IETF Logo Mail Archive

Re: [dhcwg] recommendation on DHCP6 source port numbers

Bernie Volz <bevolz@gmail.com> Fri, 01 March 2024 10:45 UTC

Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98B3EC14F5ED for <dhcwg@ietfa.amsl.com>; Fri, 1 Mar 2024 02:45:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zGPA_Xs8vh4L for <dhcwg@ietfa.amsl.com>; Fri, 1 Mar 2024 02:45:36 -0800 (PST)
Received: from mail-oo1-xc35.google.com (mail-oo1-xc35.google.com [IPv6:2607:f8b0:4864:20::c35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA34FC15106F for <dhcwg@ietf.org>; Fri, 1 Mar 2024 02:45:36 -0800 (PST)
Received: by mail-oo1-xc35.google.com with SMTP id 006d021491bc7-5a0d96012d0so943017eaf.3 for <dhcwg@ietf.org>; Fri, 01 Mar 2024 02:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709289935; x=1709894735; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=ycx+qvzzYFq8ieYoEQ0iH+xlkPhSKjTG3DiSFZPTsbg=; b=jyh2hgNmR18h7qjsfS7niyWDXfmttvjzwDpUvM15Vmn3bssSmhAaHKac0W65mdF5fc 53ze4PriwF70AJENW4YtAcLoZn4XTCCciTQIGJ+MEMQZJ7Cn6tO7eZw26fde5qI3wJja 3JsTt3scQ3lCJ0IEqyJblQS0UDxp4JC5iwHPffmb4xBQXbMXBR5gm9mgqS59/6ze5r7w pF0L+t3Q5ZoYesVYn8oD2ASI/9M74JbMeQCTNkIgnlk0aAQBBHMliKM4Yn297L4hF0ja s4TjUaLPWVvs0H6uD5ycphASfEpT+ZczlEvu6te+Wttfe545aCEkmmP2UJMTfCriw/iO peBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709289935; x=1709894735; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ycx+qvzzYFq8ieYoEQ0iH+xlkPhSKjTG3DiSFZPTsbg=; b=toZWW8BKPRgvqWePGNm++p/dqgoo+C3QSzw1A8Cqp/YtGJjFSjISkhQlCGECAj27kn MGSEkY2BYqiu+gwcMQfZe7oITAC6c4hOWMX2hy1gIpGuCbGTBhe56PHAoylY18hVOmzb 73KVhFceI4D6Ugl23YWxUYoKPImiDrIwCabIqosOG1N6H17+Ypu1EBbUw/F5+BF/URic OYRRI1RtJJCJA+H9INFQ9R6Ujf57pgBAN5VIgK4zzgg2mXPXkznPs3/voQd8Lj5JPufN 3txIYCizcH32nLXo0HQbmFIykm1rh7GwAVPeyG8SzKCazACqKvSiHpdmLbwQu+qPvwFN i5Gg==
X-Forwarded-Encrypted: i=1; AJvYcCWOBPUrFxasHX9L/ijdamzIGMpe1CYQJrPX1A/DZ5BNxyTj7+t2YBoghzFVjj7UjigEkzY304yWFGNQRXTNaQ==
X-Gm-Message-State: AOJu0Yz4Owlcpwie3h4WPfS/PfZbvVu2niKLJbUzYGJXEUviepNbTqmW ktGKBxJIKGdfdVHH2ydCTyM/++vT3tr4qVYfUPGWdqra0FM/XdKgLerw1JlIr0lr
X-Google-Smtp-Source: AGHT+IHglKzq7YNOho0LgYF20PxeUUTIbp8mkYnSsf1pkHSbRN1nrtn9JElyNAscwU0269UB9nJSWw==
X-Received: by 2002:a05:6359:420c:b0:17b:b541:2f1 with SMTP id kn12-20020a056359420c00b0017bb54102f1mr1027087rwb.19.1709289934854; Fri, 01 Mar 2024 02:45:34 -0800 (PST)
Received: from smtpclient.apple (d-69-161-122-95.nh.cpe.atlanticbb.net. [69.161.122.95]) by smtp.gmail.com with ESMTPSA id of3-20020a056214434300b0068ff6350607sm1737880qvb.12.2024.03.01.02.45.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Mar 2024 02:45:34 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 01 Mar 2024 05:45:23 -0500
Message-Id: <E34659EE-1EFF-4B26-8C30-9E6C94715508@gmail.com>
References: <20240301.132600.531322798554788835.tsahara@iij.ad.jp>
Cc: lorenzo@google.com, otroan@employees.org, dhcwg@ietf.org
In-Reply-To: <20240301.132600.531322798554788835.tsahara@iij.ad.jp>
To: Tomoyuki Sahara <tsahara@iij.ad.jp>
X-Mailer: iPad Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/rhqz4mEFlBw9tppt_um0I6hGaDY>
Subject: Re: [dhcwg] recommendation on DHCP6 source port numbers
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2024 10:45:40 -0000

>  (b) sends response messages to the source port of the request message.

This server is broken and needs to follow the RFC.

Yes, you could fix this by changing client to send from 546 source port. But it is server that is broken and should be fixed.

And it is usually a lot easier to fix (& update) a few servers than lots of clients.

- Bernie (from iPad)

> On Feb 29, 2024, at 11:26 PM, Tomoyuki Sahara <tsahara@iij.ad.jp> wrote:
> 
> 
>> 
>> That would not solve anything for (b) clients.
> 
> Yes.  The recomendation is not for the existing clients but
> for new client implementations.
> 
> Consider 3 new DHCP6 client implementations:
> 
>  (C1) sends messages from 546 and receives messages on 546.
>  (C2) sends messages from 12345 (a random port) and receives messages
>      on 546.
>  (C3) sends messages from 12345 and receives messages on 12345.
> 
> and 2 existing DHCP6 servers on the market:
> 
>  (a) sends response messages to 546.
>  (b) sends response messages to the source port of the request message.
> 
> (C1) interoperates with both (a) and (b).
> (C2) interoperates with (a) but does not interoperate with (b).
> (C3) does not interoperate with (a) but interoperates with (b).
> 
> (C1) and (C2) follow the specification to listen on 546.  But (C2) does
> not interoperate with (b).  So, I have recommended (C1) - sending
> messages from the standard source port.
> 
> 
> Thanks,
> Tomoyuki
> 
>> Yes, that is correct - (a).
>> 
>> If a client does (b), it would never get any messages from server.
>> 
>> To interoperaate with both (a) and (b), we should
>> send request messages from the standard source port number 546/547.
>> 
>> That would not solve anything for (b) clients. The source port doesn’t
>> matter to them if they are waiting for traffic on another port.
>> 
>> - Bernie
>> 
>> On Feb 29, 2024, at 2:23 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>> 
>> Isn't b) a violation of the RFC? If a client sends a message from port
>> 12345 to 547, then shouldn't the server send the message to destination
>> port 546, since the RFC says "clients listen for DHCP messages on UDP
>> port 546"?
>> 
>> On Thu, Feb 29, 2024 at 4:19 PM Tomoyuki Sahara <tsahara@iij.ad.jp>
>> wrote:
>> 
>> The clarification text should be helpful for new DHCP6 implementers
>> and network operators who write firewall rules.
>> 
>> But when client/server received a request message from a random
>> port,
>> which port should they send a response message to?  There are two
>> types
>> of implementations on the market (and on my desk):
>> 
>>  (a) returns to 546/547.
>>  (b) returns to the source port of the request message.
>> 
>> (a) follows the text in RFC8415 strictly.  (b) follows normal UDP
>> communication rules.  To interoperaate with both (a) and (b), we
>> should
>> send request messages from the standard source port number 546/547.
>> That is not obvious and I think it is worth mentioning that in the
>> spec.
>> 
>> Thanks,
>> Tomoyuki
>> 
>>> Yes, I got it wrong. Been a while since that part of the code was
>> done.
>>> 
>>> I agree with Lorenzo:
>>> 
>>> I do think the current text is ambiguous. In practice it allows
>>> arbitrary source ports, but because this is unusual, implementers
>> might
>>> assume that the other side is using the same port to send and
>> receive.
>>> Such an implementation might not interoperate. So if we think the
>>> behaviour is OK, then we should clarify the text to say that the
>> source
>>> port is not specified and clients and servers need to be prepared
>> to
>>> receive messages from arbitrary source ports.
>>> 
>>> We do allow arbitrary source ports and as there are lots if
>> implementations
>>> in existence with that behavior, we should just clarify it: "The
>> source
>>> port is not specified and clients, servers, and relay agents need
>> to be
>>> prepared to receive messages from arbitrary source ports."
>>> 
>>> - Bernie
>>> 
>>> On Feb 28, 2024, at 3:28 AM, Lorenzo Colitti <lorenzo@google.com>
>> wrote:
>>> 
>>> FWIW the Android client binds to port 546 and does not connect()
>> the
>>> socket but uses sendto(). So it will send packets from port 546
>> and it
>>> will receive any packet to port 546 regardless of the source port
>> used
>>> by the server. So I guess that happens to be correct.
>>> 
>>> Having the client send from 12345 -> 547 and the server send from
>> 33333
>>> -> 546 is sort of unusual - usually each party in a connection
>> will use
>>> the same source port for sending and receiving - but DHCPv6 is not
>> a
>>> connected protocol (e.g., some of the messages are multicast and
>> some
>>> are unicast), so...
>>> 
>>> I do think the current text is ambiguous. In practice it allows
>>> arbitrary source ports, but because this is unusual, implementers
>> might
>>> assume that the other side is using the same port to send and
>> receive.
>>> Such an implementation might not interoperate. So if we think the
>>> behaviour is OK, then we should clarify the text to say that the
>> source
>>> port is not specified and clients and servers need to be prepared
>> to
>>> receive messages from arbitrary source ports.
>>> 
>>> On Wed, Feb 28, 2024 at 4:47 PM Ole Troan
>>> <otroan=40employees.org@dmarc.ietf.org> wrote:
>>> 
>>> Bernie,
>>> 
>>>> No. Normal UDP communication rules apply. A client sends traffic
>>> to a well-known destination port and it is free to select whatever
>>> port number it likes as the source port. The server’s response is
>>> sent from that well known port (as source port) and sent to the
>>> client’s selected port (as destination port). This is normal
>>> communication and dhcpv6 follows it. That is why nothing is said
>> or
>>> needs to be said about the client source port.
>>> 
>>> I’m with Tomoyuki here.
>>> 
>>> "
>>> 7.2. UDP Ports
>>> 
>>> Clients listen for DHCP messages on UDP port 546. Servers and
>> relay
>>> agents listen for DHCP messages on UDP port 547.
>>> 
>>> “
>>> 
>>> Just checked my little scapy based DHCPv6 server and I do:
>>> 
>>>       reply = (Ether(src=self.interface_info.mac, dst=request
>>> [Ether].src) /
>>>                    IPv6(src=self.interface_info.ip6ll,
>> dst=request
>>> [IPv6].src) /
>>>                    UDP(sport=547, dport=546) /
>>>                    DHCP6_Reply(trid=trid) /
>>>                    DHCP6OptServerId(duid=self.duid) /
>>>                    DHCP6OptClientId(duid=clientduid) /
>>>                    DHCP6OptIA_NA(iaid=request
>> [DHCP6OptIA_NA].iaid,
>>> T1=t1, T2=t2,
>>>                                  ianaopts = DHCP6OptIAAddress
>>> (addr=ipv6,
>>> 
>>> preflft=self.preflft,
>>> 
>>> validlft=self.validlft)
>>>                    )
>>> 
>>> I couldn’t find any text supporting your position Bernie.
>> Although
>>> I would be fine if that was also the outcome.
>>> As another implementor I cannot figure out what the correct
>>> behaviour is from the RFC.
>>> 
>>> Cheers,
>>> Ole
>>> 
>>>> - Bernie Volz
>>>> 
>>>>> On Feb 26, 2024, at 1:00 AM, Tomoyuki Sahara
>>> <tsahara=40iij.ad.jp@dmarc.ietf.org> wrote:
>>>>> 
>>>>> Hi, DHC wg members:
>>>>> 
>>>>> Can we make recommendations on source port numbers of DHCP6
>>> messages
>>>>> in rfc8415bis?
>>>>> 
>>>>> DHCP6 specification says that DHCP6 clients and servers listen
>> on
>>> UDP
>>>>> port 546 and 547 respectively, in RFC8415 section 7.2.  It
>>> implies
>>>>> that DHCP6 clients MUST send messages to UDP port 547 (server
>>> port) and
>>>>> servers MUST send messages to UDP port 546 (client port) to
>> work
>>> with
>>>>> their counterpart correctly (though restrictions can be relaxed
>>> with
>>>>> RFC8357 for relays).
>>>>> 
>>>>> But it says nothing about source port numbers.  Without any
>>>>> restrictions, some implementations use ephemeral source port
>>>>> (e.g. 12345) to send their messages.  DHCP6 conversations look
>>> like:
>>>>> 
>>>>> 1. client send Solicit    fe80::2#49876    -> ff02::1:2#547
>>>>> 2. server send Advertise  fe80::1#547      -> fe80::2#546 (!)
>>>>> 3. client send Request    fe80::2#49877(?) -> ff02::1:2#547
>>>>> 4. server send Confirm    fe80::1#547      -> fe80::2#546
>>>>> 
>>>>> This behavior is not prohibited by the specification but makes
>>>>> confusions for DHCP6 implementer and network/firewall operators
>>> (*1).
>>>>> Most Internet protocols nowadays assume that servers send
>>> response
>>>>> messages from the port number they received on.
>>>>> (*1 e.g. https://bugzilla.redhat.com/show_bug.cgi?id=952126 )
>>>>> 
>>>>> In my humble opinion, it is too late to require that DHCP6
>> client
>>> and
>>>>> server MUST send messages from the fixed port number (546/547)
>>> because
>>>>> there are too many DHCP6 implementations in the wild.  But
>> making
>>> a
>>>>> recommendation is helpful for new implementations/deployments
>> of
>>> DHCP6.
>>>>> 
>>>>> An idea to make such recommendation is adding a text in
>>> rfc8415bis:
>>>>> 
>>>>> OLD:
>>>>>  7.2. UDP Ports
>>>>>    Clients listen for DHCP messages on UDP port 546.  Servers
>>> and
>>>>>    relay agents listen for DHCP messages on UDP port 547.
>>>>> 
>>>>> NEW:
>>>>>  7.2. UDP Ports
>>>>>    Clients listen for DHCP messages on UDP port 546.  Servers
>>> and
>>>>>    relay agents listen for DHCP messages on UDP port 547.
>>>>> 
>>>>>    Clients are RECOMMENDED to send DHCP messages from UDP port
>>> 546.
>>>>>    Servers and relay agents are RECOMMENDED to send DHCP
>>> messages
>>>>>    from UDP port 547 (unless relay agent includes Relay Source
>>> Port
>>>>>    Option for DHCP6 [RFC8357]).
>>>>> 
>>>>> I know WGLC has been concluded but I believe the
>> recommendations
>>> above
>>>>> encourage new implementations to use the standard DHCP6 port
>>> numbers
>>>>> on UDP source port.
>>>>> 
>>>>> 
>>>>> Best regards,
>>>>> Tomoyuki Sahara
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> dhcwg mailing list
>>>>> dhcwg@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>> 
>>>> _______________________________________________
>>>> dhcwg mailing list
>>>> dhcwg@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>> 
>>> _______________________________________________
>>> dhcwg mailing list
>>> dhcwg@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email