Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements

Jen Linkova <furry13@gmail.com> Fri, 09 October 2020 01:34 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF1B83A118B; Thu, 8 Oct 2020 18:34:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ndUx8tYzLFC; Thu, 8 Oct 2020 18:34:09 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A4A03A1190; Thu, 8 Oct 2020 18:33:37 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id d20so9099485qka.5; Thu, 08 Oct 2020 18:33:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LFQ/wft4XptRkyxud8OhaWMv6uY8xoQyZl61oXm5bxA=; b=Y+XV/hQhs74rKdWy2F7H4xdVgRmt4/YjDDA+0+Aygad08+uI+kyxkvU1+iDUQScR97 k3TI6D3xmBOdIUCKwv8pLoo5P+/ZqOhLTL8a+Oj4T3imrcf89pi9CKzIvJPtQca0Y20M FTDtpMiVovkK1m00fMqhYGttXririielVBBc2YGRtIwQnXYw8rws4Ltat8GGADj4tWiD UZqhYAtGWwvp1VqGKpjQeVq2ZRnF1uL7Vr6FqTs0PZyo9hhceJnvJLUyHen61dUXLs5z 8aIyg5iWnW0dpcRA9NjP/Adw/p7IYmPNWe4I96cmDxyD4cdiess2HHe52vSR0ykUyZLq c1LQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LFQ/wft4XptRkyxud8OhaWMv6uY8xoQyZl61oXm5bxA=; b=pBF97/JEMJOEPkyhBxLYaxP4Y59boYz8TAYt2sOeyJIXUuVR3pHXk2ynSomZGgvGPH Q8dCNk3n1IImv1tc5R0MHOHf8MmTk2V2tFaZ9h/f2ho7IVzwhCv7te2A5SPmYgxOX0Vr 7E4K6lUoENKY3/wRxW8G+lyf5KaRX06olKTwBIwnan4hRkPkAw8ccog+QZkb3V2d32ZR nqJhUOkgI+knvW2A5SyXX7boocN4m4HXQcy3sq9SE6PgotQNxuCxH2vJlmuN39XNc1Ri CNKjG+vCvS3FXSvmXV/6pKltRVjooNxdghjXwePb2X31hJJ3iigFtnGaYqVMXvVa8F5D pzdQ==
X-Gm-Message-State: AOAM5328eFwKzS6xxXAgTh+rA7aIWOpC0eo9YdSizt+/PTslbo5oX+qP mK2DFJ8HsPIiD1HIJUblShw5vy9SYJmzM3CDxfA=
X-Google-Smtp-Source: ABdhPJwOD1pPO3Ez5dcaBkdWevjQL+4UiPmvoTPmQTLMm/SNQqUaKkKJW4xzM3gxLhkZjX7lLTHXv4tiRFUy3+sICP8=
X-Received: by 2002:a37:a74e:: with SMTP id q75mr3837880qke.277.1602207215913; Thu, 08 Oct 2020 18:33:35 -0700 (PDT)
MIME-Version: 1.0
References: <5F6947F2-F7DF-4907-8DD5-28C2B20A91DE@gmx.com> <CAFU7BAT87uhUKZM-G9MjCgtmGbdCwXorP3SfMJm7_Ax7pvwDjg@mail.gmail.com> <f2a9e0188cd84f52adce279cfb04cbcc@boeing.com> <D259F559-8528-428A-A9DF-0D9FB07E6BE4@gmx.com> <BN7PR11MB2547029C572CB32F3C593AD7CF0B0@BN7PR11MB2547.namprd11.prod.outlook.com> <ff36a6d9f0834b5bbf331c6c40df16b8@boeing.com> <A0B74F43-07A4-47C2-B773-3F2071CFCED3@cisco.com>
In-Reply-To: <A0B74F43-07A4-47C2-B773-3F2071CFCED3@cisco.com>
From: Jen Linkova <furry13@gmail.com>
Date: Fri, 9 Oct 2020 12:33:24 +1100
Message-ID: <CAFU7BARUKw_c2c9+3k9kJ0UqrATTruGKPGkVb5NPTo=vspb0NA@mail.gmail.com>
To: "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
Cc: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, dhcwg <dhcwg@ietf.org>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Content-Type: multipart/mixed; boundary="000000000000f63ef405b132ef25"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/vzWA8GSFpHZC7czui6Sv8_7nGDs>
Subject: Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2020 01:34:12 -0000

On Fri, Oct 9, 2020 at 11:52 AM Bernie Volz (volz)
<volz=40cisco.com@dmarc.ietf.org> wrote:
>
> And of course connectivity is not going to work even if R-4 rule were not implemented, and seems best to drop packet early?
>
> If you take PD out of the picture and did this same (mis)configuration, what would happen? I was asking earlier about this issue as to what happens with “normal” routing and why this needs to do more or better?

I think there is confusion re: the scenario we are talking about. I've
attached the diagram for the case which concerns me.
So:
- The Relay R has an interface eth0 connected to a switch S.
- Devices A and B are connected to the same switch and using R as a
default gateway.
- The prefix 2001:db8::/56 was delegated to a client A via the relay R.
- R installs a route for 2001:db8::/56 towards A via eth0.
- The device B (which has an address NOT from the delegated prefix,
but from another /64 assigned to that common link, let's sat
2001:db8:cafe::/64) sends a packet to an address from the delegated
prefix (e.g. 2001:db8::42). Why? Well, maybe that address was
dynamically put in DNS. Or discovered by some other means.
- As R is a default router for B (and B has no idea that the shortest
path to 2001:db8::/56 is via A, not R), the packets are sent to R.
- R receives them and checks the routing table. It finds that that
packet needs to be sent back to eth0 towards A.

What I'd expect to happen (with DHCP-PD or without - e.g. if R has a
static route towards A, not a dynamic route produced by PD):
- the packet is sent to A. Well, if A does not have a route to
2001:db8::42 then indeed a routing loop might happen. But if A does
have a route, the packet will be delivered.

What seems to be required by R4:
- R detects that the packet is received via eth0 and needs to be sent
back to eth0. R4 seems to require such packets to be dropped.
So if B would never be able to communicate to any address in the
delegated prefix, right?

Am I missing anything?

> Perhaps the missing piece of the rule is don’t send it back to where it came from, based on link layer addresses (or link if point-to-point).

Yes. If R4 was saying 'drop the packet if it comes from the same
link-layer address you are going to send it back' - it would make
total sense. But I don't think routers do *that*.

>But that seems more like a standard routing rule?


>
> It also seems odd that the rule says:
>          An ICMPv6 Type
>          1, Code 6 (Destination Unreachable, reject route to
>          destination) error message MAY be sent back to the client.
>
> Shouldn’t the ICMPv6 be sent to the sender? In the scenario Jen and you are discussing, there are two clients? So, which client may the ICMPv6 be sent to?
>
> And, perhaps if there is only “the client”, Ian’s case is different?
>
> - Bernie
>
> > On Oct 8, 2020, at 5:54 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
> >
> > Bernie,
> >
> > Let's say two clients A and B are connected to a switch which is then connected to
> > relay R. Clients A and B receive PDs from the DHCPv6 service that are relayed by
> > R, and R establishes routes for the delegated prefixes A and B. A and B both regard
> > R as a default router.
> >
> > Now, suppose two things:
> >
> > - client B discovers through some means (e.g., DNS) the IP address of a service
> >   endpoint within prefix A
> > - client A somehow "forgets" that it received the prefix delegation A
> >
> > Now, client B sends packets destined to an address in A to R, and R forwards the
> > packets to client A since it still has a route for A. When the packets arrive at A,
> > however, A forwards them back to R since it has "forgotten" that it holds the
> > prefix A. When R receives the packets from A with destination address also
> > from prefix A, it must drop them instead of forwarding them back to A to
> > avoid looping.
> >
> > Note: If R had sent a Redirect to B, the same scenario would play out except
> > that B would send its subsequent packets directly to A. But then, A would again
> > still forward them to R which must drop instead of forwarding back to A.
> >
> > Fred
> >
> >> -----Original Message-----
> >> From: Bernie Volz (volz) [mailto:volz@cisco.com]
> >> Sent: Thursday, October 08, 2020 2:19 PM
> >> To: ianfarrer@gmx.com; Templin (US), Fred L <Fred.L.Templin@boeing.com>
> >> Cc: dhcwg <dhcwg@ietf.org>rg>; 6man <ipv6@ietf.org>rg>; v6ops list <v6ops@ietf.org>
> >> Subject: RE: [v6ops] [EXTERNAL] Re: [dhcwg] Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-
> >> requirements
> >>
> >>
> >> Is this a model where in your Figure 1, you have a switch between the PD Client and Delegating Relay and you might have other
> >> devices off that switch?
> >>
> >> In that case, why would any of the devices off that switch be using the prefix given the PD Client? How would they learn this? I don't
> >> think the PD Client nor Delegating Relay should be doing RAs with the PD prefix in them (or a sub-prefix).
> >>
> >> If the PD Client is doing that, then any devices off the switch would be using it as the default router for that prefix and not the
> >> delegating relay? And, hence no traffic should be doing to the delegating relay with the PD destination address.
> >>
> >> Or, do I have this model wrong?
> >>
> >> - Bernie
> >>
> >> -----Original Message-----
> >> From: v6ops <v6ops-bounces@ietf.org> On Behalf Of ianfarrer@gmx.com
> >> Sent: Thursday, October 8, 2020 12:16 PM
> >> To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> >> Cc: dhcwg <dhcwg@ietf.org>rg>; 6man <ipv6@ietf.org>rg>; v6ops list <v6ops@ietf.org>
> >> Subject: Re: [v6ops] [EXTERNAL] Re: [dhcwg] Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-
> >> requirements
> >>
> >> Hi Fred / Jen
> >>
> >> Please see inline below.
> >>
> >> Thanks,
> >> Ian
> >>
> >>>> On 8. Oct 2020, at 17:51, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
> >>>
> >>> Jen,
> >>>
> >>>> What would happen if the *second* device sends traffic towards the
> >>>> delegated prefix? As that device is usig the relay as its default
> >>>> gateway, the traffic would be sent there.
> >>>> If I read the draft correctly, instead of forwarding the traffic and
> >>>> maybe sending the redirect, the relay is expected to drop it?
> >>>
> >>> The way that I interpret it, when the second device sends the traffic
> >>> to the relay, the relay would still forward the traffic to the client,
> >>> which would then forward the traffic back to the relay, then at that
> >>> point the relay would drop the traffic. Unless the second node somehow
> >>> has a way of knowing that the client has entered into an amnesiac
> >>> state and then does a malicious "flood-ping", we can expect
> >>> applications to quickly learn that the IP addresses of the client are
> >>> no longer reachable. Plus, these amnesiac conditions can be expected
> >>> to be rare and transient; not steady-state.
> >>>
> >>> Fred
> >>
> >> [if - If I understand Jen’s question correctly, it’s related to the ‘working’ case.
> >> i.e. the client has completed PD, installed the routes and the relay has the relevant lease info/routes.
> >>
> >> When the second device sends via the default route with a destination address in the delegated prefix, R-4 in it’s current form would
> >> cause the traffic to be dropped.
> >> As the relay doesn’t forward the packet, it can’t send a redirect (per RFC4681), so the second device can’t forward.
> >>
> >> Looking at this, I think there are deployment scenarios where R-4 isn’t going to work.
> >>
> >> My suggestion would be to make R-4 disable-able.]
> >>
> >>
> >>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Jen Linkova
> >>>> Sent: Wednesday, October 07, 2020 6:25 PM
> >>>> To: ianfarrer@gmx.com
> >>>> Cc: dhcwg <dhcwg@ietf.org>rg>; v6ops list <v6ops@ietf.org>rg>; 6man
> >>>> <ipv6@ietf.org>
> >>>> Subject: [EXTERNAL] Re: [dhcwg] Question to DHCPv6 Relay Implementors
> >>>> regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements
> >>>>
> >>>> This message was sent from outside of Boeing. Please do not click
> >>>> links or open attachments unless you recognize the sender and know that the content is safe.
> >>>>
> >>>>
> >>>> On Wed, Oct 7, 2020 at 9:25 PM <ianfarrer@gmx.com> wrote:
> >>>>> We are currently finishing WGLC for this draft. It describes
> >>>>> requirements for a 'DHCPv6 Delegating Relay' - this is a router
> >>>>> functioning
> >>>> as the L3 edge and DHCPv6 relay (only) with prefix delegation. This
> >>>> is a common deployment scenario, but RFC3633/8415 only really
> >>>> describes PD using a Delegating Router - i.e the L3 edge also
> >>>> functions as a DHCPv6 server with no relay. When the relay and server
> >>>> functions are performed by separate devices a number of problems with
> >>>> how relays behave have
> >>>>> been observed, so this document addresses them.
> >>>>>
> >>>>> During WGLC for this, Ole raised a comment related to one of the routing requirements:
> >>>>>
> >>>>> R-4:    If the relay has learned a route for a delegated prefix via a
> >>>>>          given interface, and receives traffic on this interface with
> >>>>>          a destination address within the delegated prefix (that is
> >>>>>          not an on-link prefix for the relay), then it MUST be
> >>>>>          dropped.  This is to prevent routing loops.  An ICMPv6 Type
> >>>>>          1, Code 6 (Destination Unreachable, reject route to
> >>>>>          destination) error message MAY be sent back to the client.
> >>>>>          The ICMP policy SHOULD be configurable.
> >>>>>
> >>>>> The problem that this is trying to solve is:
> >>>>>
> >>>>> 3.5.  Forwarding Loops between Client and Relay
> >>>>
> >>>> I might be missing smth but...
> >>>> Let's say I have a relay and it's 'south' (client-facing) interface
> >>>> is connected to a switch. The client AND second device (another
> >>>> router or a host) are connected to the same segment.
> >>>> The client gets a prefix, the relay 'learned' (or shall we call it
> >>>> 'install'?) the route for the delegated prefix pointing to its 'south'
> >>>> interface with the client address as a next-hop.
> >>>> What would happen if the *second* device sends traffic towards the
> >>>> delegated prefix? As that device is usig the relay as its default
> >>>> gateway, the traffic would be sent there.
> >>>> If I read the draft correctly, instead of forwarding the traffic and
> >>>> maybe sending the redirect, the relay is expected to drop it?
> >>>>
> >>>> --
> >>>> SY, Jen Linkova aka Furry
> >>>>
> >>>> --------------------------------------------------------------------
> >>>> IETF IPv6 working group mailing list
> >>>> ipv6@ietf.org
> >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>> --------------------------------------------------------------------
> >>>
> >>
> >> _______________________________________________
> >> v6ops mailing list
> >> v6ops@ietf.org
> >> https://www.ietf.org/mailman/listinfo/v6ops
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg



-- 
SY, Jen Linkova aka Furry