IETF Logo Mail Archive

Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01

Sheng Jiang <jiangsheng@huawei.com> Fri, 16 November 2012 06:11 UTC

Return-Path: <jiangsheng@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D89721F8853; Thu, 15 Nov 2012 22:11:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.199
X-Spam-Level:
X-Spam-Status: No, score=-6.199 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7oTNVAcyUYbi; Thu, 15 Nov 2012 22:11:55 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 5CC3B21F8669; Thu, 15 Nov 2012 22:11:54 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml204-edg.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.5-GA FastPath queued) with ESMTP id ALP73199; Fri, 16 Nov 2012 06:11:52 +0000 (GMT)
Received: from LHREML403-HUB.china.huawei.com (10.201.5.217) by lhreml204-edg.china.huawei.com (172.18.7.223) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 16 Nov 2012 06:11:36 +0000
Received: from SZXEML460-HUB.china.huawei.com (10.82.67.203) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 16 Nov 2012 06:11:51 +0000
Received: from szxeml545-mbx.china.huawei.com ([169.254.1.6]) by szxeml460-hub.china.huawei.com ([10.82.67.203]) with mapi id 14.01.0323.003; Fri, 16 Nov 2012 14:11:45 +0800
From: Sheng Jiang <jiangsheng@huawei.com>
To: joel jaeggli <joelja@bogus.com>
Thread-Topic: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
Thread-Index: AQHNw5zqb/SB0+d2NUqed+yzFK7R8pfrtqcg//+bQwCAAJFR0A==
Date: Fri, 16 Nov 2012 06:11:45 +0000
Message-ID: <5D36713D8A4E7348A7E10DF7437A4B9239F8E5CB@szxeml545-mbx.china.huawei.com>
References: <50A33EFA.7070008@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E40C@szxeml545-mbx.china.huawei.com> <50A59C1F.2040407@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E520@szxeml545-mbx.china.huawei.com> <50A5BB8E.6010308@bogus.com>
In-Reply-To: <50A5BB8E.6010308@bogus.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.140]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, IPv6 Ops WG <v6ops@ietf.org>, "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org>
Subject: Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 06:11:56 -0000

>>>>In reality, malicious hosts do not follow the RFCs.
>>> untrustworthy hosts aren't necessarily malicious.
>> Ok. Let's discuss which part you don't trust from hosts. There are several
>>possibilities I can think out: a) hosts refuse to register their addresses, b) hosts
>>register wrong address/mac on purpose

>What is wrong MAC in this case? 

I referred to these malicious hosts, who uses faked MAC to get network access or plays to be other hosts.

>MACs are generally but not always stable
>(vrrp6 is a pretty good case for not stable), in any event they are
>reconfigurable. A MAC is a layer 2 binding and if you have a strong
>layer-2 authentication (as some centrally managed networks do) then
>forgery is essentially irrelvant. beyond that the correctness of a MAC
>absent ACLs, is limited to it's presence in the bridge table and any
>l2/l3 bindings it may have.

Then, why hosts are untrustworthy to register address?

>>> I can with relatively minor effort on the part of a vendor capture the
>>> same information, with a lot less signaling out of the NDP cache on my
>>> routers, and do so without consideration of hosts behavior.
>> I agree with you if we only discuss the scenario that first-hop router is fully
>>under management by ISPs. But there are other scenarios, in which first-hop
>>router is home gateway, mobile node and others. For these scenarios, ISP
>>cannot get the address information unless host registering.

>Either the network is centrally managed or it isn't. The draft describes
>a management entity (enterprise) which is fully in control of the first
>hop router(s). Here you're describing a transitory trust model where my
>first hop router managed by me passes a registration option to my hosts
>to register addresses used on my network with my ISP. That's not, in
>your document.

Yes, it was not in the document. Since this document is a DHC draft, we focused on the DHCP Protocol interaction and option definition. We did not do very well to describe suitable scenarios until recently. We will work on that. Thanks to help us improve the document.

>The network in my house, or my enterprise is managed by me, my ISP once
>they've assigned or delegated a prefix doesn't get to determine if I can
>use an address or not. It is no business of my ISP, if my fridge, or
>thermostat decides to use SLAAC to assign an address from the prefix
>which it plans to use becuase it's covered by RA.
>
>> Another point is this new registration is bi-direction interaction. It gives ISPs
>>a chance to manage these host-generated addresses, such as denying certain
>>address (such as low sec-value CGA), etc. For now, ISPs has to accept all
>>host-generated addresses. If ISP denies access because of any
>>address-relevant reasons, there is no mechanism to tell hosts why and how to
>>fix it.

>Interesting use case. It's not in the document however, which you do
>have is.
>
>    After receiving this address registration request, the address
>    registration server MUST register the requested address in its
>    address database, which may further be used by other network
>    functions, such as DNS, network access control lists, etc.
>
>so presumably you tell the IA that it can't have an address by setting
>preferred-lifetime and valid-lifetime fields to 0, that doens't seem like an
>extremely useful message to send back out a client trying to register an
>address.

Agree, more information should be provided in the case of reject address. Actually, the specific case of denying CGA with low sec-value was solved by another dedicated draft (http://tools.ietf.org/html/draft-ietf-dhc-cga-config-dhcpv6) , in which a new DHCPv6 option has been defined to feedback a recommended Sec value.

We will improve this part in next update.

Best regards,

Sheng

>Fundamentally if you don't control the network you shouldn't be managing
>address selection on it since you don't know what people will attach. if
>you do then by all means do so.
>
>
>> Best regards,
>>
>> Sheng
>>
>>>> Best regards,
>>>>
>>>> Sheng
>>>>
>>>>> If a strong assertion of L2 identity in support of l2/l3 bindings is
>>>>> required 802.1x or the wireless equivalanet seems appropiate, e.g. it's
>>>>> what we do today.
>>>>>
>>>>> Availing oneself of a dhcp/ra option entails a lot of signaling for what
>>>>> is likely a relatively ephemeral port (windows machines and macs
>>>>> registering privacy addresses for example). specifiying a binding
>>>>> lifetime seems of limited utility since the host will probably discard
>>>>> the address long before the lifetime expires if it's sufficently long
>>>>> enough to allow for long lived connections using that address.
>>>>> _______________________________________________
>>>>> v6ops mailing list
>>>>> v6ops@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>

v2.23.0 | Report a Bug | By Email