[mif] Comments on draft-ietf-mif-mpvd-dhcp-support-01
Steven Barth <cyrus@openwrt.org> Tue, 21 July 2015 19:57 UTC
Return-Path: <cyrus@openwrt.org>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD2D51B2CC7 for <mif@ietfa.amsl.com>; Tue, 21 Jul 2015 12:57:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31KBffkMdXQG for <mif@ietfa.amsl.com>; Tue, 21 Jul 2015 12:57:01 -0700 (PDT)
Received: from mail.core-networks.de (mail.core-networks.de [IPv6:2001:1bc0:d::4:9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1BA71B2B75 for <mif@ietf.org>; Tue, 21 Jul 2015 12:57:01 -0700 (PDT)
Received: from localhost ([127.0.0.1]) by mail.core-networks.de id 1ZHdeu-0000oG-8y with ESMTPSA (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) for mif@ietf.org; Tue, 21 Jul 2015 21:57:00 +0200
From: Steven Barth <cyrus@openwrt.org>
To: mif@ietf.org
Message-ID: <55AEA40C.4090909@openwrt.org>
Date: Tue, 21 Jul 2015 21:57:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/mif/bcfrumt2vd-YU2lUL-IKSWSqt0c>
Subject: [mif] Comments on draft-ietf-mif-mpvd-dhcp-support-01
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mif/>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 19:57:03 -0000
Hi everyone, as promised few comments on the DHCPv6 support draft. This is based on roughly reading it 1-2 times and not meant to be conclusive in any way. Also I'm not a dhc expert, though I have implemented a DHCPv6 client, server and relay myself. 3 SHOULD contain exactly one still allows more than one PVD_AUTH vs. "MUST be the last option inside PVD" in 5 5 refers to RFC3791 in key-hash and digital-signature options but 3791 is not part of references. 6 specifies that ANY options may be encapsulated. This is awkward, e.g., what would be the meaning of e.g. a Status or a Reconfigure-Accept option within that container, more general what happens to options explicitly defined to be on some level and / or having a specific meaning there? Also where may your container option be present? Only on the top-level? Also inside IA_NA/IA_PD? Inside IAAddr / IAPrefix? Also in which DHCPv6 messages may your container appear? 7.1 merely specifies to send ORO etc. in SOLICIT, but not in REQUEST, RENEW etc. whereas 7.3 says OPTION_PVD must not be sent if ORO is absent in request 8 mentions the use of timestamps to avoid replay attacks, though DHCPv6 is usually used to bootstrap network connectivity and thus at this point devices (especially embedded ones) may not have an accurate wallclock yet. This is especially interesting since DHCPv6 itself may carry NTP server addresses to use. Some additional stuff related to routers forwarding this kind of information from to clients (e.g. your coffee shop example in 8). In general this should applies to CPEs, as specified in RFC 7084, especially if they themselves got the information using DHCPv6 from an ISP, but not necessarily. Again disclaimer: this list is not conclusive: Since you don't restrict options inside your container, it may originally contain options e.g. FQDN which may only be directed at the specific receiving router but not hosts behind it (e.g. the hotspot got the PVD TLVs via DHCPV6 itself). Furthermore the container may contain options which are specified to not be sent to clients unless explicitly asked for in an ORO. In both instances the "coffee shop router" would need to dynamically remove options from the container which will inevitably invalidate the signature of the container. Also given the "coffee shop router" is supposed to hand out addresses from different PVDs and "tag" them appropriately: How is it supposed to do that with just a container which SHOULD contain a signature? It certainly cannot place IAAddrs or IAPrefixes inside containers since it doesn't have the key (there are more and even more severe issues with trying to use containers for IA_Xs or IAAdress / IAPrefix but I will skip them for the sake of simplicity for now). Also, if a hotspot / CER / etc. asks (e.g. an ISP) for PVD information that does not necessarily mean that all the hosts behind said router will understand PVD information so that router requires that it also gets "legacy" information for "legacy" hosts being not PVD-aware OR it needs some guidance to construct that information from data within the PVD containers it got. Cheers, Steven
- [mif] Comments on draft-ietf-mif-mpvd-dhcp-suppor… Steven Barth
- Re: [mif] Comments on draft-ietf-mif-mpvd-dhcp-su… Suresh Krishnan
- Re: [mif] Comments on draft-ietf-mif-mpvd-dhcp-su… Steven Barth
- Re: [mif] Comments on draft-ietf-mif-mpvd-dhcp-su… Behcet Sarikaya