Re: [homenet] Fwd: I-D Action: draft-ietf-homenet-naming-architecture-dhc-options-01.txt
Daniel Migault <mglt.ietf@gmail.com> Mon, 16 March 2015 01:49 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A721A1EF7 for <homenet@ietfa.amsl.com>; Sun, 15 Mar 2015 18:49:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f8wjjznKgdfs for <homenet@ietfa.amsl.com>; Sun, 15 Mar 2015 18:48:53 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10E181A1EEA for <homenet@ietf.org>; Sun, 15 Mar 2015 18:48:53 -0700 (PDT)
Received: by wifj2 with SMTP id j2so30858048wif.1 for <homenet@ietf.org>; Sun, 15 Mar 2015 18:48:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=zk0f0qiah4oVnB7oxP3PcSwauYwMoAj0ZM03whRpwNE=; b=jnfNpMXX7B+oLr0SLb0M6E88sJoOL8JMywOQmBw6VXO/v8ViGrTMmptMAn/JDaJ/Sl hkdSFTKXKlDwKISKhKhshBf7+GvTIRs8xwVYGRR6+mz4wKffJyDvGU8D/2Hp0r+OeSUR Ozi2k93s9MGjnCnMUQwA/A4JjBmRSJJWU1TRZDJteTNr7Ftl3gB33LsgacJEwiUHCJue Xl7/mzty2hlVxsRmA07sACqzip8zrvwMc3qE+WI+O56+dHQkVZyHSfTk7eNwshmOUcWo cbp1ZUjMirERjcwTwYiz6X2cbI4iyJuFdBCIBmhTHiH5BF2vEkMdlTdiM/Xth+6oKeVX HAlg==
MIME-Version: 1.0
X-Received: by 10.194.61.244 with SMTP id t20mr113171485wjr.83.1426470531728; Sun, 15 Mar 2015 18:48:51 -0700 (PDT)
Received: by 10.194.68.39 with HTTP; Sun, 15 Mar 2015 18:48:51 -0700 (PDT)
In-Reply-To: <5504CCDE.709@gmail.com>
References: <20150217193324.25368.88002.idtracker@ietfa.amsl.com> <CADZyTknR_5Csm+gD_BbtNtKYxdycuikeyHt+cxMuqWw3fHvdkQ@mail.gmail.com> <54F6F93F.8030602@globis.net> <CADZyTk=57sH=_T1HDF_vv8CKwPyjpQpXqzP5v+FzwPBqOdx9sw@mail.gmail.com> <5504CCDE.709@gmail.com>
Date: Sun, 15 Mar 2015 21:48:51 -0400
Message-ID: <CADZyTkmoSQfo8E+WM7U5yrqF9vFo6q9bN1LnS4v5RyCY4FDCdA@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b86e4065389a805115e0dc6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/homenet/SrLvnr05oxFvxLwDLdOOtZy4rIo>
Cc: Ray Hunter <v6ops@globis.net>, "homenet@ietf.org" <homenet@ietf.org>
Subject: Re: [homenet] Fwd: I-D Action: draft-ietf-homenet-naming-architecture-dhc-options-01.txt
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 01:49:04 -0000
Hi,
Thank you for the feed back. Here is an update of the renumbering section.
I considered the two cases make-before-break and break-before-make.
Feel free to make any comment.
BR,
Daniel
9 Renumbering
This section details how the CPE is expected to handle renumbering.
Renumbering has been extensively described in RFC4192 and analyzed in
RFC7010. This section is largely inspired by these document, and the reader
is expected to become familiar with them.
This section considers two ways to renumber the home network:
- make-before-break: In this scenario, the new prefix is advertised,
the network is configured to prepare the transition to the new prefix.
During a period of time, the two prefixes old and new coexist, before the
old prefix is completely removed.
- break-before-make: In this scenario, the new prefix is advertised
making the old prefix obsolete.
The make-before-break scenario is recommended, but this section details
both.
In both scenarios, this section is focused on how renumbering affects the
DNS(SEC) Homenet Zone and how renumbering affects the communication between
the Hidden Master and the slave hosted on the Public Authoritative Name
Server Set. This section designates by OLD_PREFIX and OLD_IP the IP prefix
and IP addresses that are to be replaced and NEW_PREFIX and the NEW_IP the
replacing IP prefix and IP addresses.
The initial situation is as follows: the CPE has configured its naming
architecture as depicted in Figure 1 (Section 4.1). More specifically, the
CPE has set the DNS(SEC) Homenet Zone as detailed in Section 4.2, and it is
assumed that some hosts are configured with OLD_PREFIX. In addition the
Hidden Master and the Public Authoritative Name Server Set are configured
as detailed in Section 5. The Public Authoritative Name Server Set is
configured as a slave for the Homenet Domain Name. The communication
between the Hidden Master and the slave uses the OLD_IP of the Hidden
Master. Usually, the slave is configured with the master's IP address. In
our case the slave is configured with OLD_IP.
9.1 make-before-break
In the make-before-break renumbering scenario, the CPE is informed that
renumbering will happen in the future. The CPE waits that routers ad
switches are ready to route both OLD_PREFIX and OLD_PREFIX on the home
network. The necessary time for the CPE to be aware of the bindings between
the hosts of the home network and the NEW_IPs may vary, depending on how
binding between the NEW_IPs and the various hosts in the home network is
performed as well as how the CPE is informed of the newly assigned IP
addresses. After some time, either that all hosts have provided their
corresponding NEW_IPs or a timer has expired, the CPE provides an updated
version of the DNS(SEC) Homenet Zone to the Hidden Master. As explained in
Section 9.1.1, the TTLs may also be adjusted.
The updated DNS(SEC) Homenet Zone is then updated on the slave using
the same configuration as used until now. In fact, there is no need to
update the master/slave configuration as currently both IP addresses of the
Hidden Master are reachable (IP_OLD and IP_NEW). This process may have been
proceed earlier, or may be processed later. Even though updating the
DNS(SEC) Homenet Zone and updating the IP address used by the Hidden Master
are completely different processes, they may be combined as explained in
section 9.1.2. At that time, the DNS(SEC) Homenet Zone has been updated
with both NEW_IPs and OLD_IPs, the DNS(SEC) Homenet Zone is being publicly
published on the Public Masters, and the master/slave mechanism uses the
NEW_IP of the Hidden Master.
The final step consists in removing the OLD_IPs of the DNS(SEC) Homenet
Zone file and updating the zone on the Public Masters. The removal of the
OLD_IPs RRsets SHOULD be performed such that there is no more RRSets
contains OLD_IPs in any cache when OLD_PREFIX is not reachable anymore.
TTLs should be chosen appropriately to meet timing constraints as explained
in section 9.1.1.
9.1.1 Adjusting TTLs
As TTL designates how long the RRsets are cached, they should be
adjusted regarding the time both OLD_IP and NEW_IP are reachable and the
time OLD_IPs are removed from the DNS(SEC) Homenet Zone. Let T_OLD_NEW
designate the time the DNS(SEC) Homenet Zone contains both OLD_IPs and
NEW_IPs, and T_NEW the time when OLD_IPs are removed from the DNS(SEC)
Homenet Zone. Let OLD_TTL the TTL value before T_OLD_NEW, OLD_NEW_TTL the
TTL value after T_OLD_NEW and NEW_TTL the TTL value after T_NEW.
When a RRset is modified, it takes 2*TTL seconds for the previous value
to be removed from all caches. As a result, it will take 2*OLD_TTL before
the DNS(SEC) Homenet Zone becomes stable have have its RRsets containing
both OLD_IPs and NEW_IP in all caches. Going to a stable state where both
OLD_IP and NEW_IP are stored in caches is not mandatory. On the other hand,
it is of primary importance that OLD_IP is not anymore in caches when
OLD_PREFIX becomes unreachable, i.e. T_OLD_NEW + 2 OLD_TTL <
T_OLD_PREFIX_UNREACHABLE. This equation provides indication on how to chose
T_OLD_NEW as other parameters may be fixed. Similarly, T_NEW should be
chosen so that T_NEW + 2*OLD_NEW_TTL < T_OLD_PREFIX_UNREACHABLE. This
equation provides indications on how OLD_NEW_TTL and T_NEW may be chosen.
Figure below illustrates a timing example.
Updating Zone Last RRsets with Updating Zone Last RRsets
with T_OLD_PREFIX_UNREACHABLE
with OLD_IP OLD_IP only expires with NEW_IP OLD_IP and
NEW_IP OLD_PREFIX becomes
and NEW_IPs from cache only expires from
cache unreachable
| | |
| |
| | |
| |
OLD_TTL v OLD_NEW_TTL v v NEW_TTL
v v
----------+---------------+-----------------------+------------+----------------------
T_OLD_NEW T_OLD_NEW + 2 OLD_TTL T_NEW T_NEW +
2*OLD_NEW_TTL
9.1.2 Updating the IP address of the Hidden Master
This section details how the slave may be advertised the Hidden Master
has changed its IP address, and consequently update its configuration. Note
also that the IP address of the Hidden Master does not appear in the
DNS(SEC) Homenet Zone as the Hidden Master is kept "hidden".
The Hidden Master sends a NOTIFY DNS query to the masters. When the
slave receives the NOTIFY DNS query and have authenticated the NOTIFY DNS
query, it sends a response back to the master. The slave may notices that
the IP address is not associated to the Hidden Master IP address(es),
however, the slave is not expected to update its master / slave
configuration as the IP address is most likely not protected. Instead the
slave is expected to perform a reachability check before setting the
master/slave configuration. The reachability check may be combined with the
regular master/slave synchronization, that is to say a DNS query for the
SOA is sent by the slave to the master. The difference with the regular
master/slave synchronization is that the IP used to reach the slave is not
provided by the master/slave setting, but is instead provided by the NOTIFY
DNS query. If an authenticated response is received the slave MAY update
its master/slave settings with the new IP address.
The reason a change of master does not necessarily results in updating the
master/slave configuration is that the CPE may be multi-homed, in which
case multiple IP addresses may be used in parallel. In such cases, it is
not necessary to update the master/slave configuration. Instead, the update
should be performed only when the IP is not in the pool of the IP addresses
used by the CPE. The edns-client-subnet option described in
[draft-vandergaast-edns-client-subnet-02] may be used to advertise the
valid IP addresses of the Hidden Master. However, for sake of simplicity,
we recommend that unless the slave is aware that the Hidden Master uses
multiple IP addresses, the Hidden Master uses a single IP address at a
time, meaning that a change of IP address would result in a modification of
the master/slave setting on the slave.
Note that the NOTIFY DNS query can be authenticated even though the IP
address is unknown to the slave. As described in RFC1996, the NOTIFY
payload carries the Homenet Domain Name. Similarly, if SIG(0) or TSIG is
used to secure the transaction between the Hidden Master and the slave, the
Homenet Domain Name is also indicated in the RRSIG RRset. Unless the
transport layer can handle with an IP update, if DTLS/TLS is used, than a
new socket may be opened, which results results in a new authentication
exchange before the NOTIFY DNS query is sent. If IPsec is used,
authentication is based on the IP address. Unless MOBIKE is supported by
IKEv2, a new IPsec Security Association should be negotiated. If MOBIKE is
supported, than the Hidden Master can inform the slave that its IP address
has been updated.
Note also that the IP address is not authenticated, unless IPsec with the
AH mode is used. The reliability of this IP address is left to the
reachability check. As a results, the IP address may not be the one
associated to the Hidden Master, but instead the one of a proxy or any
middle box. For this reason it matters to authenticate and protect the IP
payload with appropriated security protocols listed in Section 5.2. One
way DNS could be used to provide the IP addresses associated to the CPE
would be to use the edns-client-subnet option described in
[draft-vandergaast-edns-client-subnet-02], however, this may be used
cautiously in case any kind of translation address mechanism occurs between
the master and the slave.
9.2 break-before-make
In the break-before-make, the CPE is being assigned a new prefix at the
time the old prefix is not reachable. This situation necessarily results in
making the hosts unreachable, as the DNS cannot be updated instantly. More
specifically, RRset with OLD_IP will remain in cache for 2*TTL.
In this case, the DNS(SEC) Homenet Zone is rebuilt with the NEW_IPs
only, and eventually resigned. In fact OLD_IPs are already unreachable,
thus they are not mentioned in the zone. The Hidden Master then performs
sends a NOTIFY using the newly assigned IP address and performs both a zone
synchronization and a configuration update at the same time as described in
section 9.1.2.
On Sat, Mar 14, 2015 at 8:05 PM, Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:
> > When a renumbering operation occurs, the CPE IP prefix is modified. As a
> > result, IP addresses of the Homenet DNS(SEC) Zone are not valid anymore
> --
> > as we assume the DNS(SEC) Homenet only has global reachable IP addresses.
> > In addition, the Slave cannot anymore reach its master.
>
> That seems to assume a break-before-make renumbering. The preferred
> scenario is make-before-break, although we need to be able to support
> both. I hope you can adjust the text to allow both.
>
> Brian
>
--
Daniel Migault
Ericsson
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Brian E Carpenter
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Daniel Migault
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Daniel Migault
- [homenet] Reneumbering [ I-D Action: draft-ietf-h… Brian E Carpenter
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Ray Hunter
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Daniel Migault
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Ray Hunter
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Daniel Migault
- [homenet] I-D Action: draft-ietf-homenet-naming-a… internet-drafts
- [homenet] Fwd: I-D Action: draft-ietf-homenet-nam… Daniel Migault
- Re: [homenet] Fwd: I-D Action: draft-ietf-homenet… Ray Hunter