Re: [v6ops] [dhcwg] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements
Timothy Winters <tim@qacafe.com> Wed, 04 November 2020 13:02 UTC
From: Timothy Winters <tim@qacafe.com>
Date: Wed, 04 Nov 2020 08:01:48 -0500
Message-ID: <CAJgLMKt6Zd4H9SdFog3y36HMbCizQ-SsSL0p+DsdtVchz2xjUg@mail.gmail.com>
To: "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
Cc: "ianfarrer@gmx.com" <ianfarrer@gmx.com>, Michael Richardson <mcr+ietf@sandelman.ca>, v6ops list <v6ops@ietf.org>, dhcwg <dhcwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Dahsw0Smh-URGN6-OZqz8YXoBlk>
I agree with Bernie, link-layer address would be an improvement to the Mac Address.

~Tim

On Wed, Nov 4, 2020 at 7:15 AM Bernie Volz (volz) <volz=40cisco.com@dmarc.ietf.org> wrote:

> Hi ... looks good but perhaps MAC address is too Ethernet specific and just link-layer address would be better?
>
> - Bernie
>
> On Oct 29, 2020, at 12:24 PM, "ianfarrer@gmx.com" <ianfarrer@gmx.com> wrote:
>
> Hi,
>
> Sorry for the delay in reply, I’ve been out of the office for the last few weeks for various reasons.
>
> Here’s a new wording proposal incorporating Jen & Bernie’s suggestions:
>
> R-4
> To prevent routing loops, the relay SHOULD implement a configurable policy to drop packets received on a DHCP-PD client facing interface with a destination address in a prefix delegated to a client connected to that interface, as follows: For point-to-point links, when the packet’s ingress and egress interfaces match. For multi-access links, when the packet’s ingress and egress interface match, and the source MAC and next-hop MAC addresses match. An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject route to destination) error message MAY be sent as per [RFC4443], section 3.1. The ICMP policy SHOULD be configurable.
>
> Thanks,
> Ian
>
> On 15. Oct 2020, at 03:51, Jen Linkova <furry13@gmail.com> wrote:
>
> On Wed, Oct 14, 2020 at 12:44 AM Bernie Volz (volz) <volz@cisco.com> wrote:
>
> If not, perhaps we just say:
>
> R-4
> To prevent routing loops, the relay SHOULD implement a configurable policy to drop traffic received from an uplink interface as follows:
>
> I'm not sure 'from an uplink interface' makes sense. In the case of a routing loop caused by an amnesiac DHCP-PD client it would be a downstream interface.
> The scenario when such traffic arrives from an uplink interface is 'the uplink router believes the prefix is delegated to the client but the relay does not have a route pointing to the client so it sends traffic back' - so more likely 'an amnesiac relay' case.
>
> For point-to-point links, when the packet's ingress and egress interfaces match. For multi-access links, when the packet's ingress and egress interface match, and the source MAC and next-hop MAC addresses match. An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject route to destination) error message MAY be sent as per [RFC4443], section 3.1. The ICMP policy SHOULD be configurable.
>
> - Bernie
>
> -----Original Message-----
> From: ianfarrer@gmx.com <ianfarrer@gmx.com>
> Sent: Tuesday, October 13, 2020 9:16 AM
> To: Michael Richardson <mcr+ietf@sandelman.ca>; Jen Linkova <furry13@gmail.com>
> Cc: Bernie Volz (volz) <volz@cisco.com>; dhcwg <dhcwg@ietf.org>; 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
> Subject: Re: [dhcwg] [v6ops] [EXTERNAL] Re: Question to DHCPv6 Relay Implementors regarding draft-ietf-dhc-dhcpv6-pd-relay-requirements
>
> Hi,
>
> Thanks for all of the discussion on this. We’ve reworked the requirement as follows:
>
> R-4
> To prevent routing loops, the relay SHOULD implement a configurable policy to drop client traffic as follows: For point-to-point links, when the packet's ingress and egress interfaces match. For multi-access links, when the packet's ingress and egress interface match, and the source MAC and next-hop MAC addresses match. An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject route to destination) error message MAY be sent back to the client. The ICMP policy SHOULD be configurable.
>
> Thanks,
> Ian
>
> On 9. Oct 2020, at 17:41, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
> Jen Linkova <furry13@gmail.com> wrote:
>
> I think there is confusion re: the scenario we are talking about.
> I've attached the diagram for the case which concerns me.
> So:
> - The Relay R has an interface eth0 connected to a switch S.
> - Devices A and B are connected to the same switch and using R as a default gateway.
> - The prefix 2001:db8::/56 was delegated to a client A via the relay R.
>
> a friendly amendment to your example to aid in human comprehension:
> } - The prefix 2001:db8:0000:0123:/64 was delegated to a client A via the relay R.
> } - R installs a route for 2001:db8:0000:0123:/64 towards A via eth0.
>
> - The device B (which has an address NOT from the delegated prefix, but from another /64 assigned to that common link, let's say 2001:db8:cafe::/64) sends a packet to an address from the delegated
>
> now, my brain can more clearly see that 2001:db8:cafe::/64 is not within 2001:db8:0000:0123:/64, while I had to use a few extra brain cells to see that it wasn't in that ::/56 :-)
>
> What I'd expect to happen (with DHCP-PD or without - e.g. if R has a static route towards A, not a dynamic route produced by PD):
> - the packet is sent to A. Well, if A does not have a route to 2001:db8::42 then indeed a routing loop might happen. But if A does have a route, the packet will be delivered.
>
> What seems to be required by R4:
> - R detects that the packet is received via eth0 and needs to be sent back to eth0. R4 seems to require such packets to be dropped.
> So if B would never be able to communicate to any address in the delegated prefix, right?
>
> Am I missing anything?
>
> I think that you got it right.
>
> Perhaps the missing piece of the rule is don’t send it back to where it came from, based on link layer addresses (or link if point-to-point).
>
> Yes. If R4 was saying 'drop the packet if it comes from the same link-layer address you are going to send it back' - it would make total sense. But I don't think routers do *that*.
>
> Yes, if we made the check on L2 address, then it would work.
> And I agree that routers are exactly doing that.
>
> I think that it also works if B is a router with additional interfaces downstream, unless there are multiple paths.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
> --
> SY, Jen Linkova aka Furry
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
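The R-4 drop decision from the latest wording quoted in this thread, applied to the R/A/B topology discussed above, as an added example (not code from the draft or from any participant). The interface names, link-layer addresses, the `ppp0` prefix and the `delegated` flag are constructed assumptions; the delegated /64 from the friendly amendment is written here as `2001:db8:0:123::/64`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    egress_if: str
    next_hop_ll: Optional[str]   # next hop's link-layer address; None if not applicable
    delegated: bool = False      # assumption: set when the route comes from a PD lease

# Constructed sample state for relay R (all values are illustrative).
A_LL, B_LL = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
P2P_IFACES = frozenset({"ppp0"})
ROUTES = [
    Route(ipaddress.IPv6Network("2001:db8:0:123::/64"), "eth0", A_LL, True),
    Route(ipaddress.IPv6Network("2001:db8:0:200::/64"), "ppp0", None, True),
    Route(ipaddress.IPv6Network("2001:db8:cafe::/64"), "eth0", None),  # on-link
    Route(ipaddress.IPv6Network("::/0"), "uplink0", None),
]

def lookup(dst: str) -> Optional[Route]:
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.IPv6Address(dst)
    hits = [r for r in ROUTES if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def r4_verdict(dst: str, ingress_if: str, src_ll: Optional[str]) -> str:
    """Return 'drop' or 'forward' for a packet arriving on ingress_if."""
    route = lookup(dst)
    if route is None:
        return "no-route"
    # R-4 only covers destinations in a prefix delegated to a client on the
    # interface the packet arrived on, i.e. ingress and egress match.
    if not route.delegated or route.egress_if != ingress_if:
        return "forward"
    # Point-to-point: the only possible sender is the delegating client.
    if ingress_if in P2P_IFACES:
        return "drop"
    # Multi-access: drop only when the sender is also the next hop.
    return "drop" if src_ll == route.next_hop_ll else "forward"

if __name__ == "__main__":
    print(r4_verdict("2001:db8:0:123::42", "eth0", B_LL))  # B to A's prefix
    print(r4_verdict("2001:db8:0:123::42", "eth0", A_LL))  # A loops it back
```

The multi-access branch is what keeps B able to reach addresses in A's delegated prefix while still breaking the loop when A itself hands the packet back to R.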