IETF Logo Mail Archive

Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 05 October 2023 07:11 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7576AC152561 for <v6ops@ietfa.amsl.com>; Thu, 5 Oct 2023 00:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.894
X-Spam-Level:
X-Spam-Status: No, score=-6.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RxEEWMamvtf1 for <v6ops@ietfa.amsl.com>; Thu, 5 Oct 2023 00:11:56 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB567C1524DE for <v6ops@ietf.org>; Thu, 5 Oct 2023 00:11:55 -0700 (PDT)
Received: from mscpeml500002.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4S1N5p38V3z6K6gc; Thu, 5 Oct 2023 15:11:42 +0800 (CST)
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml500002.china.huawei.com (7.188.26.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Thu, 5 Oct 2023 10:11:53 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2507.031; Thu, 5 Oct 2023 10:11:53 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Paolo Nero <oselists@gmail.com>, Ole Trøan <otroan@employees.org>
CC: Jen Linkova <furry13@gmail.com>, IPv6 Operations <v6ops@ietf.org>
Thread-Topic: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
Thread-Index: Adnz3pAS304OkC4qSGCA09yigaKgsf//05WAgARnLbH///rpcP//2bSA///MOSAALAv+gAAAUCuAAAQ4yAAAA3JyAAAXwEUA//9NYND//si8AP/9jv2A//rnwlA=
Date: Thu, 05 Oct 2023 07:11:53 +0000
Message-ID: <7e4494a1a9fe40d38b7d64be2542f8da@huawei.com>
References: <5b0e0e82cd8844c987a4fbfd26f07135@huawei.com> <05711977-E061-4185-BE97-F6DECED13A59@employees.org> <CALNgcmOwVUtBECuXAF-_+Oss9Y0a1YTBugrEc=BOYHjrBcP4mw@mail.gmail.com>
In-Reply-To: <CALNgcmOwVUtBECuXAF-_+Oss9Y0a1YTBugrEc=BOYHjrBcP4mw@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.199.56.242]
Content-Type: multipart/alternative; boundary="_000_7e4494a1a9fe40d38b7d64be2542f8dahuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/7poECGcxjL3LFdnoMFLHs-tqP1U>
Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2023 07:11:58 -0000

Indeed, snooping could be completely cancelled.
But then the prefix for this link should be big enough to withstand the biggest crowd attacking this WiFi link.
It would need renumbering in many cases.
But then we could have a workaround: the link could have an additional prefix (even with a different size) – clients do not have local communication anyway.

All in all, it would be very similar to ordinary DHCP, where snooping is not needed, and parent prefixes are attached to the link manually.
Ed/
From: Paolo Nero [mailto:oselists@gmail.com]
Sent: Thursday, October 5, 2023 9:50 AM
To: Ole Trøan <otroan@employees.org>
Cc: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Jen Linkova <furry13@gmail.com>; IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02

Why not prescribe/suggest to use a pool from the prefix already routed to the site in the first place? It seems this would be in line with the spirit of the draft, i.e. exploiting the richness of addressing in a /48.

Relays could still fail to see the REPLY then, but you would be guaranteed that at least one of them saw it and the issue would be limited to the "inside" route and not the IGP.

Thanks

Paolo

On Thu, Oct 5, 2023, 08:41 Ole Trøan <otroan@employees.org<mailto:otroan@employees.org>> wrote:
Snooping is indeed tricky.
For PD route injection I don’t think much has happened since:
IPv6 Prefix Delegation routing state maintenance approaches<https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>
datatracker.ietf.org<https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>

[ietf-logo-nor-180.png]<https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>




Any better ideas?

O.


On 5 Oct 2023, at 08:28, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> wrote:

IMHO: Paolo and Pascal are effectively talking (in a different way) that snooping is not reliable mechanism to depend routing on it.
Ed/
From: Paolo Nero [mailto:oselists@gmail.com<mailto:oselists@gmail.com>]
Sent: Thursday, October 5, 2023 1:47 AM
To: Jen Linkova <furry13@gmail.com<mailto:furry13@gmail.com>>
Cc: Pascal Thubert <pascal.thubert@gmail.com<mailto:pascal.thubert@gmail.com>>; v6ops@ietf.org<mailto:v6ops@ietf.org>; Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>
Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02

Hi Jen,

On Wed, Oct 4, 2023 at 1:27 PM Jen Linkova <furry13@gmail.com<mailto:furry13@gmail.com>> wrote:

Oh I see the source of the confusion. As I've said in another email -
the text *implies* that the relay injects the routes into IGP and
we'll make it explicit in the next revision.

please forgive me if I'm missing something, but what would be the consequence, in a topology with multiple first-hop routers/relays, of one of the routers missing a RELEASE message (e.g. due to packet loss of the multicast transmission)? Would that router keep injecting the route into the infrastructure at large? On first thought it seems this would be more impactful than when simply snooping IA_NA, or when losing a REPLY message. Could that prefix be reassigned elsewhere while the route is still "stuck"?

Thanks,

Paolo


>
>
> Le mer. 4 oct. 2023 à 09:47, Lorenzo Colitti <lorenzo@google.com<mailto:lorenzo@google.com>> a écrit :
>>
>> Pascal,
>>
>> I'm not sure I understand how what we are proposing is different to what is in use today. Today, any network that uses DHCPv6 snooping (e.g., for SAVI purposes) must snoop DHCPv6 replies, no? Those replies are sent unicast by the DHCPv6 server through the relays to the client. The same set of devices that snoops replies and processes IA_NA options can process the IA_PD options in those replies.
>>
>> There is a bit of a difference in the sense that for IA_NA the snooping devices only populate ACLs, whereas for IA_PD, some of the snooping devices - likely the first-hop router(s) - must inject into the IGP mesh a route pointing to the prefix assigned to the client. But I don't understand why this matters. Those devices snoop the DHCPv6 reply anyway, no?
>>
>> Cheers,
>> Lorenzo
>>
>> On Wed, Oct 4, 2023 at 4:38 PM Pascal Thubert <pascal.thubert@gmail.com<mailto:pascal.thubert@gmail.com>> wrote:
>>>
>>> Hello Eduard and Jen
>>>
>>> Snooping by all access routers might appear to be working in a lab but there’s no way to impose that in an enterprise network.
>>>
>>> There can be multiple / many access routers (think ToRs), possibly distributed over the WAN as an overlay.  In such network one would choose that either all ToRs run a dhcp relay but then they block the broadcast or there’s only only relay ( with appropriate HA ). But it is unrealistic to expect that the DHCP request will be relayed by all ToRs. I hope we do not write such a recommendation in an ops document!
>>>
>>> Moreover there is ample experience with ND and MLD that snooping broadcast protocols is the sure recipe for repeated calls to support for unpredictable and difficult to debunk issues.
>>>
>>> And then there’s the problem of routing from the higher aggregation point to the ToR. Some routes will have to be injected somewhere.
>>>
>>> Bottom line is that as written, the draft will only add to the long list of arguments for enterprise people who claim that IPv6 is not for them, along with the issues that the draft attempts to solve, e.g., SLAAC.
>>>
>>> Suggestion for this draft would be to at least recognize that there’s a missing link in the standard suite and indicate on the positive side that 6MAN has an architecture on the works that solves the issue in a secure fashion.
>>>
>>> Regards,
>>>
>>> Pascal
>>>
>>> > Le 3 oct. 2023 à 15:58, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> a écrit :
>>> >
>>> > OK. Therefore it is a new requirement for the DHCP server. It does look not very difficult.
>>> > But it is interesting anyway: Do DHCP vendors support it out of the box (just configuration) or is development needed?
>>> > Ed/
>>> >> -----Original Message-----
>>> >> From: Jen Linkova [mailto:furry13@gmail.com<mailto:furry13@gmail.com>]
>>> >> Sent: Tuesday, October 3, 2023 4:42 PM
>>> >> To: Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>
>>> >> Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>
>>> >> Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
>>> >>
>>> >>> On Tue, Oct 3, 2023 at 6:39 AM Vasilenko Eduard
>>> >>> <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>> wrote:
>>> >>> Are you sure that the DHCP server would answer many client requests
>>> >> (received through different relays) with the same transaction-id?
>>> >>> Where in RFC 8415 is it stated?
>>> >>
>>> >> I do not think it's stated there, it's up to implementation. Hence we
>>> >> have a specific text in Section 7, saying that "while deploying this
>>> >> solution, please configure your server that way".
>>> >>
>>> >>> Why server should do it?
>>> >>
>>> >> Why shouldn't it?
>>> >>
>>> >>> Eduard
>>> >>>> -----Original Message-----
>>> >>>> From: Jen Linkova [mailto:furry13@gmail.com<mailto:furry13@gmail.com>]
>>> >>>> Sent: Tuesday, October 3, 2023 4:17 PM
>>> >>>> To: Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>
>>> >>>> Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>
>>> >>>> Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
>>> >>>>
>>> >>>> On Mon, Oct 2, 2023 at 5:04 AM Vasilenko Eduard
>>> >>>> <vasilenko.eduard=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> wrote:
>>> >>>>
>>> >>>>> "(it should be noted that [I-D.dhcwg-dhc-rfc8415bis] deprecates the
>>> >> Server
>>> >>>> Unicast option exactly because it is not compatible with multiple relays
>>> >>>> topology). Therefore as long as the Server Unicast option is not used, all
>>> >> first-
>>> >>>> hop routers shall be able to install the route for the delegates prefix".
>>> >>>>> dhcwg-dhc-rfc8415bis looks critical but it is expired. Is it possible to
>>> >> delete
>>> >>>> this reference?
>>> >>>>
>>> >>>> Sorry, I'll fix the reference - it should be
>>> >>>> https://datatracker.ietf.org/doc/draft-ietf-dhc-rfc8415bis/ which is
>>> >>>> an active draft.
>>> >>>>
>>> >>>>> " As per Section 18.4 of [RFC8415] the server is not supposed to accept
>>> >>>> unicast traffic when it is not explicitly configured to do, and unicast
>>> >>>> transmission is only allowed for some messages and only if the Server
>>> >>>> Unicast option ([RFC8415], Section 21.12) is used."
>>> >>>>> This is not relevant information - it is about the client transmission.
>>> >>>>
>>> >>>> It is relevant, because as long as the client sends multicast
>>> >>>> messages, all routers (relays) see the message and relay it. So each
>>> >>>> really would send a relay message - as a unicast - to the server. Each
>>> >>>> relay would receive a unicast Relay-repy, which will be used to  snoop
>>> >>>> the route and send to the client.
>>> >>>>
>>> >>>>> Another router should see the server unicast reply to understand the
>>> >> prefix.
>>> >>>>
>>> >>>> Indeed it would receive a unicast reply. The source address of the
>>> >>>> IPv6 packet containing the relayed message would be the relay address.
>>> >>>>
>>> >>>>> On 9/30/2023 4:42 PM, Xipengxiao wrote:
>>> >>>>>
>>> >>>>> Hi Folks,
>>> >>>>>
>>> >>>>> This message initiates a WGLC for draft-ietf-v6ops-dhcp-pd-per-device-
>>> >> 02.
>>> >>>> The call will end on Oct 14, 2023.  Your opinion will be valued.
>>> >>>>>
>>> >>>>> Ron & XiPeng
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> _______________________________________________
>>> >>>>> v6ops mailing list
>>> >>>>> v6ops@ietf.org<mailto:v6ops@ietf.org>
>>> >>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>> >>>>> _______________________________________________
>>> >>>>> v6ops mailing list
>>> >>>>> v6ops@ietf.org<mailto:v6ops@ietf.org>
>>> >>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>> >>>> --
>>> >>>> SY, Jen Linkova aka Furry
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> SY, Jen Linkova aka Furry
>>> >
>>> > _______________________________________________
>>> > v6ops mailing list
>>> > v6ops@ietf.org<mailto:v6ops@ietf.org>
>>> > https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org<mailto:v6ops@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/v6ops
>
>
>
> --
> Pascal
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org<mailto:v6ops@ietf.org>
> https://www.ietf.org/mailman/listinfo/v6ops



--
SY, Jen Linkova aka Furry

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops
_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email