Re: [v6ops] Benjamin Kaduk's No Objection on draft-ietf-v6ops-cpe-slaac-renum-07: (with COMMENT)

"Bernie Volz (volz)" <volz@cisco.com> Thu, 25 February 2021 21:10 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: Fernando Gont <fgont@si6networks.com>, Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-v6ops-cpe-slaac-renum@ietf.org" <draft-ietf-v6ops-cpe-slaac-renum@ietf.org>, "v6ops-chairs@ietf.org" <v6ops-chairs@ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>, Owen DeLong <owen@delong.com>
Date: Thu, 25 Feb 2021 21:09:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/AGmZM_nd-WO-kjCgLpRqlB7gnEo>
Subject: Re: [v6ops] Benjamin Kaduk's No Objection on draft-ietf-v6ops-cpe-slaac-renum-07: (with COMMENT)

As DHCPv6 uses the DUID and IA Type (this is fixed based on what the client wants - such as IA_PD) and IA_ID, a device should keep these consistent (across reboots, ...).

If the DUID changes, then there's no reason that the IA_ID cannot change (it's a different client).

If the DUID doesn't change, you MUST keep the IA_ID for a particular interface constant (I'm not sure I would tie this to the interface's link-layer address, but I guess you could).

If a device changes the IA_ID (without changing the DUID), the problem is that the DHCPv6 server will think this is a "different" request than the earlier IA_ID and assign new prefixes or addresses (and no communication about previously used ones). 

If the DUID changes, it is a different client anyway - so then the IA_ID can be a new value.

- Bernie

-----Original Message-----
From: Fernando Gont <fgont@si6networks.com> 
Sent: Thursday, February 25, 2021 3:28 PM
To: Benjamin Kaduk <kaduk@mit.edu>; The IESG <iesg@ietf.org>
Cc: draft-ietf-v6ops-cpe-slaac-renum@ietf.org; v6ops-chairs@ietf.org; v6ops@ietf.org; Owen DeLong <owen@delong.com>
Subject: Re: Benjamin Kaduk's No Objection on draft-ietf-v6ops-cpe-slaac-renum-07: (with COMMENT)

Hello, Ben,

Thanks a lot for your comments! In-line....

On 23/2/21 19:13, Benjamin Kaduk via Datatracker wrote:
[....]
> Section 3
> 
>     o  WPD-10: CE Routers MUST by default use a stable IAID value that
>        does not change between CE Router restarts, DHCPv6 client
>        restarts, or interface state changes. e.g., Transient PPP
>        interfaces.  See Section 3.2 for further details.
> 
> The text in Section 3.2 goes into a bit more detail to clarify that 
> this is basically a pre-existing requirement from RFC 8415, but the 
> short text here is easy to misread as imposing a requirement to use a 
> stable persistent identifier, which would have lousy privacy 
> properties.  RFC 8415 does acknowledge this issue to some extent, but the most 
> applicable text about it seems to be in Section 4.5 of RFC 7844, that 
> clarifies that the IAID needs to be consistent for the association *as 
> long as the link-layer address remains constant*, which is a very 
> natural scope and consistent with best practices for simultaneously 
> changing identifiers at different layers when needed for privacy improvement.

You're right that if the CE Router changes its link-layer address, it's probably because it's trying to change its identity, and hence the IAID should also change.

(FWIW, to a large extent we phrased the text as is because I know of no CE Router that randomizes its link-layer address, so in practice it would result in the same thing). Not surprisingly, I'm keen to improve the specification of this numeric id ;-), so how about:

      o  WPD-10: CE Routers MUST by default use an IAID
         value on the WAN-side that does not change between CE Router
         restarts, DHCPv6 client restarts, or interface state changes
         (e.g., Transient PPP interfaces), as long as the underlying
         link-layer address (if any) does not change.  See Section 3.2
         for further details.


Or maybe:

      o  WPD-10: CE Routers MUST by default use a WAN-side IAID
         value that is stable between CE Router
         restarts, DHCPv6 client restarts, or interface state changes
         (e.g., Transient PPP interfaces), as long as the underlying
         link-layer address (if any) does not change.  See Section 3.2
         for further details.

?

> It would be
> great if we could spend a few words here to clarify that this is not a 
> permanent identifier that could be abused for tracking, perhaps "(Per 
> [RFC8415] it is still expected to change when the link-layer address 
> changes.)", though I was hoping to have something shorter.

Is it? There doesn't seem to be such provision in RFC8415. And RFC7844 is really an opt-in...

> Additionally, while RFC 8415 is clear that the IAID is assigned by the
> client, this text might benefit from noting (e.g.) which interface it is
> used on, since the CE router will often be on both ends of different
> DHCPv6 exchanges.

You mean like the "WAN-side" text above?

Thanks!

Regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
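An added illustration of the binding behaviour Bernie describes (my example; not code from the thread, from RFC 8415 or from the draft): a toy delegating router keys its prefix bindings on (DUID, IA type, IAID), and a CE Router client keeps its WAN-side IAID in persistent storage, regenerating it only when the interface's link-layer address changes, as the proposed WPD-10 text requires. The prefix pool, MAC address and in-memory "NVRAM" are constructed sample values.

```python
import secrets
from ipaddress import IPv6Network

IA_PD = 25  # RFC 8415 option code for Identity Association for Prefix Delegation


class PDServer:
    """Toy delegating router: one /56 per (DUID, IA type, IAID); no lease expiry modelled."""

    def __init__(self, pool: str):
        self._free = list(IPv6Network(pool).subnets(new_prefix=56))
        self.bindings = {}  # (duid, ia_type, iaid) -> delegated IPv6Network

    def request(self, duid: bytes, ia_type: int, iaid: int) -> IPv6Network:
        key = (duid, ia_type, iaid)
        if key not in self.bindings:        # unknown binding: allocate a fresh prefix
            self.bindings[key] = self._free.pop(0)
        return self.bindings[key]           # known binding: hand back the same prefix


class CEClient:
    """CE Router client; `store` stands in for non-volatile storage that survives reboots."""

    def __init__(self, lladdr: bytes, store: dict):
        self.lladdr, self._store = lladdr, store
        self.duid = b"\x00\x03\x00\x01" + lladdr  # DUID-LL: type 3, hardware type 1 (Ethernet)

    def iaid_for(self, ifname: str) -> int:
        saved = self._store.get(ifname)  # (link-layer address it was chosen under, IAID)
        if saved is None or saved[0] != self.lladdr:
            # First use, or the link-layer address changed: choose a new random IAID.
            self._store[ifname] = (self.lladdr, secrets.randbits(32))
        return self._store[ifname][1]


def scenario():
    """Returns (first prefix, prefix after reboot, prefix after IAID churn, binding count)."""
    srv = PDServer("2001:db8::/48")          # constructed sample pool
    nvram = {}                               # constructed persistent store
    mac = bytes.fromhex("020000000001")      # constructed sample MAC
    ce = CEClient(mac, nvram)
    first = srv.request(ce.duid, IA_PD, ce.iaid_for("wan0"))
    ce = CEClient(mac, nvram)                # reboot: new process, same NVRAM and MAC
    after_reboot = srv.request(ce.duid, IA_PD, ce.iaid_for("wan0"))
    # A client that churns its IAID while keeping its DUID looks like a new IA to the
    # server: it is handed a second prefix and the first stays bound until it expires.
    churned = srv.request(ce.duid, IA_PD, ce.iaid_for("wan0") ^ 1)
    return first, after_reboot, churned, len(srv.bindings)
```

With a stable IAID the reboot returns the same /56; the churned IAID consumes a second prefix from the pool while the old binding lingers, which is the server-side waste Bernie points out.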