Re: [mif] New Version Notification for draft-reddy-mif-dhcpv6-precedence-ops-02.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 23 October 2012 09:24 UTC

Message-ID: <50866262.3050500@gmail.com>
Date: Tue, 23 Oct 2012 10:24:50 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
References: <913383AAA69FF945B8F946018B75898A1480EDFA@xmb-rcd-x10.cisco.com> <7E99AA25-66C2-4A4D-B251-0E71F31FBA26@nominum.com> <913383AAA69FF945B8F946018B75898A148124F2@xmb-rcd-x10.cisco.com> <09806E4D-E6BA-431A-9BB4-F59AD64885A7@nominum.com> <913383AAA69FF945B8F946018B75898A14812900@xmb-rcd-x10.cisco.com> <CD611B92-16E5-4836-BF43-DEB9706155CD@nominum.com>
In-Reply-To: <CD611B92-16E5-4836-BF43-DEB9706155CD@nominum.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "mif@ietf.org" <mif@ietf.org>
Subject: Re: [mif] New Version Notification for draft-reddy-mif-dhcpv6-precedence-ops-02.txt

On 21/10/2012 04:01, Ted Lemon wrote:
> On Oct 20, 2012, at 10:55 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> wrote:
>> Yes. In such Managed Networks, SLAAC is disabled and IPv6 addresses are only assigned using a DHCPv6 server. Switches in such environments provide First Hop Security by gleaning DHCP/NDP messages and can make sure hosts are using only the IPv6 addresses assigned by the DHCPv6 server (Source Guard). With the technique in this draft only certain hosts will be permitted assignment of IA_TA, and not other hosts.
> 
> That makes sense—thanks for clarifying!

It makes sense, but the draft doesn't explain that it is only
intended for use in managed networks where the suppression of
privacy is considered acceptable. I think this needs to be stated
in the Introduction, and the issue of (loss of) privacy needs to
be discussed in the Security Considerations.

How will users know that temporary addressing has been disabled?

Is there a risk of a rogue DHCPv6 relay switching off temporary
addressing for hosts that really need it?

Also, in the section

> 3.2.1.  Avoiding Excessive IP-Based Authentication

it says:

>                      When Address-based authentication is used, re-
>    authentication occurs for each address obtained by the host, which
>    can create a lot of authentication transactions.  To reduce this
>    chatter,

This doesn't convince me that the proposed feature is solving a real
problem. "A lot of" and "chatter" are vague terms. Can you add something
to suggest what size of a network would have a real performance problem
as a result?

Regards
   Brian Carpenter
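The quoted paragraph above describes switches gleaning DHCPv6 messages to build a Source Guard table, so that a host may only send from addresses the server actually leased to it, and the draft's point that only some hosts receive IA_TA (temporary) leases. The following is an added example, not code from the draft, the thread or any switch vendor: a minimal parser for the IA_NA, IA_TA and IAADDR options of a DHCPv6 REPLY (RFC 3315 wire format) feeding a toy per-port binding table. The port names, transaction IDs, addresses and lifetimes are constructed sample data, and the binding table is keyed on port only; a real implementation also keys on MAC/VLAN and ages bindings out with the lease lifetimes.

```python
"""Toy DHCPv6 Source Guard: glean leased addresses from REPLYs, filter by port.

Added example (not the draft's or a vendor's code). Wire format follows
RFC 3315: msg-type(1) xid(3) options*; option = code(2) len(2) data.
"""
import ipaddress
import struct

MSG_REPLY = 7
OPT_IA_NA = 3     # non-temporary address container: IAID, T1, T2, sub-options
OPT_IA_TA = 4     # temporary address container: IAID, sub-options
OPT_IAADDR = 5    # address(16) preferred(4) valid(4) sub-options


def parse_options(data):
    """Yield (code, payload) pairs for a run of DHCPv6 options."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated option %d" % code)
        yield code, data[off:off + length]
        off += length
    if off != len(data):
        raise ValueError("trailing bytes in option block")


def leased_addresses(reply):
    """Return {'IA_NA': [...], 'IA_TA': [...]} of addresses a REPLY grants."""
    if len(reply) < 4 or reply[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 REPLY")
    out = {"IA_NA": [], "IA_TA": []}
    for code, body in parse_options(reply[4:]):
        if code == OPT_IA_NA:
            kind, sub = "IA_NA", body[12:]   # skip IAID, T1, T2
        elif code == OPT_IA_TA:
            kind, sub = "IA_TA", body[4:]    # skip IAID only
        else:
            continue
        for scode, sbody in parse_options(sub):
            if scode == OPT_IAADDR and len(sbody) >= 24:
                addr = ipaddress.IPv6Address(sbody[:16])
                valid = struct.unpack_from("!I", sbody, 20)[0]
                if valid > 0:   # valid-lifetime 0 withdraws, not grants
                    out[kind].append(str(addr))
    return out


# --- builders for constructed sample messages -------------------------------
def build_option(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload


def build_iaaddr(addr, preferred=3600, valid=7200):
    packed = ipaddress.IPv6Address(addr).packed
    return build_option(OPT_IAADDR, packed + struct.pack("!II", preferred, valid))


def build_reply(xid, na_addrs=(), ta_addrs=()):
    body = bytes([MSG_REPLY]) + xid.to_bytes(3, "big")
    if na_addrs:
        sub = b"".join(build_iaaddr(a) for a in na_addrs)
        body += build_option(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + sub)
    if ta_addrs:
        sub = b"".join(build_iaaddr(a) for a in ta_addrs)
        body += build_option(OPT_IA_TA, struct.pack("!I", 2) + sub)
    return body


class SourceGuard:
    """Per-port set of permitted IPv6 sources, gleaned from server REPLYs."""

    def __init__(self):
        self.bindings = {}

    def glean_reply(self, port, reply):
        leases = leased_addresses(reply)
        allowed = self.bindings.setdefault(port, set())
        allowed.update(leases["IA_NA"] + leases["IA_TA"])
        return leases

    def permit(self, port, src):
        """True if a frame with IPv6 source `src` may enter on `port`."""
        return str(ipaddress.IPv6Address(src)) in self.bindings.get(port, set())


def demo():
    """Constructed scenario: port 1 host gets IA_NA only, port 2 host also IA_TA."""
    guard = SourceGuard()
    guard.glean_reply("Gi1/0/1", build_reply(0x0A0B0C, na_addrs=["2001:db8:1::10"]))
    guard.glean_reply("Gi1/0/2", build_reply(0x0A0B0D, na_addrs=["2001:db8:1::20"],
                                              ta_addrs=["2001:db8:1:0:8c7a:1f2e:aa:1"]))
    return {
        "port1_na_ok": guard.permit("Gi1/0/1", "2001:db8:1::10"),
        "port1_spoof_dropped": not guard.permit("Gi1/0/1", "2001:db8:1::20"),
        "port2_ta_ok": guard.permit("Gi1/0/2", "2001:db8:1:0:8c7a:1f2e:aa:1"),
        "port2_slaac_dropped": not guard.permit("Gi1/0/2", "2001:db8:1:0:1234:5678:9abc:def0"),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter for the discussion in the thread: a SLAAC-derived source on port 2 is dropped because it never appeared in a REPLY, which is the enforcement the quoted paragraph relies on, and whether a host may use temporary addresses at all is visible from which REPLYs carry an IA_TA with a non-zero valid-lifetime, which is exactly the state a user has no direct way to observe unless the client reports it.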