[dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

Michael Richardson <mcr@sandelman.ca> Sat, 13 August 2022 01:03 UTC

From: Michael Richardson <mcr@sandelman.ca>
To: dhcwg@ietf.org
In-Reply-To: <20220813011208.08A4A18017@tuna.sandelman.ca>
References: <20220813011208.08A4A18017@tuna.sandelman.ca>
Date: Fri, 12 Aug 2022 21:03:39 -0400
Message-ID: <4190.1660352619@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ujVv8W_nYnrHp97DAoA0z8Zd8b4>
Subject: [dhcwg] draft-wkumari-dhc-addr-notification and the secops problem

This document seems to require many changes to many systems.
Do I hear that Google is willing to do this for Android?
I am very enthusiastic about having better information.

It works only if all the devices implement it; it's not that useful until all
the devices do it.  Until that happens, it's completely useless to the
helpdesk.
It requires updates to the DHCPv6 server, assuming that there is one; if
you are using SLAAC... you probably don't even have one.
It does not require updates to the core routers, which is the only
interesting part.  {But, in homes and small offices, and remotely supported
small offices with a b2b ISP..., that's all the same openwrt box.}

It seems that if one already had an SNMP or YANG/NETCONF feed from the
routers for the Neighbor Entry Cache, feeding that into the "database"
would be good.

Warren eventually says that he thinks this would be *more* complicated, and I
read his slide 10.... and come on.   You hacked up something that needs to be
clearly coded correctly in the router.  Yes, it's chatty, but it doesn't need
to tell about every state transition.
BUT, even if it did, who cares if you can't read it scrolling on your screen.
That's what the network monitoring system is for.  Actually, I think you
just proved how easily this could be done even without code changes to the routers.

So, I don't think that I agree at all.  The best part about linking it to the NCE
is that if the NCE is bad, overwhelmed or has been forged, then the client
machine probably doesn't get connectivity anyway.  There is some fate sharing here.

Another way would be to send the proposed DHCPv6 message along the DHCPv6-relay
path.  This is very much akin to the Accounting records that radius sends.
Doing it this way links the v6 address more directly to the MAC address,
while not requiring the host to actually know what it is doing.

As Lorenzo says in the chat, it needs to be tied in "whatever" L2 security
mechanisms they already have, but I'm not really sure how this should involve
the client system.

And...if I were going to upload all the source code, the first thing I'd do is send
one of these messages saying that I'm either the CEO, or the new hire, and then do it.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
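The alternative the message sketches, pulling the routers' Neighbor Cache Entries into the helpdesk "database" rather than depending on a client-side DHCPv6 notification, as an added example that is not code from the post, from draft-wkumari-dhc-addr-notification, or from any router vendor. It parses the Linux `ip -6 neigh show` text form (a real deployment would consume the SNMP or YANG/NETCONF feed the post mentions; the line format is an assumption about that command's output) and only records entries whose NUD state shows the router actually resolved a link-layer address, which is the fate sharing the post points out: an INCOMPLETE or FAILED entry gives no mapping, and a host stuck there has no connectivity anyway. The sample dump is constructed.

```python
"""Turn router Neighbor Cache Entries into an address-to-MAC lookup for the helpdesk.

Added example, not code from the mailing-list post or from
draft-wkumari-dhc-addr-notification. Input is assumed to be
`ip -6 neigh show` text; all sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4861 NUD states in which the router holds a link-layer address it has
# confirmed at least once. INCOMPLETE and FAILED entries carry no usable
# mapping, and a host stuck there has no connectivity anyway (fate sharing),
# so they are only counted.
USABLE_STATES = {"PERMANENT", "REACHABLE", "STALE", "DELAY", "PROBE"}

# One line of `ip -6 neigh show` (assumed format; lladdr and the "router"
# flag are optional, so unresolved entries still match).
NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f:.]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]+))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)$"
)


@dataclass(frozen=True)
class NeighborEntry:
    address: str
    interface: str
    mac: Optional[str]
    state: str


def parse_neigh_line(line: str) -> Optional[NeighborEntry]:
    """Parse one neighbor-cache line; return None for lines that do not match."""
    m = NEIGH_RE.match(line.strip())
    if m is None:
        return None
    mac = m.group("mac")
    return NeighborEntry(
        address=m.group("addr").lower(),
        interface=m.group("dev"),
        mac=mac.lower() if mac else None,
        state=m.group("state"),
    )


@dataclass
class AddressDatabase:
    """The helpdesk's "database": IPv6 address -> entry, plus a MAC index."""
    by_address: Dict[str, NeighborEntry]
    by_mac: Dict[str, List[str]]
    skipped: int  # entries with no confirmed link-layer address

    def who_has(self, address: str) -> Optional[str]:
        """Answer the helpdesk question: which MAC currently holds this address?"""
        entry = self.by_address.get(address.lower())
        return entry.mac if entry else None

    def addresses_for(self, mac: str) -> List[str]:
        """All addresses the router has seen for one MAC (privacy addresses give several)."""
        return sorted(self.by_mac.get(mac.lower(), []))


def build_database(neigh_output: str) -> AddressDatabase:
    """Load one router's neighbor cache dump into the lookup structures."""
    by_address: Dict[str, NeighborEntry] = {}
    by_mac: Dict[str, List[str]] = {}
    skipped = 0
    for line in neigh_output.splitlines():
        entry = parse_neigh_line(line)
        if entry is None:
            continue
        if entry.state not in USABLE_STATES or entry.mac is None:
            skipped += 1
            continue
        by_address[entry.address] = entry
        by_mac.setdefault(entry.mac, []).append(entry.address)
    return AddressDatabase(by_address, by_mac, skipped)


# Constructed sample dump: one router, one host with two addresses, and one
# neighbor the router never managed to resolve.
SAMPLE_NEIGH_OUTPUT = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8::10 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:0:0:a1b2:c3d4:e5f6:0001 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
2001:db8::99 dev eth0  FAILED
"""

if __name__ == "__main__":
    db = build_database(SAMPLE_NEIGH_OUTPUT)
    print("2001:db8::10 ->", db.who_has("2001:db8::10"))
    print("00:11:22:33:44:66 ->", db.addresses_for("00:11:22:33:44:66"))
    print("entries without a usable mapping:", db.skipped)
```

Periodically re-running `build_database` over each router's cache and diffing the result against the previous snapshot is the "chatty" feed the post describes; the state filter is what keeps a forged or overwhelmed cache from producing confident-looking but useless records.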