Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation

Alexandre Petrescu <> Thu, 13 July 2017 20:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DE928131777 for <>; Thu, 13 Jul 2017 13:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4B1OodfnSSEd for <>; Thu, 13 Jul 2017 13:01:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 37E5C131778 for <>; Thu, 13 Jul 2017 13:01:17 -0700 (PDT)
Received: from ( []) by (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id v6DK1CwV174429; Thu, 13 Jul 2017 22:01:12 +0200
Received: from (localhost []) by localhost (Postfix) with SMTP id 52182205A22; Thu, 13 Jul 2017 22:01:12 +0200 (CEST)
Received: from ( []) by (Postfix) with ESMTP id 442ED204D2B; Thu, 13 Jul 2017 22:01:12 +0200 (CEST)
Received: from [] ([]) by (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id v6DK1BFR024175; Thu, 13 Jul 2017 22:01:11 +0200
To: "Bernie Volz (volz)" <>
Cc: "" <>
References: <> <> <> <> <>
From: Alexandre Petrescu <>
Message-ID: <>
Date: Thu, 13 Jul 2017 22:01:10 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - questions about Solicit Prefix Delegation
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Jul 2017 20:01:22 -0000

Le 13/07/2017 à 19:38, Bernie Volz (volz) a écrit :
> Regarding the hop limit, I don’t have a recommendation; I'd likely 
> leave it be what the OS defaults it to if I were writing a client. 
> I'm not sure I'd put this in the 3315bis specification, but the WG 
> can debate that issue.

My oppinion is to make DHCP spec Hop Limit > 1.  In order to make sure
that the encap/decap of DHCP Solicit in IPv4 GTP happening on a cellular
link does not drop it to 0 upon decap.

It may be that the decap does or does not decrement HopLimit.  I am 
saying 'may' because I am not sure there is a spec for GTP that 
encapsulates IPv6 in IPv4 (or there is but I dont know the number).

> Note also that the server does not have an easy way to get the hop 
> count (well, perhaps there is a way but the server I work on doesn't 
> care what it is) and therefore I doubt any of them check.
> Regarding Link Local vs GLA in Solicit, I think following the 
> specification would be recommended. Use link-local.


> For things that use GLA, likely it doesn't matter since if the
> Solicit is relayed and then the GLA isn't really used by the server
> -- as the link-address in the Relay-Forw. It may matter if the server
> is directly on link if it checks. I think that using differing scopes
> for source/destination addresses is a bad idea (and certainly sending
> with a source of LL and destination of GLA would be very bad). So, I
> think the client should stick to using the LL unless it is
> unicasting.


> Note also that section 13.1 (for the unicast, GLA case) assumes the 
> message was not multicast (section 18.4 about UseMulticast Status 
> talks about "Reception of Unicast Messages").
> I think section 13.1 was written with the assumption that
> determining the destination address of a packet is harder than
> obtaining the source address; hence the assumption is that if a GLA
> is used as the source address, it was not a multicast [to the
> link-local multicast address]. Today, kernels typically provide the
> ability to get the destination address, not just the source address
> (though it takes a bit more code to do so).
>> I can say e.g. some (I believe Cisco) client puts a GUA in the src 
>> of aDHCPv6 Solicit.
> That's a bit of a broad statement as Cisco has many different
> devices (and many different operating systems and versions) ...
> perhaps if you could indicate which device(s) and software versions
> you've found this to be the behavior on, I can perhaps follow up.

I cant say which precisely Cisco client.  The operator knows.  The 
operator tells me to imitate what the Cisco client does, because that's 
what works.  And that client puts a GUA in the src.

I have informed the operator about this and let's see.

> I will also add that in many cases when devices are doing DHCPv6, 
> they will only have a LL so it may also depend on the network 
> configuration.

I agree there are many cases like that.

The case I am concerned with wants that the GUA comes from the RA, and 
the prefix from DHCPv6-PD (a sort NAT-free scalable tethering on 
cellular connection).


> - Bernie
> -----Original Message----- From: Alexandre Petrescu 
> [] Sent: Thursday, July 13, 2017 
> 12:01 PM To: Bernie Volz (volz) <> Cc: 
> Subject: Re: [dhcwg] I-D Action: draft-ietf-dhc-rfc3315bis-09.txt - 
> questions about Solicit Prefix Delegation
> Bernie,
> Le 12/07/2017 à 23:33, Bernie Volz (volz) a écrit :
>> Hi:
>>> What is the Hop Limit that a Solicit should contain in the IPv6 
>>> header?
>> ND uses hop limit of 255 so the destination can check that it is 
>> 255 on receipt (whereas 1 could have been anything and forwarded 
>> many times).
>> But I'm not sure if that is a the best practice when you don't want
>> the packet forwarded. I would think that if the destination is a
>> link-local multicast, it really doesn't matter as nothing should 
>> forward the packet (and if something is misconfigured to forward 
>> the packet, you're probably in deeper trouble than just with 
>> DHCPv6).
>> RFC 4861 has:
>> 11.2.  Securing Neighbor Discovery Messages
>> The protocol reduces the exposure to the above threats in the 
>> absence of authentication by ignoring ND packets received from 
>> off-link senders.  The Hop Limit field of all received packets is 
>> verified to contain 255, the maximum legal value.  Because routers 
>> decrement the Hop Limit on all packets they forward, received 
>> packets containing a Hop Limit of 255 must have originated from a 
>> neighbor.
>> I don't know off hand if there's any place this is documented
>> (what to use for hop limit with link-local).
> I think your explanation makes sense about ND.
> But, about DHCP, I need to know whether a DHCP Solicit with HopLimit 
> 1 is valid or not.
> As I said earlier, some DHCP clients set it at 255 whereas others at 
> 1.
> In some setting, the DHCP Solicit is encapsulated in IPv4.  Some of 
> the decapsulation RFCs say that the HopLimit is decremented.
> In that setting, it is not clear whether decrementing the hop limit 
> happens, or not.
> But I want to make sure the client which sets HopLimit at 1
> (odhcp6c) is the right way to do.
> I think a good place to clarify this is in the DHCP spec.
> The spec could say that the HopLimit has some preferred value.
>>> Is IA_NA with empty fields a valid option in a Prefix Delegation
>>>  Solicit, or must IA_NA be absent altogether? (the intention is 
>>> to only request the Prefix, because the address comes from RA).
>> Not sure what an "empty" IA_NA is. Whether you include an IA_NA or 
>> not with IA_PD is the client's choice. If it what's an address 
>> (such as for management) on the upstream link, than it should 
>> include an IA_NA. This is covered in the text in 6.3 (IA_PD only) 
>> vs 6.4 (IA_PD and IA_NA, typically).
> Noted.
>>> Is ORO with empty fields illegal in a Prefix Delegation Solicit?
>>>  (the intention is to get the DNS server from RA, but some
>>> client puts an empty ORO there).
>> An empty ORO is fine (it should not cause problems, but is 
>> obviously useless). Though if they are following the rfc3315bis
>> and doing what they should, there would not be an empty ORO.
> Noted.
>>> Is it ok to use a GUA in the src address of a Solicit Prefix 
>>> Delegation?
>> See 13.1 of draft-ietf-dhc-rfc3315bis-09 ... the source address 
>> here should be link-local.
> Well, that contradicts some trial.
> I can say e.g. some (I believe Cisco) client puts a GUA in the src
> of a DHCPv6 Solicit.  Other DHCP clients have this optional between
> LLA or GUA.  The operator I work with wants it to be a GUA.
> As such, I dont know what is the way forward: should the spec get 
> updated?  shoudl the operator change?  should the Cisco 
> implementation change?
> Alex