Re: [dhcwg] whether/how to support Confirm with sedhcpv6

Ted Lemon <mellon@fugue.com> Tue, 28 March 2017 15:28 UTC

From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <CAJE_bqf1QijOkv4L=YumwH+gxSh5QRxkukAN-b+cgE7zabTmOA@mail.gmail.com>
Date: Tue, 28 Mar 2017 10:28:34 -0500
Cc: "Bernie Volz (volz)" <volz@cisco.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Message-Id: <4512A1F7-A480-4250-BE57-FCE822EAC890@fugue.com>
References: <CAJE_bqetH-MvY1RRGXvyy3t8WDa9AUDcvXM6jW0aGP=uJC60hg@mail.gmail.com> <3566F64B-D709-4DF3-9A5F-7648DA8FC45E@cisco.com> <CAJE_bqf1QijOkv4L=YumwH+gxSh5QRxkukAN-b+cgE7zabTmOA@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/yd2zUKHufYFZHRRvwjkHprV8sjU>

Probably the most expedient way to handle this would be to create a Confirm, sign and encrypt it, and then wrap it the same way we wrap relay messages, including it in an Information-request as in the regular IR/Solicit/Confirm process for secure DHCP.

The server on the local wire either supports the wrapping and can decrypt, supports it but cannot decrypt, or doesn't support it and hence ignores it. This allows the client to send a single packet that will always elicit a response, either an answer to the question asked in the Information-request, or else a confirmation that it's okay to continue using the address.

The hard question is, what do you do if you get an answer to the Information-request, rather than to the Confirm? But I think that's straightforward: you wait a (short) while to see if you get an answer to the Confirm; if you do, you take that; otherwise you take the answer from the Information-request.
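The exchange sketched above, as an added simulation that is not part of the original message and not code from the sedhcpv6 draft or any DHCP implementation. It models the three server behaviours (decrypts the wrapped Confirm, supports the wrapping but holds the wrong key, ignores the option entirely) and the client rule of preferring an authenticated answer to the Confirm over the Information-request answer. Assumptions: the sign-and-encrypt step is stood in for by HMAC-SHA256 over a hash-derived keystream under a pre-shared key (a toy construction, not the draft's public-key scheme); the option names are placeholders since the draft's option codes were unassigned at the time; a server that can decrypt answers the Confirm with a sealed Reply whose transaction id matches the inner Confirm, mirroring Relay-reply.

```python
"""Simulation of a Confirm wrapped inside an Information-request (illustrative only)."""
from __future__ import annotations

import ast
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Message types and status codes from RFC 3315.
CONFIRM, REPLY, INFORMATION_REQUEST = 4, 7, 11
STATUS_SUCCESS, STATUS_NOTONLINK = 0, 4

# Placeholder option names; the draft's option codes are assumed, not real values.
OPT_ENCAPSULATED, OPT_STATUS, OPT_DNS = "encapsulated-msg", "status", "dns-servers"


@dataclass
class Msg:
    mtype: int
    xid: int
    options: dict = field(default_factory=dict)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream standing in for real encryption; not for use anywhere else.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(msg: Msg, key: bytes) -> bytes:
    """Encrypt-then-MAC a message so only a holder of `key` can read or forge it."""
    plain = repr((msg.mtype, msg.xid, msg.options)).encode()
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def open_sealed(blob: bytes, key: bytes) -> Msg | None:
    """Return the inner message, or None when the tag fails (wrong key or tampering)."""
    nonce, tag, ct = blob[:12], blob[12:44], blob[44:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    mtype, xid, options = ast.literal_eval(plain.decode())
    return Msg(mtype, xid, options)


def build_probe(key: bytes, addr: str) -> tuple[Msg, int]:
    """Client side: one Information-request carrying a sealed Confirm for `addr`."""
    confirm = Msg(CONFIRM, secrets.randbits(24), {"iaaddr": addr})
    ir = Msg(INFORMATION_REQUEST, secrets.randbits(24),
             {"oro": [OPT_DNS], OPT_ENCAPSULATED: seal(confirm, key)})
    return ir, confirm.xid


def server_reply(ir: Msg, key: bytes | None, onlink_prefix: str) -> Msg:
    """Server side. key=None models a server that does not support the wrapping and
    ignores the option; a wrong key models one that supports it but cannot decrypt.
    Both fall back to answering the Information-request itself."""
    if key is not None:
        inner = open_sealed(ir.options[OPT_ENCAPSULATED], key)
        if inner is not None and inner.mtype == CONFIRM:
            ok = inner.options["iaaddr"].startswith(onlink_prefix)
            status = STATUS_SUCCESS if ok else STATUS_NOTONLINK
            answer = Msg(REPLY, inner.xid, {OPT_STATUS: status})
            return Msg(REPLY, ir.xid, {OPT_ENCAPSULATED: seal(answer, key)})
    return Msg(REPLY, ir.xid, {OPT_DNS: ["2001:db8::53"]})  # constructed sample answer


def choose_response(replies: list[Msg], key: bytes, ir_xid: int,
                    confirm_xid: int) -> tuple[str, Msg]:
    """Client rule from the message: `replies` is whatever arrived within the short
    wait; an authenticated answer to the Confirm wins, else the IR answer is used."""
    ir_answer = None
    for r in replies:
        if r.mtype != REPLY or r.xid != ir_xid:
            continue                       # not a response to our probe
        blob = r.options.get(OPT_ENCAPSULATED)
        if blob is None:
            if ir_answer is None:
                ir_answer = r
            continue
        inner = open_sealed(blob, key)     # forged or mis-keyed wrappers come back None
        if inner is not None and inner.mtype == REPLY and inner.xid == confirm_xid:
            return "confirm", inner
    if ir_answer is None:
        raise TimeoutError("no usable reply within the wait window")
    return "information-request", ir_answer
```

The point worth noticing is in `choose_response`: because the Confirm answer is only accepted after its tag verifies under the client's key, a Reply that merely claims to confirm the address (wrong key, or a forged wrapper from another host on the wire) is discarded and the client falls through to the plain Information-request answer, so arrival order within the wait window does not matter.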