IETF Logo Mail Archive

Re: SLAAC vs DHCPv6 (II)

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 28 January 2020 17:04 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABED12009E for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 09:04:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7MtWC4c9qS8E for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 09:04:21 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090B0120096 for <ipv6@ietf.org>; Tue, 28 Jan 2020 09:04:21 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 21E313897A for <ipv6@ietf.org>; Tue, 28 Jan 2020 12:03:42 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 823A161 for <ipv6@ietf.org>; Tue, 28 Jan 2020 12:04:19 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: 6man WG <ipv6@ietf.org>
Subject: Re: SLAAC vs DHCPv6 (II)
In-Reply-To: <1af0b06d-f9d7-5ea1-27f3-b417eb9148fa@si6networks.com>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <MN2PR11MB3565330989D411525D30B90DD80F0@MN2PR11MB3565.namprd11.prod.outlook.com> <80207E17-AE8E-4D19-B516-D2E6AB70721E@employees.org> <8D5610EA-49D3-483E-BB7A-67D67BC89346@jisc.ac.uk> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <AFEBAD7D-DF24-4924-8B9A-60DF22BA1953@consulintel.es> <c42affce-fbd3-23ec-c9ff-4f05cdf38630@si6networks.com> <41173152-A8E8-4241-9DE7-376AA7AFB813@consulintel.es> <c4166907-b6c9-a4ef-fd59-cf539bbe0405@si6networks.com> <43D76C96-C16B-4BEB-B9B8-C68D53BCE63F@fugue.com> <fb5b8377-892d-2777-ef9b-4f9ddefa6c93@si6networks.com> <CAKD1Yr034_tu7ZoJ1FCfDYhNSN6igm-ZQyR4u3U+UDMr=huGOw@mail.gmail.com> <1af0b06d-f9d7-5ea1-27f3-b417eb9148fa@si6networks.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 28 Jan 2020 12:04:19 -0500
Message-ID: <11708.1580231059@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/SUPYvwalyybjPnNYcpoSIdMDR1g>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 17:04:24 -0000

Fernando Gont <fgont@si6networks.com> wrote:
    >> IIRC that was tried a few years ago and did not go anywhere (I think Suresh
    >> has more details). >
    >> We could try again, though - if it's true that the main reason that
    >> operators want DHCPv6 is tracking, then it could be a good middle ground
    >> between devices that want SLAAC's ability to form addresses without
    >> permission and networks that want DHCPv6's tracking abilities.

    > I don't believe the motivation is tracking, but some sort of control,
    > including:
    > * logging

I think that the key activity they want is auditing.
(Sorry to be pendantic here, but I think it might matter to future direction)

The log provides that, but if you can come up with a different mechanism then
that would be fine too.  DHCPv6 provides the audit through a log.

But for instance, if SEND were used, such that the address could be linked
to a public key/certificate which was in a certificate used for 802.1X
(perhaps enrolled autonomically), then that would satisfy the audit needs
without necessarily resulting in a new source of data with a vulnerability to
exfiltratration.

    >> If we do this it's important that the semantics only support tracking
    >> existing addresses and not requesting addresses. Otherwise there will be a
    >> conflict with the recommendations in RFC 7934 section 8 - and it would
    >> basically be identical to IA_NA which is already a standard.

    > Well, the whole thread entitled "RFC4941bis: consequences of many addresses
    > for the network" seem to be in conflict with RFC7934. -- i.e., folks have
    > concerns about nodes configuring an arbitrary number of addresses at will.

Yes.
I think that the thing that we are realizing is that 4941 doesn't give us
that much privacy for residential (or 3G/LTE!) situations.

Stable private addresses which are not manufacturer assigned EUI-48/64
derived are probably almost as good.  Per-provider-domain randomized L2 MAC
addresses with EUI-derived IIDs are possibly equivalent, except that we don't
have a direct DAD mechanism for that layer. (The IPv6 LL DAD is good here, as
much as it is rather a layer violation)

On the other hand, the places where 4941 works, it works because the
anonymity set is large.   In those situations, where it works, we need to make
sure that we do not wind up with hard-to-diagnose failure cases due to
policies (or implementation bugs) on routers with respect to number of NCE.

There are interactions that we should be aware of with L2 bridging and
Proxy-ND such that the IPv6-address:L2-address ratios could legitimately
vary a *lot*.

So, I'm not entirely sure what the motivation for 4941bis is (Internet
Standard?), but it seems to me that we are not solving the right problem
here.

I actually think that there is an entire WG worth of effort here.

    >> Note that 6man is working another way of getting this information to the
    >> network, see the "multicast NA to ff02::2 whenever an address is
    >> configured" proposal in draft-linkova-6man-grand.

    > I don't think that's registration in the same sense. For Jen's proposal, it's
    > "best effort" registration. For logging, you need to implement a reliability
    > mechanism. As we keep putting more state into SLAAC, it becomes more of AAC
    > than SLAAC. And IPv6 automatic configuration as a whole becomes harder and
    > harder to explain to newcomers, so to speak.

Agreed, because AFAIK, the router can't send a NAK.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email