Re: [dhcwg] recommendation on DHCP6 source port numbers

David Farmer <farmer@umn.edu> Thu, 29 February 2024 19:02 UTC

References: <CAN-Dau3m2_L7J9T9VBk7oyHTK0EeMeuiv+jNpuMGE3m1T623=A@mail.gmail.com> <CC99EB8A-3350-4682-B273-D0656AD8F7F4@employees.org> <CAN-Dau1SPXgyHg_fkmU6rTxWpt-edAWA9hM2kR1qyP8t1XW+_Q@mail.gmail.com> <A477E0AF-F68A-4528-A907-CF0C9F7448F2@deepdivenetworking.com>
In-Reply-To: <A477E0AF-F68A-4528-A907-CF0C9F7448F2@deepdivenetworking.com>
From: David Farmer <farmer@umn.edu>
Date: Thu, 29 Feb 2024 13:02:28 -0600
Message-ID: <CAN-Dau3cMV8yXF=WVXrdD36oV+_FQELDsgP4cddjrFfsagpv2w@mail.gmail.com>
To: "rob@deepdivenetworklng.com" <rob@deepdivenetworking.com>
Cc: Ole Trøan <otroan@employees.org>, dhcwg <dhcwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ylAGYL_1GV_-gN9YNghDyUKeyfA>
Subject: Re: [dhcwg] recommendation on DHCP6 source port numbers
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 19:02:54 -0000

Actually, given that return DHCP messages MUST be sent to their designated
destination ports and not the source port used by the originating DHCP
message, there is no advantage to using randomized source ports to prevent
spoofing. Using randomized source ports only makes firewall traversal for
DHCP messages more difficult.

Thanks.

On Thu, Feb 29, 2024 at 12:44 PM rob@deepdivenetworklng.com <
rob@deepdivenetworking.com> wrote:

> I think we are in the middle of the (no end in sight) argument of: if we
> make it completely predictable it is easy to monitor and punch holes for
> firewalls vs. if we make it easily predictable it is super easy to exploit.
> Just look at DNS needing to randomize source ports to combat cache
> poisoning. I think we don't have to say it "Should" be source and
> destination port that is forced. People can do that if they choose to
> given the current text, but we don't paint them into a corner.
>
> Rob
>
>
>
> On Feb 29, 2024, at 10:39 AM, David Farmer <farmer=
> 40umn.edu@dmarc.ietf.org> wrote:
>
> If we did, that would ensure DHCP messages will make it through typical
> stateful firewalls without special rules.
>
> Clients receive DHCP messages on UDP (destination) port 546.  Servers and
> relay agents receive DHCP messages on UDP (destination) port 547.
>
> Clients, servers, and relay agents SHOULD send DHCP messages from their
> designated destination ports, as this will facilitate firewall traversal
> for DHCP messages. Nevertheless, DHCP messages MUST be accepted from any
> UDP (source) port, and regardless of the source port used, return DHCP
> messages MUST be sent to their designated destination port.
>
>
> On Thu, Feb 29, 2024 at 12:05 PM Ole Trøan <otroan=
> 40employees.org@dmarc.ietf.org> wrote:
>
>> Should we also make it recommended to use the designated port as the
>> source port? With a MAY to send from an arbitrary port and a MUST to accept
>> from an arbitrary port?
>>
>> O.
>>
>> On 29 Feb 2024, at 18:51, David Farmer <farmer=40umn.edu@dmarc.ietf.org>
>> wrote:
>>
>>
>> Ok, it's a little less wordy this time.
>>
>> Clients receive DHCP messages on UDP (destination) port 546.  Servers and
>> relay agents receive DHCP messages on UDP (destination) port 547.
>>
>> Clients, servers, and relay agents MAY send DHCP messages from any UDP
>> (source) port they are allowed to use, including their designated
>> destination ports. Nevertheless, regardless of the source port used, DHCP
>> messages MUST be sent to their designated destination ports.
>>
>> Thanks
>>
>> On Thu, Feb 29, 2024 at 10:24 AM David Farmer <farmer@umn.edu> wrote:
>>
>>> Would this text clarify things?
>>>
>>> Clients receive DHCP messages on UDP (destination) port 546.  Servers
>>> and relay agents receive DHCP messages on UDP (destination) port 547.
>>>
>>> Clients, servers, and relay agents MAY send DHCP messages from any UDP
>>> (source) port they are allowed to use, including their designated
>>> destination ports. Nevertheless, regardless of the source port the client
>>> uses, the server or relay agent MUST send traffic to the designated
>>> destination port of the client. And vice versa, regardless of the source
>>> port used by the server or relay agent, the client MUST send traffic to the
>>> designated destination port of the server or relay agent.
>>>
>>>
>>> Thanks
>>>
>>> On Thu, Feb 29, 2024 at 10:03 AM Ole Troan <otroan=
>>> 40employees.org@dmarc.ietf.org> wrote:
>>>
>>>> Bernie,
>>>>
>>>> > DHCPv6 has been successfully deployed and this is the first I recall
>>>> of this kind of discussion/issue.
>>>> > You would likely also invalidate a lot of implementations with such a
>>>> change, which is not really in line with advancing this to Full Standard.
>>>>
>>>> It’s a lot more important to have the specification clear and
>>>> unambiguous. I think it has been shown that it isn’t.
>>>> Happy with whatever solution there is consensus for, but the ambiguity
>>>> has to be resolved I think.
>>>>
>>>> O.
>>>> _______________________________________________
>>>> dhcwg mailing list
>>>> dhcwg@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>

-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
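The port rules David works through above (messages may be sent from any UDP source port, replies always go to the peer's designated destination port) and the two consequences argued in this reply, stateful-firewall traversal and the lack of any anti-spoofing benefit from source-port randomisation, as an added example that is not part of the thread or of any DHCPv6 implementation. The firewall model, the IPv6 addresses, the port numbers other than 546/547 and the transaction-ids are constructed for the example.

```python
"""
Model of the DHCPv6 port rules discussed in the thread: clients receive on
UDP 546, servers and relay agents on UDP 547, a message may be sent from any
source port, and the reply always goes to the peer's designated port rather
than to the source port the request came from.

Added illustration, not code from the thread or from any DHCPv6 implementation.
Assumptions: a stateful firewall that admits an inbound UDP datagram only when
it is the exact reverse of an outbound 4-tuple it has seen; the addresses are
constructed sample values; the transaction-id is modelled as a 24-bit integer.
"""
from dataclasses import dataclass

CLIENT_PORT = 546   # designated port on which clients receive
SERVER_PORT = 547   # designated port on which servers and relay agents receive


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def reply_to(request: Flow, peer_is_client: bool, responder_src_port: int) -> Flow:
    """Build the reply 4-tuple. The reply is addressed to the peer's designated
    port (546 for a client, 547 for a relay agent), never to request.src_port."""
    dst_port = CLIENT_PORT if peer_is_client else SERVER_PORT
    return Flow(request.dst_ip, responder_src_port, request.src_ip, dst_port)


class StatefulFirewall:
    """Minimal stateful UDP firewall with no DHCP-specific rules: outbound
    datagrams create state, inbound ones pass only if they reverse an entry."""

    def __init__(self) -> None:
        self._state: set[Flow] = set()

    def outbound(self, flow: Flow) -> None:
        self._state.add(flow)

    def inbound(self, flow: Flow) -> bool:
        return flow.reverse() in self._state


def relay_reply_traverses(relay_src_port: int, server_src_port: int = SERVER_PORT) -> bool:
    """A relay agent behind the firewall sends Relay-forward to a server and
    waits for Relay-reply. True if the reply gets back through the firewall."""
    fw = StatefulFirewall()
    forward = Flow("2001:db8:1::11", relay_src_port, "2001:db8:2::547", SERVER_PORT)
    fw.outbound(forward)
    reply = reply_to(forward, peer_is_client=False, responder_src_port=server_src_port)
    return fw.inbound(reply)


@dataclass(frozen=True)
class Dhcp6Reply:
    flow: Flow
    xid: int  # 24-bit transaction-id carried in the message header


def client_accepts(pkt: Dhcp6Reply, client_ip: str, expected_xid: int) -> bool:
    """Client-side acceptance: the client listens on 546 and MUST accept any
    source port, so the only per-transaction check left is the transaction-id."""
    f = pkt.flow
    return f.dst_ip == client_ip and f.dst_port == CLIENT_PORT and pkt.xid == expected_xid


def forgery_checks(client_src_port: int, attacker_xid: int, real_xid: int) -> tuple[bool, bool]:
    """Off-path forgery against a client that sent its request from
    client_src_port. Returns (passes_port_checks, accepted). The forger never
    learns client_src_port and does not need it: the reply destination is
    fixed at 546, so randomising the source port adds nothing to its work."""
    client_ip = "2001:db8:1::546"
    forged = Dhcp6Reply(Flow("2001:db8:2::bad", SERVER_PORT, client_ip, CLIENT_PORT), attacker_xid)
    port_ok = forged.flow.dst_ip == client_ip and forged.flow.dst_port == CLIENT_PORT
    return port_ok, client_accepts(forged, client_ip, real_xid)


def dns_style_port_check(client_src_port: int, attacker_port_guess: int) -> bool:
    """Contrast with DNS, where the reply is sent back to the query's source
    port, so a forger must guess that port as well as the transaction-id."""
    return attacker_port_guess == client_src_port


if __name__ == "__main__":
    print("relay from 547, server from 547:", relay_reply_traverses(547))
    print("relay from 40000, server from 547:", relay_reply_traverses(40000))
    print("relay from 547, server from 50000:", relay_reply_traverses(547, 50000))
    print("DHCPv6 forgery, wrong xid:", forgery_checks(40000, 0x000001, 0xABCDEF))
    print("DNS forgery, wrong port guess:", dns_style_port_check(40000, 53))
```

Run it directly to see the three firewall cases: only when both sides send from their designated ports does the Relay-reply reverse the 4-tuple the firewall recorded, which is the traversal argument in the SHOULD text above. The forgery functions show the other half of the argument: because the reply destination is always 546, `forgery_checks` passes the port layer whatever the client chose as source port, and only the transaction-id stands between a forger and acceptance, unlike the DNS case Rob cites where the reply follows the query's source port.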