Re: [mif] New Version Notification for draft-reddy-mif-dhcpv6-precedence-ops-02.txt

"Prashanth Patil (praspati)" <praspati@cisco.com> Wed, 24 October 2012 17:42 UTC

From: "Prashanth Patil (praspati)" <praspati@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Date: Wed, 24 Oct 2012 17:42:14 +0000
Message-ID: <B235506D63D65E43B2E40FD27715372E134BDF5F@xmb-rcd-x07.cisco.com>
In-Reply-To: <50866262.3050500@gmail.com>
Cc: "mif@ietf.org" <mif@ietf.org>
Subject: Re: [mif] New Version Notification for draft-reddy-mif-dhcpv6-precedence-ops-02.txt

Hi Brian,

On 23/10/12 2:54 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com>
wrote:

>On 21/10/2012 04:01, Ted Lemon wrote:
>> On Oct 20, 2012, at 10:55 PM, "Tirumaleswar Reddy (tireddy)"
>><tireddy@cisco.com> wrote:
>>> Yes. In such Managed Networks, SLAAC is disabled and IPv6 addresses
>>>are only assigned using DHCPv6 server. Switches in such environments
>>>provide First Hop Security by gleaning DHCP/NDP messages and can make
>>>sure hosts are using the IPv6 addresses assigned by the DHCPv6 server
>>>only (Source Guard). With the technique in this draft only certain
>>>hosts will be permitted assignment of IA_TA and not for other hosts.
>> 
>> That makes sense - thanks for clarifying!
>
>It makes sense, but the draft doesn't explain that it is only
>intended for use in managed networks where the suppression of
>privacy is considered acceptable. I think this needs to be stated
>in the Introduction, and the issue of (loss of) privacy needs to
>be discussed in the Security Considerations.

Sure, will state as suggested.


>
>How will users know that temporary addressing has been disabled?

Users won't. I suppose guests authenticating using Webauth could be served a
disclaimer page that points this out. It's the administrative domain that
makes this decision.


>
>Is there a risk of a rogue DHCPv6 relay switching off temporary
>addressing for hosts that really need it?

DHCP authentication should be used to counter such risks. A DHCP server
would then only process relay options included by a valid relay agent.


>
>Also, in the section
>
>> 3.2.1.  Avoiding Excessive IP-Based Authentication
>
>it says:
>
>>                      When Address-based authentication is used, re-
>>    authentication occurs for each address obtained by the host, which
>>    can create a lot of authentication transactions.  To reduce this
>>    chatter,
>
>This doesn't convince me that the proposed feature is solving a real
>problem. "A lot of" and "chatter" are vague terms. Can you add something
>to suggest what size of a network would have a real performance problem
>as a result?

When IP address based authentication, e.g. Webauth, is used, the
authentication device will end up authenticating each and every temporary
address used by the client. So 'a lot of' here implies that the number of
authentications is equal to the number of temporary addresses used by the
host; this would also lead to a bad user experience. The same number of
transactions with the backend AAA server to validate user credentials will
also have to be made.
Will add these details.

-Prashanth


>
>Regards
>   Brian Carpenter
>
>
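The rogue-relay mitigation discussed in this thread, as an added example that is not part of the draft or of anyone's message: a toy DHCPv6 server that only honours an IA_TA-suppression hint when it comes from a relay agent it trusts, and grants temporary addresses as usual otherwise. The hypothetical relay-inserted option code NO_IA_TA_OPTION and the allow-list of relay link-addresses (standing in for the DHCP authentication recommended in the reply) are assumptions, not anything the draft defines.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# DHCPv6 option codes for the identity associations (RFC 3315).
IA_NA = 3
IA_TA = 4
# Hypothetical relay-inserted option meaning "do not assign IA_TA to this
# host"; constructed for this example, not defined by the draft.
NO_IA_TA_OPTION = 65000


@dataclass
class RelayForward:
    """The parts of a Relay-forward message this toy server looks at."""
    link_address: str           # relay agent's address on the client link
    relay_options: set[int]     # option codes the relay agent added
    client_requested: set[int]  # IA option codes in the encapsulated client message


@dataclass
class Server:
    # Relays whose options the server will act on. In a real deployment
    # this trust comes from DHCP authentication, not a static list.
    trusted_relays: set[str]
    audit: list[str] = field(default_factory=list)

    def grant(self, msg: RelayForward) -> set[int]:
        """Return the IA types the server will assign for this message."""
        granted = set(msg.client_requested)
        if NO_IA_TA_OPTION in msg.relay_options:
            if msg.link_address in self.trusted_relays:
                # Policy from a valid relay: suppress temporary addresses.
                granted.discard(IA_TA)
            else:
                # An unauthenticated relay tried to change host policy:
                # ignore the option so it cannot switch off IA_TA, and log it.
                self.audit.append(
                    f"ignored IA_TA suppression from untrusted relay {msg.link_address}"
                )
        return granted


if __name__ == "__main__":
    srv = Server(trusted_relays={"2001:db8:1::1"})
    legit = RelayForward("2001:db8:1::1", {NO_IA_TA_OPTION}, {IA_NA, IA_TA})
    rogue = RelayForward("2001:db8:ffff::1", {NO_IA_TA_OPTION}, {IA_NA, IA_TA})
    print(srv.grant(legit))   # {3}: trusted relay, IA_TA withheld
    print(srv.grant(rogue))   # {3, 4}: untrusted relay, IA_TA still granted
    print(srv.audit)
```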