Re: [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)

"Bernie Volz (volz)" <volz@cisco.com> Wed, 27 May 2020 20:56 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA5753A0B3B; Wed, 27 May 2020 13:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=hRDDldO5; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=rojnbZ2h
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gfo7HP5qmtG; Wed, 27 May 2020 13:56:09 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA4493A0BD1; Wed, 27 May 2020 13:56:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7140; q=dns/txt; s=iport; t=1590612969; x=1591822569; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=k84KUWciiBGW2vm8M4vPg5a9k4QuZqQOS4scxv9HMjc=; b=hRDDldO5UgOFVvele4hU/Ch1ivilfSQ96U8QKzIUs0wjPnaxFK2i5O/i uq/ixxXlid0x0uUp1CxgJFoT4cKPxTIz9XoChkp9GahytlvtjFrDJ3AJ0 AkoELf1wMpybm3Tb1No0kjME+6vjrxLDwwHSvDB/WrNY3hQLiZjf+P96t M=;
IronPort-PHdr: =?us-ascii?q?9a23=3AzBZHLBdzvQux84MBu7SqcbgklGMj4e+mNxMJ6p?= =?us-ascii?q?chl7NFe7ii+JKnJkHE+PFxlwaQA9fY9vdNkeuQta38CiQM4peE5XYFdpEEFx?= =?us-ascii?q?oIkt4fkAFoBsmZQVb6I/jnY21ffoxCWVZp8mv9PR1TH8DzNF7Pp3So7HgUFw?= =?us-ascii?q?msfQZwL/7+T4jVicn/3uuu+prVNgNPgjf1Yb57IBis6wvLscxDiop5IaF3wR?= =?us-ascii?q?zM8XY=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BbAQDh0s5e/5FdJa1mHAEBAQEBAQc?= =?us-ascii?q?BARIBAQQEAQFAgTkEAQELAYFPIy8Hb1gvLAqEG4NGA40/iXqOSIFCgRADVQs?= =?us-ascii?q?BAQEMAQEnBgIEAQGERAIXgX8CJDcGDgIDAQELAQEFAQEBAgEGBG2FVwyFcgE?= =?us-ascii?q?BAQEDEhERDAEBNwELBAIBCBEEAQEDAiYCAgIfERUICAIEAQ0FCBMHgwWCSwM?= =?us-ascii?q?uAQ6kQAKBOYhhdoEygwEBAQWBMQEBEz8CgyUNC4IOCYEOKgGCY4lgGoIAgRF?= =?us-ascii?q?Dgk0+gh5JAgECAYEsAQwGAQkaFYJ9M4Itjjgjgk8BPKECSgqCVIgqi1kEhHa?= =?us-ascii?q?CZIESh3GSIZBSiXCCTZEsAgQCBAUCDgEBBYFpI2ZYEQdwFYMkCUcYDZBABwU?= =?us-ascii?q?XFYM6hRSFQnQCCyoCBggBAQMJfIl0gTQBgQ8BAQ?=
X-IronPort-AV: E=Sophos;i="5.73,442,1583193600"; d="scan'208";a="486103041"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 27 May 2020 20:56:07 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 04RKu3Us005230 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 27 May 2020 20:56:07 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 27 May 2020 15:56:05 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 27 May 2020 15:56:02 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 27 May 2020 16:56:02 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Gc6iuKzo4gfHIig7RnG5iAWPb10QZAf9wljDoFcs0A3Rmsgvs9iTGKpyiNO7+H1uEhNF2XMCMwJ0sfE/FtIgf6aXW5ZjsojGbP6C+jQeZloY+m0pG+Dfvvi4AJ77x3VQOfKS7Kdw361E8Dr6Aeha29vFkexlWiNzmr/muH2eAqe21+5cIxBtjkOGGUc9r7dS/efUS5CoYPFq62jM/EP7QIfb/sDWo9H/FSbqRa9lwev65+B1UD54AqhH1eQ3n9Vz1ZEtXO1Cm63eOyELXpZpwQxJ+sipJlNlkcf3wK+q1RkQTKEmsInliIkfi0u4++imORJfqK1SGE5ikODZWq2qSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=k84KUWciiBGW2vm8M4vPg5a9k4QuZqQOS4scxv9HMjc=; b=XLlaVPOWpsw5hAlWeyFD9w/lFvuYY8N6/MatoD8undktcOqvIWUvTnzBmx+UEdCEBF8YchepyK2307PaKLaR4D1zCTR1Ouho/6Ky1DQ1sY0SyVrHHooH0IbZLsEWJHy3TQauw0W/ohuFmqyfgMEXuV+mz6Lk423Q481Ug3/bHqQKun7ToPj0k3yKkPWsGIDtFQxk0O7EiXkfIdpJS2HXVEDTbvv/yoV8JtuWPv25m04Gz6aV1kewsrcWcIFC4rvevgO2GSiIBiwfcyDEXZbl3xkCTOWON8bTh8IFAnn6oIf1QmWtLfri2QRBvEeopLndNy2wuLq52amPIqjqLFEZag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=k84KUWciiBGW2vm8M4vPg5a9k4QuZqQOS4scxv9HMjc=; b=rojnbZ2hx4Q/utS8g5S3FwX3ibnrcFlAteO5fPtGViAYT6axKpVlZKoMKDooMs262WvubsCFqc6ru4HZEM7l7UL1FbvflLMlvAXkQBXpe2Xd7XbqjHyFpwWOgrA4Ba1JB5PEqtBWtluM/vsIfuTwT7WacME50w3agAxcdb4wp0Q=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN7PR11MB2692.namprd11.prod.outlook.com (2603:10b6:406:aa::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.23; Wed, 27 May 2020 20:56:00 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::7d1c:98b:2131:d35]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::7d1c:98b:2131:d35%3]) with mapi id 15.20.3045.016; Wed, 27 May 2020 20:56:00 +0000
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dhc-mac-assign@ietf.org" <draft-ietf-dhc-mac-assign@ietf.org>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, Ian Farrer <ianfarrer@gmx.com>
Thread-Topic: Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
Thread-Index: AQHWNGUY/+JTHUodzUmsx4XyY7vReKi8ZfBA
Date: Wed, 27 May 2020 20:55:59 +0000
Message-ID: <BN7PR11MB254753F131F4298595002766CFB10@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <159061117184.12588.3496366666468663429@ietfa.amsl.com>
In-Reply-To: <159061117184.12588.3496366666468663429@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: kumari.net; dkim=none (message not signed) header.d=none;kumari.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.66]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2c205a7a-6b82-48ea-32e0-08d802805c54
x-ms-traffictypediagnostic: BN7PR11MB2692:
x-microsoft-antispam-prvs: <BN7PR11MB2692A8B47C7872FAA0B0D37DCFB10@BN7PR11MB2692.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 04163EF38A
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pFKCWuu8PjSI8ZUvWYqH0fQTT8+YE5ywP0enpqvWySK9TzWc0aMMu9iZdsx10FSnQEuyyV8HLBpyncf+crZ6rUVunlCAuduRxZlxqoeeLJXXqWn1fl5E6q1R83/hIzJbtYVzYOYrBhw902ZWAZ6M1pEYkauSypJwAeV4J95R9OIYVRYv8M6oCQy+Orzj9kf2FU17wn8b5zLEsb7B4JlxDCv1Cvcao1abKErd68ZtaHLGN11LeE4TFAuqLkQaC9b5I+Ghoq9fschI08XJyYUhBEGg3c4p4a4rIoLm19N4S5g7WhXknnFjfS0Uo+eHMX6Fg/LO/NElZmzQy1qMOilvY7peoGbzKa3xz44vNOyZtqEpEuHWt+aLwq6/gA3dKdTNseRJmVaiHZY6OHbXEwY2MNzPdYF+SJPS2TLDfjWqRIU2/pvk1IvTLdVuch0mhza+GIKlE1nLRz5/WT0ucu+4Tw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2547.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(366004)(346002)(39860400002)(376002)(136003)(8676002)(86362001)(33656002)(26005)(6506007)(186003)(52536014)(8936002)(53546011)(7696005)(55016002)(71200400001)(9686003)(2906002)(66476007)(64756008)(66556008)(83380400001)(66446008)(966005)(5660300002)(76116006)(66946007)(316002)(54906003)(110136005)(478600001)(4326008)(518174003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Q+A/6eRDD5rmd4r1jCxHFQ7lmF+/EL+8nE3C1mxSG6Tm9ztruO5sUdtFLv0kzYBKgMlOO+xLYjToZnrpZjul6JR7WBD3d00EwaUAwjR9qr1M3joiAZVSIadKS3H3LA3j06VujdZsN98uCthT4Tw2tVRXLCSJ0/vR/BvRurQLz7qrMog5G3VS4dVU2QJS0Q1gp0yGLTPhYp6n5yrCUpg9QJrVKd7HIT91Jt0plj1EOwWQvcfeDj+0DVVQMpUHS5PEU2Zl1fFEclvGPhJdSUYHPc44HAQEsoc3nb0TYl3XlZQULk+HnnOPhYmVDjSsENcWgC0VXtRtTkGEhX9cbL6+mlHbkb0EXnUP0JuE1N8h948+cDEtNynFYYu5RlUkFLKbQfvmEr8790jp6f+IC3dmSVeIWCbiIjIxUjYfOC/7TqFfY1hLvpCzW3F/AsL7wCQ4Lyx/lBO4hAoF3Osncy9J1FomVN3BviyYljLolEuEXuizbYUkv+JAZ6ny486h8owS
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 2c205a7a-6b82-48ea-32e0-08d802805c54
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 May 2020 20:55:59.9407 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OCVB5IZMao2bW1y+Q5dGEjPPkNeZVcAny+GlMkQHoXMeJq2olAcHpJ3iMpcb5Zs4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2692
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.13, xch-rcd-003.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/y1FPh2jTYV8IiHIB7rhhdWjBle8>
Subject: Re: [dhcwg] Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 20:56:11 -0000

Hi Warren:

Regarding the DISCUSS, that may be an item to point out in the draft (that in some cases a change in mac-address may have issues as it may be administratively prohibited to restricted). Perhaps adding an additional paragraph such as the following in Section 4.2 (Direct client mode scenario) would address this?

	Also, a client that operates as above may run into issues if the switch is
	is connected to prohibits or restricts link-layer address changes. This may
	limit where this capability can be used, or it may require the administrator
	to adjust the configuration of the switch(es) to allow a change in address.

Thanks for finding this, no one else (as far as I recall) pointed out this issue during the documents development.

For the comment regarding limits, we usually do avoid them as we consider those server policy. But perhaps adding the following to Section 13 (Security Considerations) would be useful:

	Server implementations SHOULD consider configuration of the maximum number
	of addresses to allocate (both in a single request and in total for a client).
	However, note that this does not prevent a bad client actor from pretending to
	be many different clients and consuming all available addresses.

And, thanks for the " Thank you for writing this -- I *do* like this document, and agree that it solves a real problem." It was Ralph Droms and Russ Housley that originally suggested some of us work on this as part of the IEEE/IETF liaison activity as IEEE was looking for a solution. Tomek (co-author) and I did present to an IEEE RAN meeting and they were supportive of this work.

- Bernie

-----Original Message-----
From: Warren Kumari via Datatracker <noreply@ietf.org> 
Sent: Wednesday, May 27, 2020 4:26 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dhc-mac-assign@ietf.org; dhc-chairs@ietf.org; dhcwg@ietf.org; Tomek Mrugalski <tomasz.mrugalski@gmail.com>om>; Ian Farrer <ianfarrer@gmx.com>om>; ianfarrer@gmx.com
Subject: Warren Kumari's Discuss on draft-ietf-dhc-mac-assign-06: (with DISCUSS and COMMENT)

Warren Kumari has entered the following ballot position for
draft-ietf-dhc-mac-assign-06: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dhc-mac-assign/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Be ye not afraid -- these should be easy to address.

I have some concerns about this document -- much of my unease isn't specifically about the document itself, but rather the impact that deploying this on a wide scale may create. Much of my concerns can probably be addressed by sprinkling on some weasel-words / "you could shoot yourself in the foot if not careful" language.

Unless I've horribly misunderstood, in the direct client mode, a device comes up, connects to a switch and then changes its MAC address to the DHCP assigned one. This may interact poorly with: a: switches with small CAM tables (sometimes deployed in DCs) b: devices with configured maximum MACs per port, common in enterprises (e.g:
https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/switchport-port-security-maximum.html
) c: 802.1X (which is often configured to only allow a single MAC per interface / VLAN) d: switches which do things like DHCP snooping. Again, I do realize that most of these issues are not directly the result of this technique, but implementing / deploying this makes it more likely that devices will come up with a temp address and then pivot to an assigned one, and I'd like to see some operational warnings...


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for writing this -- I *do* like this document, and agree that it solves a real problem (e.g:
http://grouper.ieee.org/groups/802/PrivRecsg/email/msg00164.html ), but would like to make sure that it is deployable without causing sadness...

I think it would be useful to also add some text around policy limits / DoS.
As examples, would you expect that this would be enabled on "regular" user interfaces (e.g at my local coffee shop), or is it more designed for datacenters and IoT VLANs? Either way, should a device be able to ask for
00:00:00:00:00:01 and 2^48-2 addresses? The document does say things like: "In particular, the server may send a different starting address than requested, or grant a smaller number of addresses than requested.", but it might be nice to also include something like "implementations should allow configuration of the maximum number of addresses to allocate" or something similar (yes, an attacker could keep coming back and looking like a new device, but...)