Re: [savi] Some findings in the darft-ietf-savi-dhcp-20

["Guang Yao" <yaoguang@cernet.edu.cn>]

Dear Leaf,

Thank you very much for the quick review!

Our responses are as follows:

1. Leaf - As to Fig.1, question for clarification : It sounds to set up a filter (as the requirement of DHCP-Trust Attribute) inside the SAVI-perimeter. I guess if the Relay or Server B is directly connected to SAVI Device and outside the SAVI-perimeter, we still need to set up DHCP-Trust Attribute for the port of SAVI Device A and B, right? If yes, does it means the Fig.1 can let the Relay or Server B outside the SAVI-perimeter?
Guang - R2.2: ...Indeed, there is no problem if letting the Relay or Server B outside the perimeter. In fact, in the ealier versions, they are outside the perimeter. However, in recent versions, we decide to include them into the perimeter. 

The above decision sounds you make that Relay is the for the connection with the upstream network.

Guang:
Thank you for this comment.
 Exactly. The strength of the binding based security is actually very weak. Especially, if the DHCP messages are untrustable, the bindings will be meaningless. Thus, We prefer the security mechanism enforced between DHCP relay and server, if we cannot completely trust traffic from upstream.


2. Guang - On one hand, it is used to distinguish the DHCP server A(which is outside the perimeter) and the DHCP server B/Relay. On the other hand, we think the perimeter should be used to separating the trusted area and the untrusted area. The Relay and Server B should be trusted, and they are actually the sources of trust. 


But you still need DHCP-Trust Attribute for them. It seem DHCP-Trust Attribute make them to be trust. How about if we just trust the Relay and Server B in the SAVI-perimeter without the additional permission, because they are connected to the Trust Port, (which was introduced by RFC662.)

Guang: 
Thank you for this comment.

Trust: both data packet and control packet are trusted;
DHCP-Trust: only control packet is trusted.

Actually it is proper to configure Trust on the port of Relay and server B, if we also trust the data packet from them. In the scenario, the relay and server B are supposed to only send control packets, thus I think it makes no difference whether DHCP-Trust or trust is used. (Maybe we should specify this point in the doc?)

However, I believe it is necessary to distinguish the two types of trusts.  I think the perimeter is only a deployment suggestion. In practice it is not always possible to enforce savi as the diagram.  For example, we may choose to configure DHCP-trust and validating on the same port, which is attached by a DHCP server and some hosts through a hub. In such cases, the DHCP server is actually outside the perimeter. The DHCP messages are not fully trustable but we have to make use of them for there are no other ways. 

Besides, I think where to draw the perimeter is actually not a critical problem. It makes no difference whether placing the relay and server inside or outside the perimeter. The savi device works based on port configuration, without knowing the perimeter.


3. Guang - Besides, to confirm with other solutions, perimeter is the place to perform data packet filtering. Thus, only the attach points with validating attribute are on the perimeter.


It make me not quite sure you want to configure Validating attribute for the upstream network, which looks outside of the SAVI-perimeter in Fig.1. 

Per the description in section 4 of RFC7039, <quote>The IP source addresses in packets passing the protection perimeter are validated by the ingress SAVI instance, but no further validation takes place as long as the packets remain within or leave the protection perimeter.</quote>, I suppose it is not necessary to let upstream network outside the SAVI-perimeter.

Guang:
Thank you for this comment.
It's my fault: the upstream port is also on the perimeter.
We choose not to fully trust the traffic from upstream network: both data packet and control packet. Thus, I think it is necessary to keep it outside the perimeter. 
However, if the operator chooses to fully trust packet from upstream networks, he can use a Trust on the corresponding port. Then in concept the upstream network is inside the perimeter.


4. Leaf - What does “SAVI device B is still protected from spoofing from client A” exactly mean? How can SAVI device B protects from spoofing from client A? It sounds a little confused.
Guang - R3:...It means, "SAVI device B can avoid receiving spoofing traffic from client A.".


The above statement sounds SAVI device A can avoid receiving spoofing traffic from client A, then 'SAVI device B can avoid receiving spoofing traffic from client A' because of the SAVI perimeter. I doubt the necessary text of 'SAVI device B is still protected from spoofing from client A' here.

Guang:
Thank you for this comment.
We will revise this sentence.


5. Leaf -4. Question of clarification on the text in section 4.3.2, <quote>(6) Optional: configure filters on the upstream links to filter out spoofing of local addresses from other networks.</quote>...
Guang - R4:...We cannot prevent other networks from spoofing each other. Thus, we can just requre local addresses (addresses assigned to local network) will not be spoofed by the other networks.


Thanks for your explanation here, but that method sounds ingress filtering (or uRPF) to me. Meanwhile, the 'other network' in the definition of 'Upstream link' seems a little vague for me. I guess it is usually we don’t use SAVI-switch to connect to the upstream network, we use a gateway or router. So the (6) of SAVI-DHCP Perimeter Configuration Guideline seems unnecessary. I mean we don't usually use SAVI-switch to form the SAVI-perimeter against the upstream link or network.


Guang:
Thank you for this comment.
We do not require the savi switch to connect to upstream network. Actually, they are connected to the gateway or router. This configuration just specifies how to process the traffic from the gateway or router.


6. Leaf - 5. Question of clarification on the text in the last paragraph of section 4.3.2, <quote> In this way, the points of attachments with Validating attribute (and generally together with attachments of upstream devices) on SAVI devices can form a perimeter separating DHCP clients and trusted devices.</quote> The above sentence sounds SAVI devices always form perimeter for upstream devices. But in general thinking, we always trust devices in the upstream network...
Guang - R5:...We should not trust devices in the upstream network by default unless some other securty mechanisms are enforced.  


Why not if the upstream network is in the SAVI-perimeter?

Guang:
Thank you for this comment.
For SAVI-DHCP, a critical problem is that the DHCP Server-Client messages should be trustable. However, there can be bogus DHCP servers in the upstream network. We should not make assumption that the upstream network is always trustable. Thus, they should not be in the perimeter.


7. Guang - R7.1: ...'A' and 'B' do not stand for any element in the diagram. They just denote some anchor of the clients.


How about replace A to be 'Port_1' in the instance of Fig.3?

Guang:
Thank you for this comment. This is an excellent advice. We will revise the doc accordingly.


8. Leaf - On the other hand, I guess the ‘Creation Time’ of the entry looks like a field in this table per the usage described in the section 9. For the reason of consistency, we also have the field of ‘Creation Time’ in the FCFS-SAVI DataBase (i.e. SAVI-SLAAC DB, section 3.1 of RFC6620).
Guang - R7.2:...It is a good suggestion. ... For the usage in section 9, the system time of the store operation is enough. There is no need to recording the "Creation Time" in binding set up. Besides, adding a new field in the table will introduce too many modifications...


Per the description in section 9, <quote> Binding entries MAY be saved into non-volatile storage whenever a new binding entry changes to BOUND state. ... The time when each binding entry is established is also saved.</quote>, I suppose 'Creation Time' could support this action.

Guang:
Thank you for this comment. Maybe can the  'Creation Time' field only present in the stored table rather than BST?


9. Leaf...though I don’t really like the prefix of ‘EVE_’ here. ☺ The prefix of ‘EVE_’ must stand for Event here, supposed it really means the additional valid check defined in section 6.3.2.
Guang - R8: ...We have changed ‘EVE_DHCP_SOLICIT_RC’ to ‘EVE_DHCP_OPTION_RC'. Yes, ‘EVE_’ stands for Event. We need some terms to denote events to be handled.


I guess the text in the draft will not cause any misunderstanding if you delete the prefix of 'EVE_'. Right?

Guang:
Thank you for this comment. "EVE_" means it is an event instead of a packet. For example, not all " DHCP_OPTION_RC'" will trigger an event.


10. Leaf - In Section 7.1, <quote> Data packets without matching binding entry may trigger this process to set up bindings.</quote> <quote>This process is not intended to set up a binding whenever a data packet without matched binding entry is received.</quote> Does the above 2 sentence sound a little conflict?
Guang - R10: ... "Data packets without matching binding entry _may_ trigger this process to set up bindings." We use a "may" to mean this is probable.


Can I say ' This process is intended to set up a binding whenever a data packet without matched binding entry is received.' ?


Guang:
Thank you for this comment. Strictly, it is not quite proper. Not all the mismatched packet will trigger the process.


11. 
Leaf -13. In Section 7.5.3.2, about ‘IPv6 address’ on page 32, <quote> Send a Neighbor Solicitation message with the target address set to the IP address in the corresponding entry. The Neighbor Solicitation is only sent to the attachment which triggers the binding. If there is no response after DAD_TIMEOUT, send another Neighbor Solicitation.
</quote> Could this additional DAD process be added in Fig.13?
Guang - R12: ... But it is there:...


I am not quite sure it is a good decision to delete this DAD process after EVE_DATA_LEASEQUERY (in the state of RECOVERY). It looks not the same as that DAD after EVE_DATA_UNMATCH (in the state of DETECTION), if you keep the text in section 7.5.2, <quote>The messages MUST NOT be sent to the attachment from which the triggering packet is received.</quote>. The DAD process after EVE_DATA_LEASEQUERY looks that 'The Neighbor Solicitation is only sent to the attachment which triggers the binding.' I personally prefer to combine these 2 DAD process, which means to sent DAD_NS to all the ports of SAVI-switch.

Guang:
Thank you for this comment.
As I can understand, you mean sending DAD to the attachment which triggers the binding after receiving the DHCP leasequery-reply? What is the purpose of this step?
And I'm wondering how to combine the 2 DAD processes since they are performed at different stages?
May you please give a further explanation? Thank you very much!

Best regards,
Guang


-----Original Message-----
From: Guang Yao [mailto:yaoguang@cernet.edu.cn]
Sent: Monday, March 31, 2014 5:33 PM
To: 'Leaf Yeh'; 'Jun Bi'; 'Jun Bi'
Cc: 'Ted Lemon'; savi@ietf.org
Subject: RE: Some findings in the darft-ietf-savi-dhcp-20

Dear Leaf,

Thank you very much for your comments!

Your comments are very important and valuable. We have revised the doc accordingly and submitted a new version. The responses are both at the behind of this mail and in the attachment.

If you have any more comments, please let us know.

Best regards,
Guang

1. In the 1st paragraph of Page 11,
<quote>
For example, in Figure 1, the attachment from the Non-SAVI Device 1 to the SAVI Device B should be configured with no attribute.
</quote>

But in Fig.1, Non-SAVI Device 1 is not directly connected to SAVI Device B. I suppose the draft really means ‘SAVI Device C’ here.
***

R1:
Thank you very much!
We have made some modifications to the scenario diagram. It seems a part of the text is not updated accordingly. We have modified such sentences, including the following one.


2. In the last paragraph of page 11,
<quote>
In Figure 1, the attachment from the DHCP Relay to the SAVI Device B, and the attachment from the DHCP Server B to the SAVI Device B should be configured with this attribute.
</quote> (for DHCP-Trust Attribute)

But in Fig.1, DHCP Relay is not directly connected to SAVI Device B. I suppose the draft really means ‘SAVI Device A’ here.
***

R2.1:
Thanks. We have revised the sentence.

As to Fig.1, question for clarification : It sounds to set up a filter (as the requirement of DHCP-Trust Attribute) inside the SAVI-perimeter. I guess if the Relay or Server B is directly connected to SAVI Device and outside the SAVI-perimeter, we still need to set up DHCP-Trust Attribute for the port of SAVI Device A and B, right? If yes, does it means the Fig.1 can let the Relay or Server B outside the SAVI-perimeter?

R2.2:
Thank you for this comment.
Indeed, there is no problem if letting the Relay or Server B outside the perimeter. In fact, in the ealier versions, they are outside the perimeter.
However, in recent versions, we decide to include them into the perimeter. On one hand, it is used to distinguish the DHCP server A(which is outside the perimeter) and the DHCP server B/Relay. On the other hand, we think the perimeter should be used to separating the trusted area and the untrusted area. The Relay and Server B should be trusted, and they are actually the sources of trust.
Besides, to confirm with other solutions, perimeter is the place to perform data packet filtering. Thus, only the attach points with validating attribute are on the perimeter.

3. Question of clarification on the text in the 3rd paragraph of section 4.3.1, <quote> In this case, SAVI device B doesn’t create a binding for client A. SAVI device A doesn’t create a binding for client B. But the SAVI device B is still protected from spoofing from client A and the SAVI device A is still protected from spoofing from client B.
</quote>

What does “SAVI device B is still protected from spoofing from client A” exactly mean? How can SAVI device B protects from spoofing from client A? It sounds a little confused.

R3:
Thank you for this comment.
It means, "SAVI device B can avoid receiving spoofing traffic from client A.".


4. Question of clarification on the text in section 4.3.2, <quote>
(6) Optional: configure filters on the upstream links to filter out spoofing of local addresses from other networks.
</quote>

Per the definition of ‘Upstream link’ and ‘Downstream link’ in section 3, upstream is for other network (with gateway router), downstream is for local network. I guess the text here might mean ‘filter out spoofing of source addresses from other networks.’

R4:
Thank you for this comment.
We cannot prevent other networks from spoofing each other. Thus, we can just requre local addresses (addresses assigned to local network) will not be spoofed by the other networks.


5. Question of clarification on the text in the last paragraph of section 4.3.2, <quote> In this way, the points of attachments with Validating attribute (and generally together with attachments of upstream devices) on SAVI devices can form a perimeter separating DHCP clients and trusted devices.
</quote>

The above sentence sounds SAVI devices always form perimeter for upstream devices. But in general thinking, we always trust devices in the upstream network. In Fig.1, we should not configure ‘DHCP-Trust attribute’ on the port of SAVI Device C for the Server A through Non-SAVI Device 1, which might means the Client A and Client B can’t get address assignment from Server A of the upstream network. Does the above sounds a little confused?

R5:
Thank you for this comment.
This problem is discussed in section4.3.3 P3.
We should not trust devices in the upstream network by default unless some other securty mechanisms are enforced.  Client A and Client B can get address assignment from Server A indirectly from the Relay.


6. Question of clarification on the text in the last paragraph of section 4.3.2, <quote> DHCP-Trust attribute is only configured on the inside links of the perimeter.
</quote>

The above sentence sounds, even in the SAVI-perimeter, we still need set up filter for some devices, including relay and server. It sounds we couldn’t trust the relay and server in the SAVI-perimeter; and after we configure the DHCP-Trust attribute on the port of the SAVI-device which connect the relay or server, we start to trust them. But in general thinking, we always trust devices in the perimeter, and we don’t need additional SAVI-device to connect some kind of device in the perimeter. Does the above sounds a little confused?

R6: 
Thank you for this comment.
Maybe this comment has been responed by R2.2?

7. Question of clarification on table 3 of BST in section 5:
<quote>
+---------+----------+----------+-----------+-------+
| Anchor | Address | State | Lifetime |TID |
+---------+----------+----------+-----------+-------+
| A | IP_1 | BOUND | 65535 |TID_1 |
+---------+----------+----------+-----------+-------+
| A | IP_2 | BOUND | 10000 |TID_2 |
+---------+----------+----------+-----------+-------+
| B | IP_3 |INIT_BIND | 1 |TID_3 |
+---------+----------+----------+-----------+-------+
</quote> for Binding State Table

It is not quite sure about ‘A’ and ‘B’ in the column of Anchor stands for. Does ‘A’ stands for the Client A? It must not stand for SAVI-Device A. ☺ Per the definition of ‘Binding anchor’ in section 3, the anchor is the link-layer property of Clients. It sound usually be the port of SAVI-device which connect Client A, right?

R7.1:
Thank you for this comment.
'A' and 'B' do not stand for any element in the diagram. They just denote some anchor of the clients.


On the other hand, I guess the ‘Creation Time’ of the entry looks like a field in this table per the usage described in the section 9. For the reason of consistency, we also have the field of ‘Creation Time’ in the FCFS-SAVI DataBase (i.e. SAVI-SLAAC DB, section 3.1 of RFC6620).

R7.2:
Thank you for this comment.
It is a good suggestion. But I think "Creation Time" is not requried in binding set up and traffic filtering. For the usage in section 9, the system time of the store operation is enough. There is no need to recording the "Creation Time" in binding set up. Besides, adding a new field in the table will introduce too many modifications...


8. In section 6.3,
<quote>
EVE_DHCP_OPTION_RC: A DHCPv6 Solicitation message with Rapid Commit option is received.
</quote>

I guess  looks better than ‘EVE_DHCP_OPTION_RC, though I don’t really like the prefix of ‘EVE_’ here. ☺ The prefix of ‘EVE_’ must stand for Event here, supposed it really means the additional valid check defined in section 6.3.2.


R8:
Thank you for this comment.
We have changed ‘EVE_DHCP_SOLICIT_RC’ to ‘EVE_DHCP_OPTION_RC'. Yes, ‘EVE_’ stands for Event. We need some terms to denote events to be handled.


9. For Section 6.4.1, I think we could replace its title ‘From NO_BIND to Other States’ to be ‘From NO_BIND to INIT_BIND’.

R9:
Thank you for this comment.
Well, we find it is alright to make this modification.


10. In Section 6.4.3.2
<quote>
If the message is DHCPv6 Reply, the SAVI device checks each IA Address option in each IA option.
</quote>
<quote>
The related binding entry can be determined based on the address in the IAADDR option in the Leasequery-reply message.
</quote>

I personally like ‘IA Address option’ and ‘IAADDR option’ could written in the same.

R10:
Thank you for this comment.
We have changed them to 'IA Address option'.


11. In Section 7.1,
<quote>
Data packets
without matching binding entry may trigger this process to set up bindings.
</quote>
<quote>
This process is not intended to set up a binding whenever a data packet without matched binding entry is received.
</quote>

Does the above 2 sentence sound a little conflict?

R10:
Thank you for this comment.
"Data packets
without matching binding entry _may_ trigger this process to set up bindings."

We use  a "may" to mean this is probable.


12. For Section 7.5.1, I think we could replace its title ‘From NO_BIND to Other States’ to be ‘From NO_BIND to DETECTION’.

R12:
Thank you for this comment.
Well, we find it is alright to make this modification, too.:)


13. In Section 7.5.3.2, about ‘IPv6 address’ on page 32, <quote> Send a Neighbor Solicitation message with the target address set to the IP address in the corresponding entry. The Neighbor Solicitation is only sent to the attachment which triggers the binding. If there is no response after DAD_TIMEOUT, send another Neighbor Solicitation.
</quote>

Could this additional DAD process be added in Fig.13?

R12:
Thank you for this comment. But it is there:
                               +-------------+
                               |             |
                     /---------|   NO_BIND   |<--------\
                     |  ------>|             |         | TIMEOUT
                     |  |      +-------------+         |(2nd LQ_DELAY)
   EVE_DATA_UNMATCH  |  |                              |
                     |  |                              |
                     |  |                              |
  ***1st DAD_TIMEOUT |  |                              | 1st LQ_DELAY
         /------\    |  |                              |    /---------\
         |      |    |  | EVE_DATA_CONFLICT            |    |         |
         |      v    v  |                              |    v         |
         |    +-------------+        TIMEOUT         +------------+   |
         |    |             | ***(2nd DAD_TIMEOUT)   |            |   |
         \----|  DETECTION  ------------------------>|  RECOVERY  ----/
              |             |                        |            |
              +-------------+                        +------------+
                                      EVE_DATA_LEASEQUERY|
                          /----------\                   |
            EVE_DHCP_RENEW|          |                   |
           EVE_DHCP_REBIND|    +-----v-------+           |
                          |    |             |           |
                          \----|   BOUND     |<----------/
                               |             |
                               +-------------+



14. In Section 7.5.3.2, about ‘IPv6 address’ in page 32, <quote> If there is only one identical response, get the source hardware address from the response. Check if the ’chaddr’ field (hardware address) of the LEASEQUERY-REPLY message matches the source hardware address.
If the two addresses do not match, the following actions will not be performed. If there is more than one response, if any of the source hardware addresses matches the ’chaddr’ field (hardware address) of the LEASEQUERY-REPLY message, the following actions are to be performed.
</quote>

If the LEASEQUERY-REPLY message mentioned here is defined in RFC5007, I supposed we can’t find the ’chaddr’ field in this message.
***

R14:
We are sorry this is a careless copy from IPv4 para. LEASEQUERY-REPLY provides no additional information about the link-layer address or physical address of the client. Thus we remove this para.

15. Section 7.6, just after Fig. 12
<quote>
LQ_DELAY: MAX_LEASEQUERY_DELAY
</quote>

This ‘LQ_DELAY’ looks not a note for Fig. 12, but a note for Fig. 13, right? If yes, should it be placed after Fig. 13?

R15:
Thank you for this comment.
It has been done.

16. Section 14.2,
<quote>
[savi-fcfs]
Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFSSAVI:
First-Come First-Serve Source-Address Validation for Locally Assigned Addresses", RFC 6620, May 2012.
</quote>

I prefer to replace [savi-fcfs] to be [RFC 6620].

R16:
Thank you for this comment.
It has been done.


17. Section 14.2,
<quote>
[savi-framework]
Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed., "Source Address Validation Improvement Framework",
draft-ietf-savi-framework-06 (work in progress), </quote>

I prefer to replace [savi-framework] to be [RFC 7039]. It is not is in the status of ‘work in progress’ any more. ☺

R17:
Thank you for this comment.
It is great!

18. I guess the darft-ietf-savi-dhcp-20 has not support DHCPv6-PD (RFC3633) for SAVI on the delegated prefix by now, right?

R18:
Thank you for this comment.
Actually, DHCPv6-PD is covered in the very early version of this draft. But it is moved to the section 7 of SAVI-Framework.