IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt

Arifumi Matsumoto <arifumi@nttv6.net> Wed, 12 June 2013 09:56 UTC

Return-Path: <n@arifumi.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D740E21F9B99 for <secdir@ietfa.amsl.com>; Wed, 12 Jun 2013 02:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LtdbyP6eF+am for <secdir@ietfa.amsl.com>; Wed, 12 Jun 2013 02:56:02 -0700 (PDT)
Received: from mail-pd0-f182.google.com (mail-pd0-f182.google.com [209.85.192.182]) by ietfa.amsl.com (Postfix) with ESMTP id A74DD21F9BB9 for <secdir@ietf.org>; Wed, 12 Jun 2013 02:56:00 -0700 (PDT)
Received: by mail-pd0-f182.google.com with SMTP id r10so3539903pdi.41 for <secdir@ietf.org>; Wed, 12 Jun 2013 02:56:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=BaKHGQV8C+grSTKKj3+/wM01mix7qgdrXT0c20K+bUU=; b=L5V67m16JNloTjvH80PHlnKBOmc28fzfm8DeNXkPO+Y1O/HoDraVG0ATTG7auNEBT1 Xkc2rZ7uBO4lKdxuHCCwYCAlpvlZPD4P+zmiz7yg/J99AutptmK6F3nEjHeso+ToRrMp kWkC5jQ3h4l33qcVfRnEwaQPFr8rh1AWRkNrDfwFOE3yJko6dVHIT2u+/iNN5QQ2n4QM UcOyF/Zol28k7Xg2ghfib3fPmVO1X/Yk0hVzcMIeiv01txawpY6fyDErg8g7aAEaGhMN SPG+uWs95gVpM+bLyJZcBmQiH/ISs68jhTELtOh5tq1j1lFl5ewXE6fDrDtB3Ai3tKnb SP8Q==
MIME-Version: 1.0
X-Received: by 10.66.160.101 with SMTP id xj5mr23076434pab.5.1371030960255; Wed, 12 Jun 2013 02:56:00 -0700 (PDT)
Sender: n@arifumi.net
Received: by 10.68.194.198 with HTTP; Wed, 12 Jun 2013 02:56:00 -0700 (PDT)
X-Originating-IP: [2001:df0:45:20::61]
In-Reply-To: <e27bbbeef7bc43410bcb85e5ebc1ed07.squirrel@www.trepanning.net>
References: <3dc2e7cf8e11e1928d71c08895be5c68.squirrel@www.trepanning.net> <14984CD7-6EDD-49E6-A3C2-4775E80041AC@employees.org> <fb61afaa7d78273cb257bab766d03bcc.squirrel@www.trepanning.net> <CABTuw1Dag_G2nDt=XsM2EeOvVuUqqRjS_sP6GMsJhdu4-3=KYQ@mail.gmail.com> <e27bbbeef7bc43410bcb85e5ebc1ed07.squirrel@www.trepanning.net>
Date: Wed, 12 Jun 2013 18:56:00 +0900
X-Google-Sender-Auth: 7V5X3qlJLBS7BK67mYr7ydsY4Yo
Message-ID: <CABTuw1DKqJhP4rNKVm8HOqfzsBnrw1Oz600TJve63G8i1Uf15A@mail.gmail.com>
From: Arifumi Matsumoto <arifumi@nttv6.net>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="047d7b6dccf85cbb0e04def2058a"
X-Gm-Message-State: ALoCoQmrqAJaH2FumK/0tYHqw+zMMYkkOHmVLA2QWBB8Kkrg9hPYNTy9AqY4BW/T4kmXf5AKRjgW
Cc: secdir@ietf.org, "draft-ietf-6man-addr-select-opt.all@tools.ietf.org" <draft-ietf-6man-addr-select-opt.all@tools.ietf.org>, draft-ietf-6man-rfc3484bis@tools.ietf.org, Ole Troan <otroan@employees.org>, iesg@ietf.org, Arifumi Matsumoto <arifumi@nttv6.net>
Subject: Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2013 09:56:03 -0000

Dan,

to summarize my statement, a host's behavior will look like:

i) a host is configured to accept A-flag and policy table from network
  a) A-flag in DHCP option is 0 (disable automatic row addition)
    1) DHCP option includes policy table
       host should disable automatic row addition, and use delivered policy
table.
    2) DHCP option does not include policy table
       host should disable automatic row addition. no change on host's
policy table.

  b) A-flag in DHCP option is 1 (no effect on host's A-flag)
    1) DHCP option includes policy table
        host should disable automatic row addition, and use delivered
policy table.
    2) DHCP option does not include policy table
        host does nothing.

ii) a host is configured not to accept A-flag nor policy table from network
        host does nothing.

Hope this helps.

2013/6/12 Dan Harkins <dharkins@lounge.org>

>
>   Hi,
>
> On Tue, June 11, 2013 11:55 pm, Arifumi Matsumoto wrote:
> > Hi,
> >
> > 2013/6/12 Dan Harkins <dharkins@lounge.org>
> >
> >>
> >>   Hi Ole,
> >>
> >> On Tue, June 11, 2013 2:24 am, Ole Troan wrote:
> >> > Dan,
> >> >
> >> > let me chime in as the document shepherd.
> >> > (thank you very much for the thorough comments by the way).
> >> >
> >> >>  For instance, while I think I understand the policy override of RFC
> >> >> 6724, having the Automatic Row Additions Flag be part of the address
> >> >> selection options seems problematic. If it is set to zero, then what
> >> are
> >> >> the semantics of such a message? "Here's an address selection option
> >> >> but don't you dare use it!"? What is the point? Me, as a node, can
> >> have
> >> >> this as part of my policy state which would allow me to ignore such
> >> >> an update but to have the bit be part of the option to update does
> >> >> not seem to make much sense. The semantics of the message needs
> >> >> to be explained much more clearly, or the bit needs to be removed
> >> >> from the message.
> >> >
> >> > my reading of the meaning of the A flag is a little different. (I have
> >> > cc'ed the authors of rfc6724 for confirmation.)
> >> >
> >> > an implementation of RFC6724 may automatically add entries in the
> >> policy
> >> > table based on addresses configured on the node.
> >> > e.g. the node has an interface with a ULA address.
> >> >
> >> > RFC6724 also says:
> >> >    An implementation SHOULD provide a means (the Automatic Row
> >> Additions
> >> > flag) for an administrator to disable
> >> >    automatic row additions.
> >>
> >>   That makes perfect sense. A client implementation SHOULD provide a
> >> means to disable automatic row additions. So it has some knob that can
> >> be turned on or off locally that would allow for update of its policy
> >> table
> >> by receiving policy options (enable) or forbid received policy options
> >> from
> >> updating the policy table (disable).
> >>
> >> > the A-flag in draft-ietf-6man-addr-select-opt provides the means.
> >>
> >>   So this is where I'm confused. The sender of the policy option should
> >> not have the ability to control the knob that an implementation added
> >> locally to satisfy RFC 6724. If a client implementation sets its knob to
> >> "disable" then it forbids policy option updates to its policy table. It
> >> shouldn't inspect the received option update to decide whether it
> >> should override the setting of its local knob.
> >>
> >>   This seems like a security issue to me. There's a reason why an
> >> implementation would choose to disable updates of its policy table
> >> and allowing the sender of policy updates to override that seems
> >> wrong.
> >>
> >
> > In my understanding,
> > - RFC 6724 defines a knob for switching automatic row addition.
> > - addr-select-opt defines a knob for switching whether accepting
> automatic
> > row addition flag delivered or not.
> >
> > and, if the second knob is switched to "accept", then the first knob is
> > overridden by a delivered flag.
>
>   So you're saying that the local knob can be overridden by the bit in
> the message? That begs the question: why would one send a message with
> the "delivered flag" set to "don't accept", meaning "don't accept this
> update"?
> How is that different than omitting this "don't accept" information from
> the
> message in the first place?
>
> > This is common case in moderen user OS settings, such that the DNS server
> > configuration can be
> > switched to automatic(delivered from network), or to locally configured
> to
> > some value.
>
>   But why would the network set an option indicating that the recipient
> should
> not use this configuration"? If the recipient has a knob indicating that
> local
> policy cannot be updated then the bit has no effect and if the recipient
> has a
> knob indicating that the policy can be updated then setting the the bit in
> the
> message should be meaningless.
>
> >>
> >> > it does not affect the policy entries that is contained in the DHCP
> >> > option.
> >> > the A-flag only affects the RFC6724 behaviour of adding entries based
> >> on
> >> > address configuration on the node.
> >>
> >>   Again, according to the draft a message can be received by a client
> >> implementation that provides policy update options to its policy table
> >> with semantics of "you SHOULD NOT use these!" So what is the point
> >> of sending that message? Why not just refrain from sending the message
> >> if that's what the message is?
> >>
> >>   Would you ever tell someone, "disregard what I am about to tell you"?
> >> I
> >> can't see why. And that's what the semantics of this message seem to be.
> >>
> >
> > As I mentioned in the previous e-mail, that I sent 10 June,
> > when this A flag is turned on, the DHCP option should not carry policy
> > table,
> > and a receiver should ignore it, which I have to add some text in the
> rev.
>
>   But why would a server send an address selection option that said, "don't
> use this"? Once again, it makes no sense to have these semantics.
>
>   If you notice, this question seems to be repeated over and over yet I
> have
> not yet received an answer why or an statement that I don't understand
> the semantics of the message. So what is it? Do I not understand (in which
> you should explain exactly why) or is this message meaningless (in which
> case why is it part of your draft)?
>
>   regards,
>
>   Dan.
>
>
>

v2.23.0 | Report a Bug | By Email