[mif] Subject: Comments on draft-ietf-mif-mpvd-dhcp-support-01
Hui Deng <denghui02@hotmail.com> Wed, 22 July 2015 07:13 UTC
Return-Path: <denghui02@hotmail.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CC931ACE2A for <mif@ietfa.amsl.com>; Wed, 22 Jul 2015 00:13:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.841
X-Spam-Level: *
X-Spam-Status: No, score=1.841 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_37=0.6, J_CHICKENPOX_42=0.6, J_CHICKENPOX_54=0.6, J_CHICKENPOX_81=0.6, J_CHICKENPOX_82=0.6, J_CHICKENPOX_84=0.6, J_CHICKENPOX_92=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8y1rL2AfJnu for <mif@ietfa.amsl.com>; Wed, 22 Jul 2015 00:13:42 -0700 (PDT)
Received: from COL004-OMC2S17.hotmail.com (col004-omc2s17.hotmail.com [65.55.34.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31FBF1ACE25 for <mif@ietf.org>; Wed, 22 Jul 2015 00:13:42 -0700 (PDT)
Received: from COL125-W43 ([65.55.34.72]) by COL004-OMC2S17.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Wed, 22 Jul 2015 00:13:41 -0700
X-TMN: [PfSkjsoDDNchnwpniLroux/mdVwerPiJ]
X-Originating-Email: [denghui02@hotmail.com]
Message-ID: <COL125-W436833B2B6FAD013C45D6DB1830@phx.gbl>
Content-Type: multipart/alternative; boundary="_2957eb25-9117-4ce1-a405-b65e9e159b19_"
From: Hui Deng <denghui02@hotmail.com>
To: "mif@ietf.org" <mif@ietf.org>, "cyrus@openwrt.org" <cyrus@openwrt.org>
Date: Wed, 22 Jul 2015 15:13:41 +0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 22 Jul 2015 07:13:41.0472 (UTC) FILETIME=[F02C8600:01D0C44D]
Archived-At: <http://mailarchive.ietf.org/arch/msg/mif/uzcxnpwr0kz86x5Nd_MvQgzq4o0>
Subject: [mif] Subject: Comments on draft-ietf-mif-mpvd-dhcp-support-01
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mif/>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 07:13:44 -0000
Hello all, Steven sent this, by some chance, it was not shown up in our list, so I cc here From: Steven Barth <cyrus@openwrt.org>To: mif@ietf.orgCc: Date: Tue, 21 Jul 2015 21:55:49 +0200Subject: Comments on draft-ietf-mif-mpvd-dhcp-support-01Hi everyone,as promised few comments on the DHCPv6 support draft. This is based on roughlyreading it 1-2 times and not meant to be conclusive in any way. Also I'm not adhc expert, though I have implemented a DHCPv6 client, server and relay myself.3 SHOULD contain exactly one still allows more than one PVD_AUTH vs."MUST be the last option inside PVD" in 55 refers to RFC3791 in key-hash and digital-signature options but 3791 isnot part of references.6 specifies that ANY options may be encapsulated. This is awkward, e.g., whatwould be the meaning of e.g. a Status or a Reconfigure-Accept option withinthat container, more general what happens to options explicitly defined to beon some level and / or having a specific meaning there?Also where may your container option be present? Only on the top-level?Also inside IA_NA/IA_PD? Inside IAAddr / IAPrefix?Also in which DHCPv6 messages may your container appear?7.1 merely specifies to send ORO etc. in SOLICIT, but not in REQUEST, RENEW etc.whereas 7.3 says OPTION_PVD must not be sent if ORO is absent in request8 mentions the use of timestamps to avoid replay attacks, though DHCPv6 is usuallyused to bootstrap network connectivity and thus at this point devices (especiallyembedded ones) may not have an accurate wallclock yet. This is especially interestingsince DHCPv6 itself may carry NTP server addresses to use.Some additional stuff related to routers forwarding this kind of information fromto clients (e.g. your coffee shop example in 8). In general this should applies to CPEs,as specified in RFC 7084, especially if they themselves got the information usingDHCPv6 from an ISP, but not necessarily. Again disclaimer: this list is not conclusive:Since you don't restrict options inside your container, it may originally contain optionse.g. FQDN which may only be directed at the specific receiving router but not hosts behindit (e.g. the hotspot got the PVD TLVs via DHCPV6 itself). Furthermore the container maycontain options which are specified to not be sent to clients unless explicitly asked forin an ORO. In both instances the "coffee shop router" would need to dynamically removeoptions from the container which will inevitably invalidate the signature of the container.Also given the "coffee shop router" is supposed to hand out addresses from different PVDsand "tag" them appropriately: How is it supposed to do that with just a container whichSHOULD contain a signature?It certainly cannot place IAAddrs or IAPrefixes inside containers since it doesn't havethe key (there are more and even more severe issues with trying to use containers for IA_Xsor IAAdress / IAPrefix but I will skip them for the sake of simplicity for now).Also, if a hotspot / CER / etc. asks (e.g. an ISP) for PVD information that doesnot necessarily mean that all the hosts behind said router will understand PVD informationso that router requires that it also gets "legacy" information for "legacy" hosts beingnot PVD-aware OR it needs some guidance to construct that information from data withinthe PVD containers it got.Cheers,Steven