Re: [Softwires] Benjamin Kaduk's No Objection on draft-ietf-softwire-map-radius-24: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 14 June 2019 23:54 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: softwires@ietfa.amsl.com
Delivered-To: softwires@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D3F01200C4; Fri, 14 Jun 2019 16:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I5npTMKv2pBm; Fri, 14 Jun 2019 16:54:31 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B57120099; Fri, 14 Jun 2019 16:54:30 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x5ENsNuJ005489 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 14 Jun 2019 19:54:25 -0400
Date: Fri, 14 Jun 2019 18:54:22 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: mohamed.boucadair@orange.com
Cc: The IESG <iesg@ietf.org>, "draft-ietf-softwire-map-radius@ietf.org" <draft-ietf-softwire-map-radius@ietf.org>, Yong Cui <cuiyong@tsinghua.edu.cn>, Ian Farrer <ianfarrer@gmx.com>, "softwire-chairs@ietf.org" <softwire-chairs@ietf.org>, "softwires@ietf.org" <softwires@ietf.org>
Message-ID: <20190614235421.GB52381@kduck.mit.edu>
References: <156039857091.27144.11177820030867633181.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EAA602B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190613235806.GM52381@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EAA6D73@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EAA6D73@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/softwires/Bqso0_dZZYKd0Zw3gdaJMPkDxmw>
Subject: Re: [Softwires] Benjamin Kaduk's No Objection on draft-ietf-softwire-map-radius-24: (with COMMENT)
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/softwires/>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2019 23:54:35 -0000
On Fri, Jun 14, 2019 at 12:15:56PM +0000, mohamed.boucadair@orange.com wrote: > Hi Ben, > > Please see inline. > > Cheers, > Med > > > -----Message d'origine----- > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > > Envoyé : vendredi 14 juin 2019 01:58 > > À : BOUCADAIR Mohamed TGI/OLN > > Cc : The IESG; draft-ietf-softwire-map-radius@ietf.org; Yong Cui; Ian > > Farrer; softwire-chairs@ietf.org; softwires@ietf.org > > Objet : Re: Benjamin Kaduk's No Objection on draft-ietf-softwire-map- > > radius-24: (with COMMENT) > > > > On Thu, Jun 13, 2019 at 07:21:38AM +0000, mohamed.boucadair@orange.com > > wrote: > > > Re-, > > > > > > Thank you for the detailed review. Much appreciated, as usual! > > > > > > Please see inline. > > > > > > Cheers, > > > Med > > > > > > > -----Message d'origine----- > > > > De : Benjamin Kaduk via Datatracker [mailto:noreply@ietf.org] > > > > Envoyé : jeudi 13 juin 2019 06:03 > > > > À : The IESG > > > > Cc : draft-ietf-softwire-map-radius@ietf.org; Yong Cui; Ian Farrer; > > > > softwire-chairs@ietf.org; ianfarrer@gmx.com; softwires@ietf.org > > > > Objet : Benjamin Kaduk's No Objection on draft-ietf-softwire-map- > > radius- > > > > 24: (with COMMENT) > > > > > > > > Benjamin Kaduk has entered the following ballot position for > > > > draft-ietf-softwire-map-radius-24: No Objection > > > > > > > > When responding, please keep the subject line intact and reply to all > > > > email addresses included in the To and CC lines. (Feel free to cut > > this > > > > introductory paragraph, however.) > > > > > > > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > > criteria.html > > > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > > > > > > > The document, along with other ballot positions, can be found here: > > > > https://datatracker.ietf.org/doc/draft-ietf-softwire-map-radius/ > > > > > > > > > > > > > > > > ---------------------------------------------------------------------- > > > > COMMENT: > > > > ---------------------------------------------------------------------- > > > > > > > > It might be worth a brief note somewhere about why attributes of this > > > > sort can be included in Accounting-Request packets > > > > > > [Med] This is already covered by this text: > > > > > > In some deployments, the DHCP server may use the Accounting-Request > > > to report to a AAA server the softwire configuration returned to a > > > requesting host. It is the responsibility of the DHCP server to > > > ensure the consistency of the configuration provided to requesting > > > hosts. Reported data to a AAA server may be required for various > > > operational purposes (e.g., regulatory). > > > > So it is; thanks for pointing it out. (I guess I would have expected to > > see something earlier in the document, but this is up to your discretion.) > > > > > > > > (and, to a lesser > > > > extent, CoA-Request packets). > > > > What about CoA-Request, though? > > > > [Med] Added this NEW text: > > A configuration change (e.g., BR address) may result in an exchange > of CoA-Requests between the BNG and the AAA server as shown in > Figure 3. Concretely, when the BNG receives a CoA-Request message > containing Softwire46 attributes, it sends a DHCPv6 Reconfigure > message to the appropriate CE to inform that CE that an updated > configuration is available. Upon receipt of such message, the CE > sends a DHCPv6 Renew or Information-Request in order to receive the > updated Softwire46 configuration. In deployments where the BNG > embeds a DHCPv6 relay, CoA-Requests can be used following the > procedure specified in [RFC6977]. Thanks! -Ben > > > > Section 1 > > > > > > > > Since IPv4-in-IPv6 softwire configuration information is stored in > > an > > > > AAA server, and user configuration information is mainly > > transmitted > > > > through DHCPv6 between the BNGs and Customer Premises Equipment > > (CEs, > > > > a.k.a., CPE), new RADIUS attributes are needed to propagate the > > > > information from the AAA servers to BNGs. > > > > > > > > nit: maybe "from the AAA servers to BNGs so that they can be > > propagated > > > > to CPE over the existing DHCPv6 options."? > > > > > > > > > > [Med] Updated as follows: > > > > > > "from the AAA servers to BNGs so that they can be provided to CEs using > > the existing DHCPv6 options." > > > > Thanks > > > > > > Section 2 > > > > > > > > Please use the boilerplate text from RFC 8174 (including BCP 14 > > > > mention). > > > > > > > > > > [Med] Added to BCP 14 mention. > > > > > > > Section 3.1 > > > > > > > > The Softwire46-Configuration Attribute conveys the configuration > > > > information for MAP-E, MAP-T, or Lightweight 4over6. The BNG > > > > SHALL use the configuration information returned in the RADIUS > > > > attribute to populate the DHCPv6 Softwire46 Container Option > > > > defined in Section 5 of [RFC7598]. > > > > > > > > nit: "Option(s)" seems more appropriate, since that section defines > > > > separate options for MAP-E and MAP-T. > > > > > > [Med] OK. > > > > > > > > > > > Section 3.1.1.1 > > > > > > > > Just to double-check my understanding: since this is an "attribute", > > > > > > [Med] This is a sub-attribute that appears under Softwire46- > > Configuration. This is discussed in the introduction text of Section > > 3.1.1. > > > > > > > it's a top-level container with the 'type' value bearing universal > > > > semantics for all RADIUS packets, as opposed to a "tlv" that appears > > > > within a given attribute and whose 'type' values only have meaning in > > > > the context of that attribute? But this interpretation doesn't hold > > up > > > > for (e.g.) Section 3.3.3, which defines an "attribute" but uses a > > > > "TLV-Type" that is in the range of values scoped only to the > > structures > > > > defined in this document. > > > > > > > > Section 3.1.3.2 > > > > > > > > There MUST be at least one Softwire46-BR included in each > > > > Softwire46-MAP-E or Softwire46-Lightweight-4over6. > > > > > > > > This seems to be in conflict with Table 2, which says that exactly one > > > > Softwire-BR is included in each MAP-E or Lightweight-4over6 attribute. > > > > > > [Med] Good catch. Updated the table: s/1/1+. > > > > > > > > > > > Section 3.1.6.1 > > > > > > > > This field that specifies the > > > > numeric value for the Softwire46 algorithm's excluded > > > > port range/offset bits (a bits), as per Section 5.1 > > > > of [RFC7597]. Allowed values are between 0 and 15. > > > > > > > > nit: "This field that specifies" is redundant; just "This field > > > > specifies" would be fine. > > > > > > [Med] OK. > > > > > > > > > > > I'm also not sure I understand the range being between 0 and 15, when > > we > > > > previously talk about this being an 8-bit value ("right justified"). > > > > > > [Med] We used to have a 8-bit field that we then updated to 32-bit to be > > aligned with radext reco. Fixed. > > > > > > > > > > > Section 3.1.6.3 > > > > > > > > This format seems needlessly confusing. We encode as an integer (32- > > bit > > > > unsigned), but then state that this 32-bit integer contains a 16-bit > > > > value, right justified. And then we only interpret the f irst 'k' > > bits > > > > on the left of the 16-bit value. Isn't there a simpler way to encode > > a > > > > 'k' bit value in a 32-bit field? > > > > > > [Med] We used to have a 16-bit field but changed it to 32-bit to be > > aligned with RFC6158. The proposed approach is straightforward for > > extracting the psid bits. > > > > > > > > > > > Section 3.2 > > > > > > > > Softwire46 mechanisms are prioritized in the appearance > > order > > > > of the in the Softwire46-Priority Attribute. > > > > > > > > Do we want to say explicitly that the first-appearing mechanism is > > most > > > > preferred? > > > > > > [Med] We can. > > > > > > > > > > > Section 3.3.1 > > > > > > > > TLV-Length > > > > 16 octets. The length of asm-prefix64 must be to 96 [RFC8115]. > > > > > > > > nit(?): I can't parse the grammar here -- what does "must be to" mean? > > > > (Same question for following section.) > > > > > > [Med] Updated to: "The length of asm-prefix64 must be /96 [RFC8115]." > > > > > > > > > > > Please expand "ASM" on first use. > > > > > > [Med] Done. > > > > > > > > > > > Section 4 > > > > > > > > 1. The CE creates a DHCPv6 Solicit message. For unicast softwire > > > > configuration, the message includes an OPTION_REQUEST_OPTION > > (6) > > > > with the Softwire46 Container option codes as defined in > > > > [RFC7598]. [...] > > > > > > > > nit: with all of them (the Softwire46 Container option codes)? > > > > > > [Med] Not all of them because some mechanisms may not be supported. I > > updated the text to: > > > > > > " Softwire46 Container option code(s)" > > > > > > > > > > > 2. On receipt of the Solicit message, the BNG constructs a RADIUS > > > > Access-Request message containing a User-Name Attribute (1) > > > > (containing either a CE MAC address, interface-id or both), a > > > > User-Password Attribute (2) (with a pre-configured shared > > > > password as defined in [RFC2865]. The Softwire46-Configuration > > > > Attribute and/or Softwire46-Multicast Attribute are also > > included > > > > (as requested by the client). The resulting message is sent to > > > > the AAA server. > > > > > > > > Perhaps clarify whether the shared password is shared between BNG/AAA > > > > server, or CE/AAA server? > > > > > > [Med] Updated with an explicit mention of CE-AAA server. > > > > Thanks! > > > > > > > > > > 6. The BNG sends a Reply message to the client containing the > > > > softwire container options enumerated in the ORO. > > > > > > > > nit: maybe "DHCPv6 Reply" to match the "DHCPv6 Request" in step (5)? > > > > > > [Med] Fixed. > > > > > > > > > > > The authorization operation could also be done independently, after > > > > the authentication process. In this case, steps 1-5 are completed > > as > > > > above, then the following steps are performed: > > > > > > > > nit: "authorization" or "authorize" do not appear in the previous > > > > procedure anywhere; it would be rhetorically more clear what this > > > > statement refers to if there was explicit mention in the prior > > > > procedure. > > > > > > [Med] Will double check this one. > > > > > > > > > > > o In both the configuration message flows described above the > > > > Message-authenticator (type 80) [RFC2869] SHOULD be used to > > > > protect both Access-Request and Access-Accept messages. > > > > > > > > Why is this SHOULD and not MUST? Maybe an example of when it would > > not > > > > be needed would be helpful? > > > > > > [Med] The set of requirements are deployment-oriented. I already changed > > my local copy to avoid the use of normative language. This applies also > > for the following comments. > > > > Okay > > > > > > nit: Message-Authenticator has two capital letters. > > > [Med] Fixed. > > > > > > > > > > > o As specified in [RFC8415], Section 18.2.5, "Creation and > > > > Transmission of Rebind Messages", if the DHCPv6 server to which > > > > the DHCPv6 Renew message was sent at time T1 has not responded > > by > > > > time T2, the CE (DHCPv6 client) SHOULD enter the Rebind state > > and > > > > attempt to contact any available server. In this situation, a > > > > > > > > This seems to just be restating the requiremnets from RFC 8415, in > > which > > > > case the normative language is not needed... > > > > > > > > secondary BNG receiving the DHCPv6 message MUST initiate a new > > > > Access-Request message towards the AAA server. The secondary > > BNG > > > > includes the Softwire46-Configuration Attribute in this Access- > > > > Request message. > > > > > > > > ... but this MUST does need to use normative language (as it currently > > > > does). > > > > > > > > o For Lightweight 4over6, the subscriber's binding state needs to > > be > > > > synchronized between the clients and the Lightweight AFTR > > > > (lwAFTR)/BR. This can be achieved in two ways: static pre- > > > > > > > > We have not previously talked about the "subscriber"; is there some > > > > realignment of terminology or earlier definition that would help > > clarify > > > > how the subscriber relates to the other entities in play? > > > > > > > > > > [Med] Changed to "CE". > > > > > > > configuration of the bindings on both the AAA server and lwAFTR, > > > > or on-demand whereby the AAA server updates the lwAFTR with the > > > > subscriber's binding state as it is created or deleted. > > > > > > > > (I assume this is done "out of band" from the perspective of this > > > > document.) > > > > > > [Med] Yes. > > > > > > > > > > > Section 6 > > > > > > > > As the secdir reviewer notes, there are a lot of references here. > > > > That's usually good, avoiding duplication of content/etc., but this > > text > > > > seems to claim that there is discussion of known security > > > > vulnerabilities in RADIUS discussed in RFCs 2607, 2865, and 2869, and > > a > > > > quick review of those documents does not find extensive discussion of > > > > such vulnerabilities (and not much in the Security Considerations > > > > section where one might expect to find it). I think that just those > > > > references may not provide a comprehensive picture of the state of > > > > RADIUS (in)security, and so some additional exposition to tie together > > > > what those documents are saying (including Section references as > > > > appropriate), as well as potential other information, would be in > > order. > > > > > > [Med] Will update the text with the exact section references. > > > > > > > I note that there was some fairly recent discussion of the general > > state > > > > of RADIUS security in the IESG processing of > > > > draft-ietf-radext-coa-proxy, along the lines of "it basically boils > > down > > > > to you have to trust your neighbor/contractual arrangement". I do > > *not* > > > > think that the three RFCs from 2000 convey that sentiment well, and so > > > > the following paragraph's statement about targetting deployments with > > a > > > > trust relationship is quite important. Perhaps we can tweak the > > writing > > > > a bit so that these two points tie together more clearly. > > > > > > [Med] Any suggestion to better convey this message? > > > > I'd just add another sentence at the end of the second paragraph: "These > > well-established properties of the RADIUS protocol place some limitations > > on how it can safely be used, since there is some inherent requirement to > > trust the counterparty to not misbehave." and start the third paragraph > > with "Accordingly, [...]". > > > > [Med] Works for me. Updated the text accordingly. > > > > > > > > > It may be worth mentioning earlier (in the Introduction?) that this > > > > document only targets deployments with a trusted relationship between > > > > RADIUS client/server (that can use IPsec/TLS as appropriate). > > > > > > [Med] We can but IMHO this will be redundant. > > > > It's your call. > > > > > > > > > > I am also not entirely sure about the "does not introduce any security > > > > issue other than the ones already identified in RADIUS documents", > > > > though admittedly the additional exposure seems quite minimal. > > > > Specifcally, without these RADIUS attributes, DHCPv6 negotiation of > > > > softwires includes in-band protocol flows conveying softwire > > > > configuration information between DHCP client and BNG, but now that > > > > information flows additionally to the AAA server. The additional > > > > exposure seems minimal, though, since the necessary softwire > > > > configuration information inherently needs to be in *some* central > > > > location, so we're just exchanging one way of configuring the BNG > > ("out > > > > of band") for another (RADIUS). The most notable difference would > > seem > > > > to be that now we have to trust the AAA server to not leak the > > softwire > > > > configuration details (as opposed to whatever central configuration > > > > server would otherwise be used), but since both are rather inherently > > > > trusted roles, there's not in the general case more attack surface to > > > > worry about. > > > > > > [Med] How is this specific to the attributes defined in the document? > > > > It's only specific to the attributes in this document in that it's the > > information content of these attributes getting a slightly different > > exposure. I think I recently suggested on a different document a > > rewording > > like "does not introduce any security issues inherently different from > > those already identified in [other documents]" for a different document, > > if > > you were interested in something like that. > > > > [Med] Ok, thanks. > > > > > > > > > Section 7.3 > > > > > > > > If the registry is to be "Option Codes Permitted in the > > > > Softwire46-Priority Attribute", that seems to imply that there are > > some > > > > option codes *not* permitted. Where are those option codes > > enumerated? > > > > (I would have guessed at > > > > https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6- > > > > parameters.xhtml#dhcpv6-parameters-2 > > > > , but the values don't seem to match up.) Do we need to add a note > > > > somewhere about future allocations of such option codes needing to > > > > decide whether or not they are permitted in the Softwire46-Priority > > > > Attritube? > > > > > > [Med] New (attribute) codes that can be listed will naturally include a > > IANA request to be added to the registry. I'm not sure a note is needed so > > that each new attribute has to declare whether it can be listed or not. > > > > I think my point here is that I'm confused whether this is a registry of > > freshly allocated values or a subset of values allocated elsewhere (and > > thus reusing the numerical value from the other registry). It sounds like > > it's the former, though, so it's just the "Permitted in" in the title that > > confuses me (vs. "for" or similar) ... but looking at the IANA page this > > wording seems to be pretty widespread already, so I don't see any grounds > > to change this one just on my account. > > > > [Med] Thank you for clarifying. I maintained the text as it is. > > > Thanks, > > > > Ben
- [Softwires] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk via Datatracker
- Re: [Softwires] Benjamin Kaduk's No Objection on … mohamed.boucadair
- Re: [Softwires] Benjamin Kaduk's No Objection on … Benjamin Kaduk
- Re: [Softwires] Benjamin Kaduk's No Objection on … mohamed.boucadair
- Re: [Softwires] Benjamin Kaduk's No Objection on … Benjamin Kaduk