IETF Logo Mail Archive

Re: [dhcwg] Questions about layer two relay agents in dhcpv4...

Pavan Kurapati <pavan.kurapati@gmail.com> Sun, 15 August 2010 05:57 UTC

Return-Path: <pavan.kurapati@gmail.com>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BCB63A688A for <dhcwg@core3.amsl.com>; Sat, 14 Aug 2010 22:57:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxCNreBNvp5w for <dhcwg@core3.amsl.com>; Sat, 14 Aug 2010 22:57:54 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id EED153A67E6 for <dhcwg@ietf.org>; Sat, 14 Aug 2010 22:57:53 -0700 (PDT)
Received: by iwn3 with SMTP id 3so495301iwn.31 for <dhcwg@ietf.org>; Sat, 14 Aug 2010 22:58:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=VhyWgr1s/C9TD5rXEa7DFgEZJVSCjuyUKVa+zTBpxPg=; b=N8cvRzBEx8PAPCLsYJ7Jp1bOlUa5QvqVt1mq82FHfbKWZQBzMjmioLljNLCRoaVanG 0SuEC9cc1+BQ002I0j4EHsQAGJWDO7k4QHZhO/14jIb5UdU/Dxro/+uNJkBh2xzItN+O vbSNm5H1dv3ENEXufPbV90Or02XOMrWsbVC3w=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=deOITwlOPDPqvRbwGfmeBMEo49lIKWH/5s74uRv6EhKev5Dhj+nPZ59VX5/p9vjVWN yShu6SUJwsLlTgqUHcpiizd+DZsQBzWtAoinlgbr2CYpAzIF0GoWopP1fOyut1tfOAsJ SBr935naw9Fc/fVLAVJa7ArcoyeIMKTBlQN34=
MIME-Version: 1.0
Received: by 10.42.36.139 with SMTP id u11mr889285icd.36.1281851910165; Sat, 14 Aug 2010 22:58:30 -0700 (PDT)
Received: by 10.42.7.12 with HTTP; Sat, 14 Aug 2010 22:58:30 -0700 (PDT)
In-Reply-To: <8B2420CE-026D-465D-9256-B2DA76310CE1@fugue.com>
References: <8B2420CE-026D-465D-9256-B2DA76310CE1@fugue.com>
Date: Sun, 15 Aug 2010 11:28:30 +0530
Message-ID: <AANLkTim7DnhAL+rWALCnxHGjWdytA7vQardcvKKSLr-6@mail.gmail.com>
From: Pavan Kurapati <pavan.kurapati@gmail.com>
To: Ted Lemon <mellon@fugue.com>
Content-Type: multipart/alternative; boundary="90e6ba180fecc296cc048dd66760"
Cc: "dhcwg@ietf.org Group" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Questions about layer two relay agents in dhcpv4...
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Aug 2010 05:57:55 -0000

Hi Ted,
 While I agree to the concern that you mentioned below (of MTU and security
aspect if RAIO is not stripped) the reason behind the text was not because
it would take a different path. If we assume that layer 2 relay agents
intercept only broadcasted messages and add RAIO, DHCPDISCOVER and
DHCPREQUEST will be intercepted (since they are broadcast) and RAIO  will be
added by the L2RA. However if the DHCP server is unicasting the DHCPOFFER
and DHCPACK respectively to the clients, it will not be intercepted by the
l2ra hence the RAIO may leak to the client.

Having said that, in actual deployments, L2RAs usually intercept the
messages whether it is unicast or broadcast hence this situation generally
would not arise. We had put that text in place after receiving some reviews
that there are L2 relays existing which do not intercept the unicast
messages.

Thanks,
Pavan


On Sat, Aug 14, 2010 at 11:58 PM, Ted Lemon <mellon@fugue.com> wrote:

> I'm in the process of writing the section in the relay agent encapsulation
> draft that describes how relay agents forward messages toward clients.   In
> doing so, I encountered a fairly serious problem with the current l2ra
> specification.   It looks like the authors of the l2ra specifications, and
> possibly also implementors of existing l2ra devices, have had some
> experience with this, so rather than just writing new text, I wanted to pose
> some questions.
>
> First, the l2ra draft says that an l2ra may intercept a message and append
> a relay agent information option (RAIO) to it.   If that happens, then on
> the way back, if the message is unicast, the l2ra may or may not intercept
> the message and strip the RAIO.   If it does not, the client will receive
> the RAIO.
>
> This is an obvious no-no.   But I'm convinced this text is there for a
> reason.   I presume that the reason is that the authors envisioned a
> scenario where the message from the client to the server would pass through
> the l2ra, but on the way back it would take a different path, and hence
> could not be intercepted.
>
> There's no way to support this scenario with relay agent encapsulation,
> because the client will be unable to process a RELAYREPLY message.   And I
> think it's wrong to support this scenario even with regular l2ra, because
> while the client probably can process the packet, RFC3046 allows the DHCP
> server to make the message bigger than the default maximum message size, as
> long as the message, stripped of the RAIO, would be smaller.   So in that
> case the message the client received would be out of spec--too big.   Also,
> potentially there might be a problem with information leakage, where the
> client would gain access to RAIO information it shouldn't have access to.
>
> So my question is this: is it true that the text in the l2ra draft that
> allows the l2ra to not strip the RAIO is motivated by the possibility that
> the reply from the server might take a different path back to the client?
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
>

v2.23.0 | Report a Bug | By Email