Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03
"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 29 July 2008 14:55 UTC
Return-Path: <dhcwg-bounces@ietf.org>
X-Original-To: dhcwg-archive@megatron.ietf.org
Delivered-To: ietfarch-dhcwg-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26FE13A6B84; Tue, 29 Jul 2008 07:55:51 -0700 (PDT)
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B801F3A6B99 for <dhcwg@core3.amsl.com>; Tue, 29 Jul 2008 07:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.442
X-Spam-Level:
X-Spam-Status: No, score=-6.442 tagged_above=-999 required=5 tests=[AWL=-0.158, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AEH2my-qKD0g for <dhcwg@core3.amsl.com>; Tue, 29 Jul 2008 07:55:48 -0700 (PDT)
Received: from slb-smtpout-01.boeing.com (slb-smtpout-01.boeing.com [130.76.64.48]) by core3.amsl.com (Postfix) with ESMTP id 2614C3A6927 for <dhcwg@ietf.org>; Tue, 29 Jul 2008 07:55:48 -0700 (PDT)
Received: from blv-av-01.boeing.com (blv-av-01.boeing.com [130.247.48.231]) by slb-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id m6TEtZ1N007711 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 29 Jul 2008 07:55:35 -0700 (PDT)
Received: from blv-av-01.boeing.com (localhost [127.0.0.1]) by blv-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id m6TEtYXp021245; Tue, 29 Jul 2008 07:55:34 -0700 (PDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by blv-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id m6TEtXJq021207; Tue, 29 Jul 2008 07:55:34 -0700 (PDT)
Received: from XCH-NW-7V2.nw.nos.boeing.com ([130.247.54.35]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 29 Jul 2008 07:55:34 -0700
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 29 Jul 2008 07:55:28 -0700
Message-ID: <39C363776A4E8C4A94691D2BD9D1C9A1029EE1A0@XCH-NW-7V2.nw.nos.boeing.com>
In-Reply-To: <20080729132332.GN7179@steelhead.localdomain>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dhcwg] draft-pruss-dhcp-auth-dsl-03
Thread-Index: AcjxflGxp7yda4wRQXyJnG+rSZrAwAACIZyQ
References: <52CF1BCD-9BEF-4A01-869B-F20A2C72B4C6@cisco.com> <39C363776A4E8C4A94691D2BD9D1C9A1029EE195@XCH-NW-7V2.nw.nos.boeing.com> <20080729132332.GN7179@steelhead.localdomain>
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Yoshihiro Ohba <yohba@tari.toshiba.com>
X-OriginalArrivalTime: 29 Jul 2008 14:55:34.0085 (UTC) FILETIME=[2738EF50:01C8F18B]
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
>-----Original Message----- >From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] >Sent: Tuesday, July 29, 2008 6:24 AM >To: Templin, Fred L >Cc: Richard Pruss; dhcwg@ietf.org >Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 > >On Mon, Jul 28, 2008 at 09:28:27AM -0700, Templin, Fred L wrote: >> I haven't touched 'draft-templin-dhcpmtu' since the >> last time this subject came up, but AFAICT it will >> still work fine even if relay agent information >> options are inserted. >> >> Per RFC3046: >> >> "A DHCP relay agent adding a Relay Agent Information >field SHALL add >> it as the last option (but before 'End Option' 255, if present) in >> the DHCP options field of any recognized BOOTP or DHCP packet >> forwarded from a client to a server." >> >> So, as long as 'draft-templin-dhcpmtu' is updated to >> say that the reassembly process ignores any relay agent >> information options the DHCP fragmentation/reassembly >> will still work fine. > >One issue with 'draft-templin-dhcpmtu' is that essentially there is a >possibility of collision of fragments generated by multiple DHCP >clients using 0.0.0.0 address. This is because IP source address, the >'xid' field in the DHCP message header, and the Identification field >in the DHCP fragment option are used for reassembly, and it is >possible that multiple DHCP clients prior to address allocation happen >to use the same set of values for them. You are kidding, right? True, we don't have an IP source address (the whole reason for considering this approach) but we do have 2 32bit randomly-chosen fields. That gives 64bits of uniqueness, and the probability for collision for two nodes selecting randomly-chosen 64bit IDs is "vanishingly small" as analyzed in RFC4429, Appendix A. The probability of collision is certainly negligible when compared to that for IP fragmentation which uses a fixed 32bit IP source address plus 16bit ip_id. In fact, draft-templin-dhcpmtu as it stands is overkill along several different vectors. First, the sprite-mtu checksum is completely unnecessary when we have such high assurance against misassociating fragments during reassembly. Secondly, the 32bit Identification field is overkill when we consider that we already have a randomly-chosen 32bit xid and that ordinary use cases would not have millions of nodes on the same link trying to bootstrap themselves at the same time. Also, the UDP checksum will catch most reassembly errors if fragment misassociation somehow occurs. Finally, how bad could it be if a reassembly error actually slipped past the UDP checksums? The server would get confused and discontinue processing of the message, and the client would time out and try again. These factors (plus some easily-fixed errors such as failure to observe the 255 byte length restriction for DHCP options) seem like reason enough to revive the draft. Thanks - Fred fred.l.templin@boeing.com > >Yoshihiro Ohba > >> >> Ric is right that the normal-case link MTU is 1500 bytes, >> but there is a remote possibility of smaller link MTUs >> and/or larger DHCP messages; draft-templin-dhcpmtu' >> addresses both possibilities. The approach would be >> for the DHCP AUTH client to try w/o fragmentation first, >> then try again using fragmentation if the unfragmented >> attempt fails. >> >> Fred >> fred.l.templin@boeing.com >> >> >> >-----Original Message----- >> >From: Richard Pruss [mailto:ric@cisco.com] >> >Sent: Sunday, July 27, 2008 4:47 AM >> >To: Yoshihiro Ohba >> >Cc: dhcwg@ietf.org >> >Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 >> > >> >Thanks for your comments, >> > >> >On 27/07/2008, at 10:19 AM, Yoshihiro Ohba wrote: >> > >> >> I have a couple of comments on new dhcp-auth I-D. >> >> >> >> - It still does not seem to address the issue of the difference in >> >> retransmission directions. Especially I am not sure how dhcp-auth >> >> works when EAP-Success/Failure gets lost. >> >> >> >> - Comment on fragmentation. The current draft says that >> >there is over >> >> 200-octet space available more than the EAP MTU of 1020 octets. >> >> However, I am not sure that if over 200-octet space is really >> >> sufficient for 1500-octet MTU considering that DHCP relay agent >> >> information option can be inserted by DHCP relay agent as well as >> >> there can be 'shim' layers below IP. >> > >> >Relay's typically add only port information so I think we can >> >be quiet >> >safe with our 200 bytes >> >also considering the real world EAP packet sizes. >> > >> >- Ric >> > >> > >> >> >> >> >> >> - DHCP EAP request response message can be more confusing, >> >considering >> >> the new extension to EAP such as ERX >(draft-ietf-hokey-erx) where two >> >> new messages are defined that are neither request nor response. >> >> Considering ERX, I would strongly discourage combining >DHCP and EAP >> >> because ERX can make integration of DHCP and EAP even >more difficult. >> >> It is best if we separate IP address configuration from >> >network access >> >> authentication. >> >> >> >> Regards, >> >> Yoshihiro Ohba >> >> >> >> On Fri, Jul 25, 2008 at 08:41:44AM +1000, Richard Pruss wrote: >> >>> Hi, >> >>> >> >>> To help the discussion next week I was prompted to put out a >> >>> summary of >> >>> changes. >> >>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03 >> >>> >> >>> We have tried in this version to address concerns raised >in IETF 70. >> >>> Jari and Ralph's preso may remind you of those: >> >>> http://www.ietf.org/proceedings/07dec/slides/intarea-2/sld1.htm >> >>> >> >>> We have added a first draft proposal for DHCPv6 messages for a >> >>> limited >> >>> set of IPv6 deployments. >> >>> >http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03#section-5.2 >> >>> >> >>> We now have added a DHCP relay model to the DHCP >> >proxy/server model >> >>> that >> >>> was the document model. >> >>> (DHCP proxy is a term used in the DSL architectures, where >> >the BRAS >> >>> acts >> >>> as a server to the client.) >> >>> >> >>> We have added a section on fragmentation. >> >>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03#section-8 >> >>> >> >>> The DHCP EAP request response messages are now separate >messages to >> >>> possibly make the flow clearer >> >>> and hopefully make the discussion around DHCP vs EAP >retransmission >> >>> responsibility easier for people to understand. >> >>> >> >>> There is a section on backwards compatibility and a >number of cases >> >>> considered, no updates to that but it addresses one of the >> >bullets on >> >>> the slides in IETF-70. >> >>> >> >>> - Ric >> >>> >> >>> _______________________________________________ >> >>> dhcwg mailing list >> >>> dhcwg@ietf.org >> >>> https://www.ietf.org/mailman/listinfo/dhcwg >> >>> >> > >> >_______________________________________________ >> >dhcwg mailing list >> >dhcwg@ietf.org >> >https://www.ietf.org/mailman/listinfo/dhcwg >> > >> >> > _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-pruss-dhcp-auth-dsl-03 Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Alan Kavanagh
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Templin, Fred L
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Alan Kavanagh
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03 Templin, Fred L