Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
Bernie Volz <bevolz@gmail.com> Sat, 13 August 2022 14:21 UTC
Return-Path: <bevolz@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93B11C157B41 for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iigho6ayuhPe for <dhcwg@ietfa.amsl.com>; Sat, 13 Aug 2022 07:21:02 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA529C157B37 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:21:02 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id b2so2704871qkh.12 for <dhcwg@ietf.org>; Sat, 13 Aug 2022 07:21:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=iyaq9t5vU7HGI6ldsDWZ1778NIMuyab7u8U2Htw2tk4=; b=QQrjlMSzcircv/y3TNJYDORYbYrvbb0l3pTTVKGEeSwxfKev0RJQ0sq8Rmcwv1YUGz V+rsoCty5LfLXPMHnSrAk8DU83zUWuc2qeTmaOKFGgV1MxB4xmG90mbDWbDmngJRcUN8 aS+XdV5PZaGsPFbYh+A7ME8ZzsB5640sBekAB0zQ+YGlmKqgsBOlXAgMt0l7dxBxMjBM PKg8sbIhZHgJA8OGtzMjxAdGUWsu0QalKTpjh9ZbyZHYud8sMi3hH27/MDvUb4iICkBL e6w4EBp8WiNE/bxhAfvYuTgRbbRgcePt+IxhBtBt5VS5muYH7ag+hwscR+AFVCqN7LQa 8v9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=iyaq9t5vU7HGI6ldsDWZ1778NIMuyab7u8U2Htw2tk4=; b=jNaacYn9HbSle3sPBF2HPTANCeQe5YHDVm9PeUrG+YPd/gkb0XZ6Njj2G6I0lGqm7e vzkYMgoBO6XYkZeWogmY3dB+7CWyUmeGJaA2HhIQK7ubJALruOmOyDsnbzlMhNXJ4eOk mnlEKmqJuRc8YXIHvAuEkVWKjajBvre6vD6kfzJlIvvk4j6t9OHwTvMBp9THKr9PHeKI uXsoX0H7vz7CK9D6VRdzEx/NMvU6gTQ/hGDoxNxxEmgykRddLJzkPDLc2nVT9cNes49q ivqG2aH3dYlrUDqqydrbVgjGavsLvUHjAJFiXbKKGzPajeWF+2NLFlP9lBgIX9inldoh JGWw==
X-Gm-Message-State: ACgBeo3I0iHexFWkF70jT5wEs95kHTapOG/jDZ/lEgqpoMMfENpKgbRx Nkp/FgPnc3hQkdFtifcxcLSt1aaJZQ==
X-Google-Smtp-Source: AA6agR7EDvuCc4yJj48xcRPUQA+WyqLMHiWrJTqRoP25faohxO+yyIBrYI8a4ILz7Bw4/idiDIu5Gw==
X-Received: by 2002:a05:620a:288f:b0:6b6:4e6e:c68c with SMTP id j15-20020a05620a288f00b006b64e6ec68cmr5976735qkp.240.1660400461176; Sat, 13 Aug 2022 07:21:01 -0700 (PDT)
Received: from smtpclient.apple (d-24-233-121-124.nh.cpe.atlanticbb.net. [24.233.121.124]) by smtp.gmail.com with ESMTPSA id l1-20020a05620a28c100b006b935e96f0bsm4143306qkp.12.2022.08.13.07.21.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Aug 2022 07:21:00 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-14E81BB0-CE8F-44B8-A0C3-2DE3363EF5C3"
Content-Transfer-Encoding: 7bit
From: Bernie Volz <bevolz@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Aug 2022 10:20:59 -0400
Message-Id: <58224CCB-E770-4CB5-ACE3-E5C4C6746A41@gmail.com>
References: <DE568FDD-FF15-4F46-BF42-BF1F471890D1@fugue.com>
Cc: Michael Richardson <mcr@sandelman.ca>, dhcwg@ietf.org
In-Reply-To: <DE568FDD-FF15-4F46-BF42-BF1F471890D1@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: iPad Mail (19G71)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/tqkTA-KfUnPEKdBoxswbo7sk-sA>
Subject: Re: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 14:21:03 -0000
I understand this “control” difference. But why should a client care whether it gets address A or B? If there is a requirement to provide a client a specific address, DHCPv6 servers support reservations (typically based on client id, DUID, but there are other possibilities). And clients can suggest addresses, and a server generally could allow that address to be used unless there is a specific conflict? - Bernie > On Aug 13, 2022, at 10:14 AM, Ted Lemon <mellon@fugue.com> wrote: > > If a client wants to do DNS registration, the DNSSD service registration protocol might be a good option: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/ > > As to why not use DHCPv6 IA_NA, the answer is that this allows the DHCP server to control the client’s address, whereas registering the address doesn’t give the DHCP server that sort of control. This is a significant difference, and is why a client implementation might choose to include registration, but not IA_NA allocation. > > Sent from my iPad > >>> On Aug 13, 2022, at 7:43 AM, Bernie Volz <bevolz@gmail.com> wrote: >>> >> >> These are great points Michael. >> >> For the earlier (circa 2014) draft that was similar, draft-ietf-dhc-addr-registration, the reason a client would have implemented it was to get its information in DNS (as there would presumably be a reason it needed this, such as to allow other devices to communicate with it). With this new draft, there is really zero benefit to the client. I’m not promoting a shift to this DNS registration as that had its own issues. >> >> If you want “notification”, why not just require DHCPv6 for address assignments? If you don’t care or are using other tools, use SLAAC. Do we really need something in between? >> >> - Bernie Volz >> >>>> On Aug 12, 2022, at 9:03 PM, Michael Richardson <mcr@sandelman.ca> wrote: >>>> >>> >>> This document seems to require many changes to many systems. >>> Do I hear that Google is willing to do this for Android? >>> I am very enthusiastic about having better information. >>> >>> It works only if all the devices implement it, it's not that useful until all >>> the devices do it. Until that happens, then it's completely useless to the >>> helpdesk. >>> It requires updates to DHCPv6 server, assuming that there is one, which if >>> you are using SLAAC... you probably don't even have one. >>> It does not require updates to the core routers, which is the only >>> interesting part. {But, in homes and small offices, and remotely supported >>> small offices with a b2b ISP..., that's all the same openwrt box.} >>> >>> It seems that if one already had an SNMP or YANG/NETCONF feed from the >>> routers for the Neighbor Entry Cache, that feeding that into the "database" >>> would be good. >>> >>> Warren eventually says that he thinks this would be *more* complicated, and I >>> read his slide 10.... and come-on. You hacked up something that needs to be >>> clearly coded correctly in the router. Yes, it's chatty, but it doesn't need >>> to tell about every state transition. >>> BUT, even if it did, who cares if you can't read it scrolling on your screen. >>> That's what the networking monitoring system is for. Actually, I think you >>> just proved how easily this could be done even without code changes to the routers. >>> >>> So, I don't think that I agree at all. The best part about linking it to the NCE >>> is that if the NCE is bad, overwhelmed or has been forged, then the client >>> machine probably doesn't get connectivity anyway. There is some fate sharing here. >>> >>> Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay >>> path. This is very much akin to the Accounting records that radius sends. >>> Doing it this way links the v6 address more directly to the MAC address, >>> while not requiring the host to actually know what it is doing. >>> >>> As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security >>> mechanisms they already have, but I'm not really sure how this should involve >>> the client system. >>> >>> And...if I was going to upload all the source code, the first thing I'd do is send >>> one of these messages saying that I'm either the CEO, or the new hire, and then do it. >>> >>> -- >>> Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) >>> Sandelman Software Works Inc, Ottawa and Worldwide >>> _______________________________________________ >>> dhcwg mailing list >>> dhcwg@ietf.org >>> https://www.ietf.org/mailman/listinfo/dhcwg > >> _______________________________________________ >> dhcwg mailing list >> dhcwg@ietf.org >> https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-wkumari-dhc-addr-notification and t… Michael Richardson
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Ted Lemon
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Ted Lemon
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Bernie Volz
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Lorenzo Colitti
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Ms. Li HUANG
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… Michael Richardson
- Re: [dhcwg] draft-wkumari-dhc-addr-notification a… David Farmer