Re: [Softwires] [dhcwg] Is tunnelling DHCP multicast messages in 6rd unicast tunnel to BR acceptable for DHCP redundancy?//re: About draft-guo-softwire-6rd-ipv6-config-00
Ted Lemon <Ted.Lemon@nominum.com> Thu, 19 August 2010 15:14 UTC
Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: softwires@core3.amsl.com
Delivered-To: softwires@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BCE13A688C; Thu, 19 Aug 2010 08:14:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.348
X-Spam-Level:
X-Spam-Status: No, score=-106.348 tagged_above=-999 required=5 tests=[AWL=0.251, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W+ca5K6pafJH; Thu, 19 Aug 2010 08:14:53 -0700 (PDT)
Received: from exprod7og121.obsmtp.com (exprod7og121.obsmtp.com [64.18.2.20]) by core3.amsl.com (Postfix) with ESMTP id 6D0473A6893; Thu, 19 Aug 2010 08:14:53 -0700 (PDT)
Received: from source ([64.89.228.229]) (using TLSv1) by exprod7ob121.postini.com ([64.18.6.12]) with SMTP ID DSNKTG1KdTm7m3Z9BGZryrGVIW/kSkE3DIH/@postini.com; Thu, 19 Aug 2010 08:15:28 PDT
Received: from webmail.nominum.com (webmail.nominum.com [64.89.228.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 285821B82D8; Thu, 19 Aug 2010 08:14:58 -0700 (PDT)
Received: from vpna-148.vpn.nominum.com (64.89.227.148) by exchange-01.win.nominum.com (64.89.228.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 19 Aug 2010 08:14:57 -0700
MIME-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <002c01cb3f5f$365ae280$26626e0a@china.huawei.com>
Date: Thu, 19 Aug 2010 11:14:52 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <159275A1-FA26-4A9A-9F54-0506C9C3DD7A@nominum.com>
References: <002c01cb3f5f$365ae280$26626e0a@china.huawei.com>
To: Xu Xiaohu <xuxh@huawei.com>
X-Mailer: Apple Mail (2.1081)
Cc: "softwires@ietf.org" <softwires@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [Softwires] [dhcwg] Is tunnelling DHCP multicast messages in 6rd unicast tunnel to BR acceptable for DHCP redundancy?//re: About draft-guo-softwire-6rd-ipv6-config-00
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2010 15:14:54 -0000
On Aug 19, 2010, at 1:27 AM, Xu Xiaohu wrote: > With multicast, many DHCP authentication mechanisms will not be available > any more, e.g., IPsec mechanism for securing the messages exchanged between > servers and relay agents, and CGA usage for DHCP server authentication. By > the way, is the 6rd domain deemed as a secure network for DHCP message > exchange? I don't see how you would use IPsec for authenticating DHCP from the client--how would the client choose a security association? Hm, okay, maybe that works because the client has the DHCP server's IP address. Still, this doesn't seem to fit the problem very well--the client would have to go around with a long list of server IP addresses and security associations. If CGA authentication is one of the major goals, a solution to this would be for the client to request a unicast response. Servers that don't implement that would respond normally; servers that do implement it would respond via unicast to the client's unicast address, and could sign their response using CGA. The client could also send a CGA-based signature along with the message containing the unicast request--since the CGA address the client would be providing will only work if it belongs to the client, this is useful authentication. > I admit that the DHCP relay agent on the CPE could relay the > information-request message to ALL_SERVERS_OR_RELAY-AGENT_ADDRESS in a 6rd > tunnel towards a 6rd BR, However, is it actually an optimal choice? We have to remember that "optimal" can mean a lot of different things in this context. I agree that in principal what you are proposing is optimal in some cases, but overall, I am concerned that it creates a lot of problems for a very small benefit--thus all the questions.
- [Softwires] Is tunnelling DHCP multicast messages… Xu Xiaohu
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Ted Lemon
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Xu Xiaohu
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Xu Xiaohu
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Ted Lemon
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Xu Xiaohu
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Mark Townsley
- Re: [Softwires] [dhcwg] Is tunnelling DHCP multic… Rémi Després