IETF Logo Mail Archive

Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

Bernie Volz <bevolz@gmail.com> Sat, 13 August 2022 14:21 UTC

Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93B11C157B41 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iigho6ayuhPe for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:21:02 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA529C157B37 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:21:02 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id b2so2704871qkh.12 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:21:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=iyaq9t5vU7HGI6ldsDWZ1778NIMuyab7u8U2Htw2tk4=; b=QQrjlMSzcircv/y3TNJYDORYbYrvbb0l3pTTVKGEeSwxfKev0RJQ0sq8Rmcwv1YUGz V+rsoCty5LfLXPMHnSrAk8DU83zUWuc2qeTmaOKFGgV1MxB4xmG90mbDWbDmngJRcUN8 aS+XdV5PZaGsPFbYh+A7ME8ZzsB5640sBekAB0zQ+YGlmKqgsBOlXAgMt0l7dxBxMjBM PKg8sbIhZHgJA8OGtzMjxAdGUWsu0QalKTpjh9ZbyZHYud8sMi3hH27/MDvUb4iICkBL e6w4EBp8WiNE/bxhAfvYuTgRbbRgcePt+IxhBtBt5VS5muYH7ag+hwscR+AFVCqN7LQa 8v9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=iyaq9t5vU7HGI6ldsDWZ1778NIMuyab7u8U2Htw2tk4=; b=jNaacYn9HbSle3sPBF2HPTANCeQe5YHDVm9PeUrG+YPd/gkb0XZ6Njj2G6I0lGqm7e vzkYMgoBO6XYkZeWogmY3dB+7CWyUmeGJaA2HhIQK7ubJALruOmOyDsnbzlMhNXJ4eOk mnlEKmqJuRc8YXIHvAuEkVWKjajBvre6vD6kfzJlIvvk4j6t9OHwTvMBp9THKr9PHeKI uXsoX0H7vz7CK9D6VRdzEx/NMvU6gTQ/hGDoxNxxEmgykRddLJzkPDLc2nVT9cNes49q ivqG2aH3dYlrUDqqydrbVgjGavsLvUHjAJFiXbKKGzPajeWF+2NLFlP9lBgIX9inldoh JGWw==
X-Gm-Message-State: ACgBeo3I0iHexFWkF70jT5wEs95kHTapOG/jDZ/lEgqpoMMfENpKgbRx Nkp/FgPnc3hQkdFtifcxcLSt1aaJZQ==
X-Google-Smtp-Source: AA6agR7EDvuCc4yJj48xcRPUQA+WyqLMHiWrJTqRoP25faohxO+yyIBrYI8a4ILz7Bw4/idiDIu5Gw==
X-Received: by 2002:a05:620a:288f:b0:6b6:4e6e:c68c with SMTP id j15-20020a05620a288f00b006b64e6ec68cmr5976735qkp.240.1660400461176; Sat, 13 Aug 2022 07:21:01 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id l1-20020a05620a28c100b006b935e96f0bsm4143306qkp.12.2022.08.13.07.21.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 07:21:00 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-14E81BB0-CE8F-44B8-A0C3-2DE3363EF5C3"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Aug 2022 10:20:59 -0400
Message-Id: <58224CCB-E770-4CB5-ACE3-E5C4C6746A41@gmail.com>
References: <DE568FDD-FF15-4F46-BF42-BF1F471890D1@fugue.com>
Cc: Michael Richardson <mcr@sandelman.ca>, dhcwg@ietf.org
In-Reply-To: <DE568FDD-FF15-4F46-BF42-BF1F471890D1@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: iPad Mail (19G71)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/tqkTA-KfUnPEKdBoxswbo7sk-sA>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 14:21:03 -0000

I understand this “control” difference. But why should a client care whether it gets address A or B? If there is a requirement to provide a client a specific address, DHCPv6 servers support reservations (typically based on client id, DUID, but there are other possibilities). And clients can suggest addresses, and a server generally could allow that address to be used unless there is a specific conflict?

- Bernie

> On Aug 13, 2022, at 10:14 AM, Ted Lemon <mellon@fugue.com> wrote:
> 
> If a client wants to do DNS registration, the DNSSD service registration protocol might be a good option: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/
> 
> As to why not use DHCPv6 IA_NA, the answer is that this allows the DHCP server to control the client’s address, whereas registering the address doesn’t give the DHCP server that sort of control. This is a significant difference, and is why a client implementation might choose to include registration, but not IA_NA allocation.
> 
> Sent from my iPad
> 
>>> On Aug 13, 2022, at 7:43 AM, Bernie Volz <bevolz@gmail.com> wrote:
>>> 
>> 
>> These are great points Michael.
>> 
>> For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues.
>> 
>> If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between?
>> 
>> - Bernie Volz
>> 
>>>> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote:
>>>> 
>>> 
>>> This document seems to require many changes to many systems.
>>> Do I hear that Google is willing to do this for Android?
>>> I am very enthusiastic about having better information.
>>> 
>>> It works only if all the devices implement it, it's not that useful until all
>>> the devices do it.  Until that happens, then it's completely useless to the
>>> helpdesk.
>>> It requires updates to DHCPv6 server, assuming that there is one, which if
>>> you are using SLAAC... you probably don't even have one.
>>> It does not require updates to the core routers, which is the only
>>> interesting part.  {But, in homes and small offices, and remotely supported
>>> small offices with a b2b ISP..., that's all the same openwrt box.}
>>> 
>>> It seems that if one already had an SNMP or YANG/NETCONF feed from the
>>> routers for the Neighbor Entry Cache, that feeding that into the "database"
>>> would be good.
>>> 
>>> Warren eventually says that he thinks this would be *more* complicated, and I
>>> read his slide 10.... and come-on.   You hacked up something that needs to be
>>> clearly coded correctly in the router.  Yes, it's chatty, but it doesn't need
>>> to tell about every state transition.
>>> BUT, even if it did, who cares if you can't read it scrolling on your screen.
>>> That's what the networking monitoring system is for.  Actually, I think you
>>> just proved how easily this could be done even without code changes to the routers.
>>> 
>>> So, I don't think that I agree at all.  The best part about linking it to the NCE
>>> is that if the NCE is bad, overwhelmed or has been forged, then the client
>>> machine probably doesn't get connectivity anyway.  There is some fate sharing here.
>>> 
>>> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay
>>> path.  This is very much akin to the Accounting records that radius sends.
>>> Doing it this way links the v6 address more directly to the MAC address,
>>> while not requiring the host to actually know what it is doing.
>>> 
>>> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security
>>> mechanisms they already have, but I'm not really sure how this should involve
>>> the client system.
>>> 
>>> And...if I was going to upload all the source code, the first thing I'd do is send
>>> one of these messages saying that I'm either the CEO, or the new hire, and then do it.
>>> 
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>>           Sandelman Software Works Inc, Ottawa and Worldwide
>>> _______________________________________________
>>> dhcwg mailing list
>>> dhcwg@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dhcwg
> 
>> _______________________________________________
>> dhcwg mailing list
>> dhcwg@ietf.org
>> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email