ChAwAUQO1Y/4sNJK1cGgEBAQECAQEBA?= =?us-ascii?q?QgBAQEBg1OBc4NfihORMJV3gg+GJByDST8YAQIBAQEBAQEBayiFFgYjET4HEgE?= =?us-ascii?q?GAhoCJgIEMBUSBA6KFYtFnV2CJop5AQEBAQEBAQEBAQEBAQEBAQEhgQuHSgmCY?= =?us-ascii?q?oRAFoMGLoIxBZx/AZJdgX+JC4Y6iGSLHAEfOIEFWxVSAYRJHIFjiRWBDQEBAQ?=
X-IronPort-AV: E=Sophos;i="5.37,187,1488844800"; d="scan'208";a="229913171"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Apr 2017 20:46:21 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v3BKkLtm023710 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 11 Apr 2017 20:46:21 GMT
Received: from xch-aln-003.cisco.com (173.36.7.13) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 11 Apr 2017 15:46:21 -0500
Received: from xch-aln-003.cisco.com ([173.36.7.13]) by XCH-ALN-003.cisco.com ([173.36.7.13]) with mapi id 15.00.1210.000; Tue, 11 Apr 2017 15:46:20 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: The IESG <iesg@ietf.org>
CC: "draft-ietf-dhc-relay-server-security@ietf.org" <draft-ietf-dhc-relay-server-security@ietf.org>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: Discusses on draft-ietf-dhc-relay-server-security-04
Thread-Index: AQHSswSs71iIwTeLpU2y2ac6ttYMYA==
Date: Tue, 11 Apr 2017 20:46:20 +0000
Message-ID: <5320BC41-545C-4510-89AC-9C62460E80CA@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.131.33.12]
Content-Type: text/plain; charset="utf-8"
Content-ID: <20B6EB33314F4A4E9084F929FE5845DD@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/qnnivWPwr7Wx-wmFz5adg4YBDTI>
Subject: Re: [dhcwg] Discusses on draft-ietf-dhc-relay-server-security-04
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2017 20:46:26 -0000

Hi:

Regarding the discusses:

1. Eric Rescorla Discuss (2017-04-07)
What's not clear to me from reading this document is whether anyone
actually does IPsec for DHCP relaying. If so, what configurations do
they run it in? If not, will they do so as the result of this
document?
 
Answer: I do not know if anyone actually uses IPsec. The RFC3315 mechanism was optional and did not provide encryption so it may not have ever been used. Therefore, I do not know what anyone actually does today (if anything). Those using DHCP that I am aware of with relays do not.

The hope is that more would use this more robust version, and those operators that find it important to do so will require it of their relay and server vendors by purchasing implementations that support this to-be-RFC.

2. Warren Kumari Discuss (2017-04-08)
This document says that it "replaces the text in RFC3315 Section 21.1.", but it does not have an Updates tag. It is also contains a large blob of RFC3315, with clear explanation of what exactly changed.

ANSWER: If we said Updates, that would mean it would likely become a new required standard for those implementing RFC 3315. For many DHCP items, we only use the Updates tag when there is a “required” change in earlier documents. This is not “required” – it is an optional feature that vendors can chose to implement and operators can choose to use/require of their vendors to implement. Regarding the text, much of it is similar to what was in RFC 3315 because it is specifying the full IPsec specification. The main things that changed are that it is required (if you want to claim conformance to this to-be-RFC, whereas if you say you comply with 3315 there is no requirement to implement IPsec) and the use of encryption.


The writeup says "Even though this I-D introduces changes to RFC3315, the WG doesn't want to enforce IPsec encryption on every DHCPv6 server. Therefore, it does not update RFC3315." -- so, if I'm writing a new DHCPv6 implementation, do I need to support this? The document reads like it tries to update 3315, but the writeup says otherwise -- once published, no-one will read the shepherd writeup. I think that the document itself needs to be clearer that this is an optional extension (so if I want to buy an implementation which does this, I ask for RFC3315 and RFCxxxx).

ANSWER: Whether you implement this IPsec requirement in the to-be-RFC is an implementation choice. There is no requirement to implement this to-be-RFC. And operators that wish to use IPsec must require their vendors to implement this to-be-RFC. So there would be implementation that comply with RFC 3315 and this-to-be-RFC. This will make it clear to anyone desiring relays or servers whether they can use IPsec based on whether they implement this-to-be-RFC. This is not much different than other DHCP extensions – such as Bulk or Active Leaseuquery – these are not part of the base specification but OPTIONAL features documented in other RFCs.


I also do not understand the relationship between this document (which talks about text RFC3315), and draft-ietf-dhc-rfc3315bis (which is currently in WGLC) -- if rfc3315bis is almost done, should this reference that instead? Or should rfc3315bis simply incorporate this?

ANSWER: 3315bis has this exact same text EXCEPT it is optional. When working on 3315bis we did not feel that it was worth documenting the old IPsec “rules” from 3315 as they were weak and not very useful. But again, we did not want to make IPsec required as part of 3315bis. Also, we wanted this to-be-RFC to be available sooner than 3315bis might be. We could certainly discuss REMOVING IPsec text from 3315bis and just referring to this to-be-RFC. That in the end may be cleaner.


Comment (2017-04-08)
I found the document confusing -- it says that it REQUIRES IPsec for DHCPv4 and DHCPv6, but it reads like it is requiring that operators enable this, not that implementations have to support this; what exactly is is trying to do? 
I think that it would be much clearer if it said that implementations of this document must support IPsec and that operators are recommended to enable it (assuming that it what it means).

ANSWER: Is it both – for vendors to implement and for operators to use. It requires both because of key management. If you prefer we can certainly add a sentence or reword some existing text to says “implementations of this document must support IPsec and that operators are recommended to enable it”. Perhaps replace:

   For DHCPv6 [RFC3315], this specification REQUIRES IPsec encryption of
   relay to relay and relay to server communication and replaces the
   text in RFC3315 Section 21.1.

   For DHCPv4 [RFC2131], this specification REQUIRES IPsec encryption of
   relay to server communication.

With something like:

   For DHCPv6 [RFC3315], this specification REQUIRES relay and server
   implementations to support IPsec encryption of relay to relay and
   relay to server communication as documented below (this replaces
   the text in RFC3315 Section 21.1).

   For DHCPv4 [RFC2131], this specification REQUIRES relay and server
   implementations to support IPsec encryption of relay to server
   communication as documented below.

   This specification RECOMMENDS that operators enable IPsec for this 
   communication.

- Bernie Volz