re: I-D Action: draft-ietf-6man-addr-select-opt-04.txt

Ray Hunter <v6ops@globis.net> Wed, 18 July 2012 17:29 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D24F211E8132 for <ipv6@ietfa.amsl.com>; Wed, 18 Jul 2012 10:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZ4sqA5VyXE7 for <ipv6@ietfa.amsl.com>; Wed, 18 Jul 2012 10:29:12 -0700 (PDT)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id EB1D611E811D for <ipv6@ietf.org>; Wed, 18 Jul 2012 10:29:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 5DA9D870049; Wed, 18 Jul 2012 19:29:46 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TBFcex+W7cxw; Wed, 18 Jul 2012 19:29:17 +0200 (CEST)
Received: from Rays-iMac-2.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id E09BF870046; Wed, 18 Jul 2012 19:29:16 +0200 (CEST)
Message-ID: <5006F266.3070802@globis.net>
Date: Wed, 18 Jul 2012 19:29:10 +0200
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.4 (Macintosh/20120616)
MIME-Version: 1.0
To: draft-ietf-6man-addr-select-opt@tools.ietf.org
Subject: re: I-D Action: draft-ietf-6man-addr-select-opt-04.txt
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: 6man Mailing List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 17:29:12 -0000

I have read this draft. As previously stated, I like the idea.

comments & questions:

Section 2:
/ a client MAY NOT automatically add rows to the policy table/

MAY NOT seems to contradict Section 4
/This option's concept is to serve as a hint for a node about how to 
behave in the network./

i.e. it's a hint not a command. Is this not then a "SHOULD NOT"? 
Otherwise won't we get questions about who is leading for determining 
end-node global behaviour, the device owner or the network operator? Or 
is this MAY NOT flag only valid IF the node chooses to trust and install 
the policy table communicated via DHCPv6?

/label:  An 8-bit unsigned integer;/

Is there any specification in an RFC that says ALL implementations can 
only handle a label of 8 bits?

/precedence:  An 8-bit unsigned integer;/

Is there any specification in an RFC that says that ALL implementations 
can only handle a precedence of 8 bits?

draft-ietf-6man-rfc3484bis-06 refers to numeric comparisons, but does 
not appear to specify a type.

I see later in Section 5:

/Currently, the label and precedence values are defined as 8-bit 
unsigned integers.  In almost all cases, this value will be enough./

How many times have I heard that about fixed length fields.
What happens if it is not enough?
Is it worth considering variable length labels and precedence fields? Or 
making them 16 bits to start with?

/An IPv4-mapped address [RFC4291] must  be used to represent an IPv4 
address as a prefix value./

Whilst I agree with this statement, some examples in the Microsoft 
documentation I have read show dual entries in the policy table: one for 
mapped IPv4 address prefixes and one for IPv4-Compatible IPv6 address 
prefixes.

e.g. the default policy table is shown with entries like:
::/96 20 3
::ffff:0:0/96 10 4

Since IPv4-Compatible IPv6 addresses are deprecated, can we assume that 
these can be safely ignored, or not?

I have always played it safe and configured both in Windows 7, so I'm 
not sure of underlying behaviour of the implementation and if this might 
change over time or versions.

/The zone-index is defined in RFC 3493 [RFC3493] as 'scope ID'/

I can't find a direct reference to 'scope ID' in RFC3493.
Is it 'sin6_scope_id'? That would make sense as it is defined as 32 bit 
integer.

Section 4.3:
/In other cases the node MUST NOT use Policy Table options unless the 
node is specifically configured to do so./

When I first read this I asked myself "is that not too draconian?" I 
think a document link to the definition of a "secure channel" in the 
Security Considerations section would answer that question effectively 
i.e. a signed DHCP message is considered a secure channel, regardless of 
the underlying transport.

What about version control of the policy table itself? Is there a need 
for a policy-table version option like a DNS SOA serial number? I could 
imagine some potential corner-case problems with replay attack or race 
conditions, especially if the local router is acting as some sort of 
smart caching DHCPv6 server introducing local options. Or is that just 
too obscure to worry about?

Thanks!
RayH