Re: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

"Guang Yao" <yaoguang@cernet.edu.cn> Fri, 04 April 2014 02:48 UTC

To: 'Leaf Yeh' <leaf.yeh.sdo@gmail.com>
Cc: savi@ietf.org, 'Ted Lemon' <ted.lemon@nominum.com>

Dear Leaf,

Thank you for these advanced comments. Our responses are as follows:

1.

Guang - R19: We found there is no direct link between SAVI devices, thus we
add a new link to illustrate this situation.

I guess we could live with the case of 'no direct link between SAVI
devices', just because the connection (i.e. Non-SAVI device) between them
is in the perimeter.

Guang: You are right, such a link is not necessary for real cases. But we
think it will be weird if we state "trust" is mainly used between directly
connected SAVI devices, but there is no such case in the diagram.

 

2.

Guang - R20: Since DHCP relay and server are only supposed to send DHCP
messages, data packets are not expected from them. If they also send data
packets, their roles are changed. How to process the data packet depends on
the role which sends the data packet.

DHCP messages are only a kind of control plane packet.

DHCP-Trust Attribute sounds like it only deactivates the blocking against the
messages from server/relay.

If you let the data packet pass, then you will get a more flexible
application case as follows within the perimeter:



Right? I can't see the negative effect yet when you let the data packet pass
through the trust port of SAVI-switch.

Guang: Indeed, if only DHCP-trust is configured, the data packet will be
forwarded without checking. This point is specified in the doc. Thus, the
current design can survive in your case. However, this case is not secure;
thus, it is not a suggested deployment case.

Best regards,

Guang

 

From: Leaf Yeh [mailto:leaf.yeh.sdo@gmail.com]
Sent: Tuesday, April 01, 2014 5:23 PM
To: 'Guang Yao'
Cc: savi@ietf.org; 'Jun Bi'; 'Ted Lemon'
Subject: RE: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

Guang - R19: We found there is no direct link between SAVI devices, thus we
add a new link to illustrate this situation.

I guess we could live with the case of 'no direct link between SAVI
devices', just because the connection (i.e. Non-SAVI device) between them
is in the perimeter.

Guang - R20: Since DHCP relay and server are only supposed to send DHCP
messages, data packets are not expected from them. If they also send data
packets, their roles are changed. How to process the data packet depends on
the role which sends the data packet.

DHCP messages are only a kind of control plane packet.

DHCP-Trust Attribute sounds like it only deactivates the blocking against the
messages from server/relay.

If you let the data packet pass, then you will get a more flexible
application case as follows within the perimeter:



Right? I can't see the negative effect yet when you let the data packet pass
through the trust port of SAVI-switch.

Best Regards,

Leaf

 

 

 

-----Original Message-----
From: Guang Yao [mailto:yaoguang@cernet.edu.cn]
Sent: Tuesday, April 01, 2014 3:28 PM
To: 'Leaf Yeh'
Cc: savi@ietf.org; 'Jun Bi'; 'Ted Lemon'
Subject: RE: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

Hi Leaf,

Thank you very much for these comments! The replies are as follows.

1. Q19. I am not sure the reason why there is a new link between SAVI Device
C to SAVI Device B in Fig.1. The relation between the SAVI Device A and the
SAVI Device B looks more like the case described in the Fig.1 of SAVI arch.
(RFC7039).

R19:

We found there is no direct link between SAVI devices, thus we add a new
link to illustrate this situation.

2. Q20. As to DHCP-Trust Attribute,

in section 4.2.2, <quote>
   The "DHCP-Trust Attribute" indicates the DHCP Server-Client messages
   from the corresponding attachment is trustable.
   ...
</quote>

, in section 4.3.2 <quote>
   (5)  Configure DHCP-Trust attribute on the direct attachments of
        trusted DHCP relays/servers.
   ...
   DHCP-Trust
   attribute is only configured on the inside links of the perimeter.
   Only DHCP server-client messages originated in the perimeter is
   trusted.
</quote>

When the port of SAVI-switch connected to the trusted DHCP relays/servers
(in the SAVI-perimeter) is configured with the DHCP-Trust attribute, how about
the data packet forwarding when it is received on this port? I guess the switch
will forward the packet as normal without checking, right? Maybe you need
a statement on this case in section 8.1?

R20:

Thank you for this comment.

Since DHCP relay and server are only supposed to send DHCP messages, data
packets are not expected from them. If they also send data packets, their
roles are changed. How to process the data packet depends on the role
which sends the data packet.

We will specify this point in the revision.

 

-----Original Message-----
From: Leaf Yeh [mailto:leaf.yeh.sdo@gmail.com]
Sent: Tuesday, April 01, 2014 9:51 AM
To: 'Guang Yao'
Cc: savi@ietf.org; 'Jun Bi'; 'Ted Lemon'
Subject: RE: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

Hi Guang,

Q19. I am not sure the reason why there is a new link between SAVI Device C
to SAVI Device B in Fig.1. The relation between the SAVI Device A and the
SAVI Device B looks more like the case described in the Fig.1 of SAVI arch.
(RFC7039).

Q20. As to DHCP-Trust Attribute,

in section 4.2.2, <quote>
   The "DHCP-Trust Attribute" indicates the DHCP Server-Client messages
   from the corresponding attachment is trustable.
   ...
</quote>

, in section 4.3.2 <quote>
   (5)  Configure DHCP-Trust attribute on the direct attachments of
        trusted DHCP relays/servers.
   ...
   DHCP-Trust
   attribute is only configured on the inside links of the perimeter.
   Only DHCP server-client messages originated in the perimeter is
   trusted.
</quote>

When the port of SAVI-switch connected to the trusted DHCP relays/servers
(in the SAVI-perimeter) is configured with the DHCP-Trust attribute, how about
the data packet forwarding when it is received on this port? I guess the switch
will forward the packet as normal without checking, right? Maybe you need
a statement on this case in section 8.1?

Best Regards,

Leaf

 

 

 

-----Original Message-----
From: savi [mailto:savi-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
Sent: Monday, March 31, 2014 1:49 PM
To: i-d-announce@ietf.org
Cc: savi@ietf.org
Subject: [savi] I-D Action: draft-ietf-savi-dhcp-21.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Source Address Validation Improvements
Working Group of the IETF.

        Title           : SAVI Solution for DHCP
        Authors         : Jun Bi
                          Jianping Wu
                          Guang Yao
                          Fred Baker
        Filename        : draft-ietf-savi-dhcp-21.txt
        Pages           : 43
        Date            : 2014-03-30

Abstract:
   This document specifies the procedure for creating a binding between
   a DHCPv4/DHCPv6 assigned IP address and a binding anchor on a SAVI
   (Source Address Validation Improvements) device.  The bindings set up
   by this procedure can be used to filter out packets with forged
   source IP address in DHCP scenario.  This mechanism is proposed as a
   complement to ingress filtering to provide finer-grained source IP
   address validation.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-savi-dhcp/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-savi-dhcp-21

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-savi-dhcp-21

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
savi mailing list
savi@ietf.org
https://www.ietf.org/mailman/listinfo/savi