Re: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

"Guang Yao" <yaoguang@cernet.edu.cn> Tue, 01 April 2014 07:28 UTC

From: Guang Yao <yaoguang@cernet.edu.cn>
To: 'Leaf Yeh' <leaf.yeh.sdo@gmail.com>
References: <20140331054839.12951.1562.idtracker@ietfa.amsl.com> <533a1b73.0382440a.6009.ffffb32a@mx.google.com>
In-Reply-To: <533a1b73.0382440a.6009.ffffb32a@mx.google.com>
Date: Tue, 01 Apr 2014 15:27:47 +0800
Message-ID: <000501cf4d7b$e18af450$a4a0dcf0$@cernet.edu.cn>
Archived-At: http://mailarchive.ietf.org/arch/msg/savi/BpDe_uSNJOCjfnt0AvuNDsYzgJs
Cc: savi@ietf.org, 'Ted Lemon' <ted.lemon@nominum.com>
Subject: Re: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

Hi Leaf,

Thank you very much for these comments! The replies are as follows.

1. Q19. I am not sure of the reason why there is a new link between SAVI Device
C and SAVI Device B in Fig. 1. The relation between SAVI Device A and
SAVI Device B looks more like the case described in Fig. 1 of the SAVI architecture
(RFC 7039).

R19:
We found there was no direct link between SAVI devices in the figure, so we added a new
link to illustrate this situation.


2. Q20. As to DHCP-Trust Attribute,
in section 4.2.2, <quote>
The "DHCP-Trust Attribute" indicates the DHCP Server-Client messages
   from the corresponding attachment is trustable.
...
</quote>
and in section 4.3.2, <quote>
   (5)  Configure DHCP-Trust attribute on the direct attachments of
        trusted DHCP relays/servers.
...
DHCP-Trust
   attribute is only configured on the inside links of the perimeter.
   Only DHCP server-client messages originated in the perimeter is
   trusted.
</quote>


When the port of a SAVI switch connected to the trusted DHCP relays/servers
(in the SAVI perimeter) is configured with the DHCP-Trust attribute, how about
data packet forwarding when a packet is received on this port? I guess the switch
will forward the packet as normal without checking, right? Maybe you need
a statement on this case in section 8.1?

R20:
Thank you for this comment.
Since DHCP relays and servers are only supposed to send DHCP messages, data
packets are not expected from them. If they also send data packets, their
roles have changed. How to process the data packet depends on the role
which sends the data packet.
We will specify this point in the revision.
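The point behind R20 is that the DHCP-Trust attribute only governs DHCP server-client messages; what the switch does with a data packet is decided by the role (attribute set) configured on the attachment it arrived on. The following toy model is an added example, not code from the draft, the SAVI working group, or either correspondent. It models a SAVI switch that learns (anchor, address) bindings from a DHCP request/reply pair, trusts server replies only from DHCP-Trust attachments, and checks data packets against the bindings only on attachments that carry a validating attribute. The names `Attr.VALIDATING`, `Packet`, `SaviSwitch`, `run_scenario`, the port names and the addresses are all assumptions constructed for the example; the behaviour for an attachment without the validating attribute (forward unchecked) is likewise an assumption of this model.

```python
"""Toy SAVI-DHCP data plane (added example; not the draft's own code).

Models the two points from the thread: DHCP server messages are trusted only
when they arrive on a DHCP-Trust attachment, and the DHCP-Trust attribute says
nothing about data packets, whose handling depends on the attachment's role.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Attr(Enum):
    """Attachment attributes. DHCP_TRUST is the attribute quoted in the thread;
    VALIDATING is an assumed name for a host-facing attachment whose data
    packets are checked against the binding table."""
    VALIDATING = auto()
    DHCP_TRUST = auto()


@dataclass
class Packet:
    anchor: str                        # binding anchor = switch port the packet arrived on
    src_ip: str
    kind: str                          # "DATA", "DHCP_CLIENT" (DISCOVER/REQUEST) or "DHCP_SERVER" (OFFER/ACK)
    xid: Optional[int] = None          # DHCP transaction id, ties a server reply to the client's request
    assigned_ip: Optional[str] = None  # address handed out by a DHCP_SERVER message


@dataclass
class SaviSwitch:
    attrs: dict                                                   # port -> set[Attr]
    bindings: set = field(default_factory=set)                    # (anchor, ip) learned from DHCP
    pending: dict = field(default_factory=dict)                   # xid -> anchor of the requesting client

    def process(self, pkt: Packet):
        """Return ("FORWARD" | "DROP", reason) for one ingress packet."""
        a = self.attrs.get(pkt.anchor, set())

        if pkt.kind == "DHCP_CLIENT":
            # Remember which anchor asked, so the server's answer can be bound to it.
            self.pending[pkt.xid] = pkt.anchor
            return "FORWARD", "DHCP client message relayed"

        if pkt.kind == "DHCP_SERVER":
            # Quoted draft text: only server-client messages originating inside the
            # perimeter (DHCP-Trust attachments) are trusted. Anything else is treated
            # as a rogue server and must not create a binding.
            if Attr.DHCP_TRUST not in a:
                return "DROP", "DHCP server message from attachment without DHCP-Trust"
            client_anchor = self.pending.pop(pkt.xid, None)
            if client_anchor is None:
                return "FORWARD", "DHCP server message with no matching request; no binding"
            self.bindings.add((client_anchor, pkt.assigned_ip))
            return "FORWARD", "binding (%s, %s) set up" % (client_anchor, pkt.assigned_ip)

        # Data packet. DHCP-Trust says nothing about data packets (R20): the outcome
        # depends on the role configured on the attachment the packet arrived on.
        if Attr.VALIDATING in a:
            if (pkt.anchor, pkt.src_ip) in self.bindings:
                return "FORWARD", "source matches binding"
            return "DROP", "source has no binding on this anchor"
        # Assumption of this model: an attachment without VALIDATING is not filtered.
        return "FORWARD", "attachment is not validating; not checked"


def run_scenario():
    """Constructed traffic: one legitimate lease, one spoof, one rogue server.
    Returns (list of decisions, binding table)."""
    sw = SaviSwitch(attrs={
        "p1": {Attr.VALIDATING},       # host port
        "p2": {Attr.VALIDATING},       # another host port
        "p_srv": {Attr.DHCP_TRUST},    # port toward the trusted DHCP server / relay
    })
    traffic = [
        Packet("p1", "0.0.0.0", "DHCP_CLIENT", xid=0x1001),
        Packet("p_srv", "10.0.0.1", "DHCP_SERVER", xid=0x1001, assigned_ip="10.0.0.5"),
        Packet("p1", "10.0.0.5", "DATA"),       # legitimate: matches the learned binding
        Packet("p2", "10.0.0.5", "DATA"),       # p1's address used from p2: spoof
        Packet("p1", "10.0.0.7", "DATA"),       # address never leased on p1
        Packet("p2", "10.0.0.99", "DHCP_SERVER", xid=0x1001, assigned_ip="10.0.0.9"),  # rogue server
        Packet("p_srv", "10.0.0.1", "DATA"),    # data packet from the DHCP-Trust port
    ]
    decisions = [sw.process(p)[0] for p in traffic]
    return decisions, sw.bindings


if __name__ == "__main__":
    for d in run_scenario()[0]:
        print(d)
```

The last packet is the case Leaf asks about: it is forwarded here not because of DHCP-Trust but because the port has no validating role in this configuration; giving `p_srv` the validating attribute as well would make the same packet fall through to the binding check and be dropped.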

-----Original Message-----
From: Leaf Yeh [mailto:leaf.yeh.sdo@gmail.com] 
Sent: Tuesday, April 01, 2014 9:51 AM
To: 'Guang Yao'
Cc: savi@ietf.org; 'Jun Bi'; 'Ted Lemon'
Subject: RE: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

Hi Guang,

Q19. I am not sure of the reason why there is a new link between SAVI Device C
and SAVI Device B in Fig. 1. The relation between SAVI Device A and
SAVI Device B looks more like the case described in Fig. 1 of the SAVI architecture
(RFC 7039).


Q20. As to DHCP-Trust Attribute,
in section 4.2.2, <quote>
The "DHCP-Trust Attribute" indicates the DHCP Server-Client messages
   from the corresponding attachment is trustable.
...
</quote>
and in section 4.3.2, <quote>
   (5)  Configure DHCP-Trust attribute on the direct attachments of
        trusted DHCP relays/servers.
...
DHCP-Trust
   attribute is only configured on the inside links of the perimeter.
   Only DHCP server-client messages originated in the perimeter is
   trusted.
</quote>


When the port of a SAVI switch connected to the trusted DHCP relays/servers
(in the SAVI perimeter) is configured with the DHCP-Trust attribute, how about
data packet forwarding when a packet is received on this port? I guess the switch
will forward the packet as normal without checking, right? Maybe you need
a statement on this case in section 8.1?


Best Regards,
Leaf



-----Original Message-----
From: savi [mailto:savi-bounces@ietf.org] On Behalf Of
internet-drafts@ietf.org
Sent: Monday, March 31, 2014 1:49 PM
To: i-d-announce@ietf.org
Cc: savi@ietf.org
Subject: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Source Address Validation Improvements
Working Group of the IETF.

        Title           : SAVI Solution for DHCP
        Authors         : Jun Bi
                          Jianping Wu
                          Guang Yao
                          Fred Baker
        Filename        : draft-ietf-savi-dhcp-21.txt
        Pages           : 43
        Date            : 2014-03-30

Abstract:
   This document specifies the procedure for creating a binding between
   a DHCPv4/DHCPv6 assigned IP address and a binding anchor on a SAVI
   (Source Address Validation Improvements) device.  The bindings set up
   by this procedure can be used to filter out packets with forged
   source IP address in DHCP scenario.  This mechanism is proposed as a
   complement to ingress filtering to provide finer-grained source IP
   address validation.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-savi-dhcp/

There's also an htmlized version available at:
http://tools.ietf.org/html/draft-ietf-savi-dhcp-21

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-savi-dhcp-21


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
savi mailing list
savi@ietf.org
https://www.ietf.org/mailman/listinfo/savi