Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
Mark Smith <markzzzsmith@yahoo.com.au> Fri, 16 November 2012 06:31 UTC
Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4F7721F878C for <v6ops@ietfa.amsl.com>; Thu, 15 Nov 2012 22:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FROM_LOCAL_NOVOWEL=0.5, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oz2lPjcD1ZKl for <v6ops@ietfa.amsl.com>; Thu, 15 Nov 2012 22:31:30 -0800 (PST)
Received: from nm36-vm5.bullet.mail.bf1.yahoo.com (nm36-vm5.bullet.mail.bf1.yahoo.com [72.30.238.141]) by ietfa.amsl.com (Postfix) with ESMTP id 819B321F877C for <v6ops@ietf.org>; Thu, 15 Nov 2012 22:31:30 -0800 (PST)
Received: from [98.139.215.142] by nm36.bullet.mail.bf1.yahoo.com with NNFMP; 16 Nov 2012 06:31:29 -0000
Received: from [98.139.212.233] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 16 Nov 2012 06:31:29 -0000
Received: from [127.0.0.1] by omp1042.mail.bf1.yahoo.com with NNFMP; 16 Nov 2012 06:31:29 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 602136.8853.bm@omp1042.mail.bf1.yahoo.com
Received: (qmail 99848 invoked by uid 60001); 16 Nov 2012 06:31:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s1024; t=1353047489; bh=HkLkB9MNAaDTsYZnHcEP4T2DHT0uPInRhIGlJ7DUrkM=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=OvzMyDlt5W7GopBy+EN6BbOQpUgEQumUtiiedd8qj4OdQNFGQuOe10gDRKQdW/Kj1JevN5vLPwz8Gr5xpXKBeGHCQXm4OwJUeWooe37RnjnMJ/554/lPYmPc+mOMye2QsNFLqd1nmG0MfjVykesmZvMf4FN32xal/hFlUKlT8f0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Dpjyu0tWoAzlcnyWG9jRqqYAL4eYj7lwOOWRAq+fBNS7Mc8l+dpZRo2FsoRqemNO7eg3fhFp9vnu/k6kUFgsQtF0UuMxaXciNAgHjhGKclLpqTiKyxppbW2yRdJP0Cw0hbHewl/BmMJexdLr+BA9d6IYCLp9xtuxrCeGtFC/NgA=;
X-YMail-OSG: JBiZBxMVM1mc5PInCGYsde.IJvMiixNrIuFPwEltS4CnVGP Gr5Ysp8Y0D3aQ1piUuvEK.EBkN3VdG11FNF2XXF5iGbYrQA7wogIQ8bm_98e 3OgRGiefRGj94alZ1RxrGKpFNAEYRuZjqCiueHtsnGnMhl4NPzZjkaBcN.FP 5nryDV5ODu6_tbcVxJqSZjo4p9AtvqVpZLoUo6zcYXiwDYahdDy9W_dkQKIA kEoFTEm3aVsiK81mbMPHOux5PATDmwyjAwWEmApO3D464sDe3MOFtcxN_hR4 BPQufth7G3c_rbD3TVKUtQl1GoxcSPZgSYIf2syxZFAtB2EWOPkXbSFDNjIy D5.bHROi0kzOQZ3uzVl_aVSw8AbETLY3evPXEz9.IBl75Dj2BWEKk3Z9KAuF 52hMO_z0pPYSl1YWXvNxy6wG1dd84spzv8mjLpDRsE1UvLaAdJJyHMqJK_or JiSdeKb0qDHa7LB1aBCNIT_MqSCaTawtILdycEPyA.dlnDlsGvxWWUePXnUf HuY.jRA054yXThfdjOipQOlbsGUBQB45xbISxYzwiOvwakhyCdDVg55s_Rpr EH4UNeEnOuPitctkASXK3vrYTWWlYGjfqc7tnvSVg_ShoEQ--
Received: from [121.200.231.211] by web32501.mail.mud.yahoo.com via HTTP; Thu, 15 Nov 2012 22:31:28 PST
X-Rocket-MIMEInfo: 001.001, SSBhZ3JlZSB3aXRoIEpvZWwsIEkgdGhpbmsgb2JzZXJ2YXRpb24gYnkgbW9zdCBsaWtlbHkgYSByb3V0ZXIgaXMgYSBiZXR0ZXIgbWV0aG9kLCBhcyBpdCB3aWxsIGNhcHR1cmUgYWRkcmVzcyBpbmZvcm1hdGlvbiByZWdhcmRsZXNzIG9mIHdoZXRoZXIgaXQgd2FzIGNvbmZpZ3VyZWQgdmlhIHN0YXRpYywgU0xBQUMgb3IgREhDUHY2IChvciBhbnkgZnV0dXJlIG1ldGhvZHMpLgoKSSBoYXZlbid0IGhhZCBhIGNoYW5jZSB0byBydW4gRmVybmFuZG8ncyB1dGlsaXR5LCBob3dldmVyIEkgdW5kZXJzdGFuZCBpdCABMAEBAQE-
X-Mailer: YahooMailWebService/0.8.123.460
References: <50A33EFA.7070008@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E40C@szxeml545-mbx.china.huawei.com> <50A59C1F.2040407@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E520@szxeml545-mbx.china.huawei.com> <50A5BB8E.6010308@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E5CB@szxeml545-mbx.china.huawei.com>
Message-ID: <1353047488.86944.YahooMailNeo@web32501.mail.mud.yahoo.com>
Date: Thu, 15 Nov 2012 22:31:28 -0800
From: Mark Smith <markzzzsmith@yahoo.com.au>
To: Sheng Jiang <jiangsheng@huawei.com>, joel jaeggli <joelja@bogus.com>
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B9239F8E5CB@szxeml545-mbx.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, IPv6 Ops WG <v6ops@ietf.org>, "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org>
Subject: Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Mark Smith <markzzzsmith@yahoo.com.au>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 06:31:31 -0000
I agree with Joel, I think observation by most likely a router is a better method, as it will capture address information regardless of whether it was configured via static, SLAAC or DHCPv6 (or any future methods). I haven't had a chance to run Fernando's utility, however I understand it implements address recording using observation. http://www.si6networks.com/tools/ipv6mon/ ----- Original Message ----- > From: Sheng Jiang <jiangsheng@huawei.com> > To: joel jaeggli <joelja@bogus.com> > Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>; IPv6 Ops WG <v6ops@ietf.org>; "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org> > Sent: Friday, 16 November 2012 5:11 PM > Subject: Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01 > >>>>> In reality, malicious hosts do not follow the RFCs. >>>> untrustworthy hosts aren't necessarily malicious. >>> Ok. Let's discuss which part you don't trust from hosts. There > are several >>> possibilities I can think out: a) hosts refuse to register their > addresses, b) hosts >>> register wrong address/mac on purpose > >> What is wrong MAC in this case? > > I referred to these malicious hosts, who uses faked MAC to get network access or > plays to be other hosts. > >> MACs are generally but not always stable >> (vrrp6 is a pretty good case for not stable), in any event they are >> reconfigurable. A MAC is a layer 2 binding and if you have a strong >> layer-2 authentication (as some centrally managed networks do) then >> forgery is essentially irrelvant. beyond that the correctness of a MAC >> absent ACLs, is limited to it's presence in the bridge table and any >> l2/l3 bindings it may have. > > Then, why hosts are untrustworthy to register address? > >>>> I can with relatively minor effort on the part of a vendor capture > the >>>> same information, with a lot less signaling out of the NDP cache on > my >>>> routers, and do so without consideration of hosts behavior. >>> I agree with you if we only discuss the scenario that first-hop router > is fully >>> under management by ISPs. But there are other scenarios, in which > first-hop >>> router is home gateway, mobile node and others. For these scenarios, ISP >>> cannot get the address information unless host registering. > >> Either the network is centrally managed or it isn't. The draft describes >> a management entity (enterprise) which is fully in control of the first >> hop router(s). Here you're describing a transitory trust model where my >> first hop router managed by me passes a registration option to my hosts >> to register addresses used on my network with my ISP. That's not, in >> your document. > > Yes, it was not in the document. Since this document is a DHC draft, we focused > on the DHCP Protocol interaction and option definition. We did not do very well > to describe suitable scenarios until recently. We will work on that. Thanks to > help us improve the document. > >> The network in my house, or my enterprise is managed by me, my ISP once >> they've assigned or delegated a prefix doesn't get to determine if I > can >> use an address or not. It is no business of my ISP, if my fridge, or >> thermostat decides to use SLAAC to assign an address from the prefix >> which it plans to use becuase it's covered by RA. >> >>> Another point is this new registration is bi-direction interaction. It > gives ISPs >>> a chance to manage these host-generated addresses, such as denying > certain >>> address (such as low sec-value CGA), etc. For now, ISPs has to accept > all >>> host-generated addresses. If ISP denies access because of any >>> address-relevant reasons, there is no mechanism to tell hosts why and > how to >>> fix it. > >> Interesting use case. It's not in the document however, which you do >> have is. >> >> After receiving this address registration request, the address >> registration server MUST register the requested address in its >> address database, which may further be used by other network >> functions, such as DNS, network access control lists, etc. >> >> so presumably you tell the IA that it can't have an address by setting >> preferred-lifetime and valid-lifetime fields to 0, that doens't seem > like an >> extremely useful message to send back out a client trying to register an >> address. > > Agree, more information should be provided in the case of reject address. > Actually, the specific case of denying CGA with low sec-value was solved by > another dedicated draft > (http://tools.ietf.org/html/draft-ietf-dhc-cga-config-dhcpv6) , in which a new > DHCPv6 option has been defined to feedback a recommended Sec value. > > We will improve this part in next update. > > Best regards, > > Sheng > >> Fundamentally if you don't control the network you shouldn't be > managing >> address selection on it since you don't know what people will attach. if >> you do then by all means do so. >> >> >>> Best regards, >>> >>> Sheng >>> >>>>> Best regards, >>>>> >>>>> Sheng >>>>> >>>>>> If a strong assertion of L2 identity in support of l2/l3 > bindings is >>>>>> required 802.1x or the wireless equivalanet seems > appropiate, e.g. it's >>>>>> what we do today. >>>>>> >>>>>> Availing oneself of a dhcp/ra option entails a lot of > signaling for what >>>>>> is likely a relatively ephemeral port (windows machines and > macs >>>>>> registering privacy addresses for example). specifiying a > binding >>>>>> lifetime seems of limited utility since the host will > probably discard >>>>>> the address long before the lifetime expires if it's > sufficently long >>>>>> enough to allow for long lived connections using that > address. >>>>>> _______________________________________________ >>>>>> v6ops mailing list >>>>>> v6ops@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/v6ops >>> > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] some feedback on http://tools.ietf.org/ht… joel jaeggli
- Re: [v6ops] some feedback on http://tools.ietf.or… Sheng Jiang
- Re: [v6ops] some feedback on http://tools.ietf.or… Sheng Jiang
- Re: [v6ops] some feedback on http://tools.ietf.or… joel jaeggli
- Re: [v6ops] some feedback on http://tools.ietf.or… Sheng Jiang
- Re: [v6ops] some feedback on http://tools.ietf.or… joel jaeggli
- Re: [v6ops] some feedback on http://tools.ietf.or… Sheng Jiang
- Re: [v6ops] some feedback on http://tools.ietf.or… Mark Smith
- Re: [v6ops] some feedback on http://tools.ietf.or… Ted Lemon
- Re: [v6ops] some feedback on http://tools.ietf.or… Mark Smith
- Re: [v6ops] some feedback on http://tools.ietf.or… Tim Chown
- Re: [v6ops] some feedback on http://tools.ietf.or… Sheng Jiang
- Re: [v6ops] [dhcwg] some feedback on http://tools… Ted Lemon
- Re: [v6ops] [dhcwg] some feedback on http://tools… Sheng Jiang
- Re: [v6ops] [dhcwg] some feedback on http://tools… Sheng Jiang