IETF Logo Mail Archive

Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01

Mark Smith <markzzzsmith@yahoo.com.au> Fri, 16 November 2012 06:31 UTC

Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4F7721F878C for <v6ops@ietfa.amsl.com>; Thu, 15 Nov 2012 22:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FROM_LOCAL_NOVOWEL=0.5, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oz2lPjcD1ZKl for <v6ops@ietfa.amsl.com>; Thu, 15 Nov 2012 22:31:30 -0800 (PST)
Received: from nm36-vm5.bullet.mail.bf1.yahoo.com (nm36-vm5.bullet.mail.bf1.yahoo.com [72.30.238.141]) by ietfa.amsl.com (Postfix) with ESMTP id 819B321F877C for <v6ops@ietf.org>; Thu, 15 Nov 2012 22:31:30 -0800 (PST)
Received: from [98.139.215.142] by nm36.bullet.mail.bf1.yahoo.com with NNFMP; 16 Nov 2012 06:31:29 -0000
Received: from [98.139.212.233] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 16 Nov 2012 06:31:29 -0000
Received: from [127.0.0.1] by omp1042.mail.bf1.yahoo.com with NNFMP; 16 Nov 2012 06:31:29 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 602136.8853.bm@omp1042.mail.bf1.yahoo.com
Received: (qmail 99848 invoked by uid 60001); 16 Nov 2012 06:31:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s1024; t=1353047489; bh=HkLkB9MNAaDTsYZnHcEP4T2DHT0uPInRhIGlJ7DUrkM=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=OvzMyDlt5W7GopBy+EN6BbOQpUgEQumUtiiedd8qj4OdQNFGQuOe10gDRKQdW/Kj1JevN5vLPwz8Gr5xpXKBeGHCQXm4OwJUeWooe37RnjnMJ/554/lPYmPc+mOMye2QsNFLqd1nmG0MfjVykesmZvMf4FN32xal/hFlUKlT8f0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Dpjyu0tWoAzlcnyWG9jRqqYAL4eYj7lwOOWRAq+fBNS7Mc8l+dpZRo2FsoRqemNO7eg3fhFp9vnu/k6kUFgsQtF0UuMxaXciNAgHjhGKclLpqTiKyxppbW2yRdJP0Cw0hbHewl/BmMJexdLr+BA9d6IYCLp9xtuxrCeGtFC/NgA=;
X-YMail-OSG: JBiZBxMVM1mc5PInCGYsde.IJvMiixNrIuFPwEltS4CnVGP Gr5Ysp8Y0D3aQ1piUuvEK.EBkN3VdG11FNF2XXF5iGbYrQA7wogIQ8bm_98e 3OgRGiefRGj94alZ1RxrGKpFNAEYRuZjqCiueHtsnGnMhl4NPzZjkaBcN.FP 5nryDV5ODu6_tbcVxJqSZjo4p9AtvqVpZLoUo6zcYXiwDYahdDy9W_dkQKIA kEoFTEm3aVsiK81mbMPHOux5PATDmwyjAwWEmApO3D464sDe3MOFtcxN_hR4 BPQufth7G3c_rbD3TVKUtQl1GoxcSPZgSYIf2syxZFAtB2EWOPkXbSFDNjIy D5.bHROi0kzOQZ3uzVl_aVSw8AbETLY3evPXEz9.IBl75Dj2BWEKk3Z9KAuF 52hMO_z0pPYSl1YWXvNxy6wG1dd84spzv8mjLpDRsE1UvLaAdJJyHMqJK_or JiSdeKb0qDHa7LB1aBCNIT_MqSCaTawtILdycEPyA.dlnDlsGvxWWUePXnUf HuY.jRA054yXThfdjOipQOlbsGUBQB45xbISxYzwiOvwakhyCdDVg55s_Rpr EH4UNeEnOuPitctkASXK3vrYTWWlYGjfqc7tnvSVg_ShoEQ--
Received: from [121.200.231.211] by web32501.mail.mud.yahoo.com via HTTP; Thu, 15 Nov 2012 22:31:28 PST
X-Rocket-MIMEInfo: 001.001, SSBhZ3JlZSB3aXRoIEpvZWwsIEkgdGhpbmsgb2JzZXJ2YXRpb24gYnkgbW9zdCBsaWtlbHkgYSByb3V0ZXIgaXMgYSBiZXR0ZXIgbWV0aG9kLCBhcyBpdCB3aWxsIGNhcHR1cmUgYWRkcmVzcyBpbmZvcm1hdGlvbiByZWdhcmRsZXNzIG9mIHdoZXRoZXIgaXQgd2FzIGNvbmZpZ3VyZWQgdmlhIHN0YXRpYywgU0xBQUMgb3IgREhDUHY2IChvciBhbnkgZnV0dXJlIG1ldGhvZHMpLgoKSSBoYXZlbid0IGhhZCBhIGNoYW5jZSB0byBydW4gRmVybmFuZG8ncyB1dGlsaXR5LCBob3dldmVyIEkgdW5kZXJzdGFuZCBpdCABMAEBAQE-
X-Mailer: YahooMailWebService/0.8.123.460
References: <50A33EFA.7070008@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E40C@szxeml545-mbx.china.huawei.com> <50A59C1F.2040407@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E520@szxeml545-mbx.china.huawei.com> <50A5BB8E.6010308@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E5CB@szxeml545-mbx.china.huawei.com>
Message-ID: <1353047488.86944.YahooMailNeo@web32501.mail.mud.yahoo.com>
Date: Thu, 15 Nov 2012 22:31:28 -0800
From: Mark Smith <markzzzsmith@yahoo.com.au>
To: Sheng Jiang <jiangsheng@huawei.com>, joel jaeggli <joelja@bogus.com>
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B9239F8E5CB@szxeml545-mbx.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, IPv6 Ops WG <v6ops@ietf.org>, "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org>
Subject: Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Mark Smith <markzzzsmith@yahoo.com.au>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 06:31:31 -0000

I agree with Joel, I think observation by most likely a router is a better method, as it will capture address information regardless of whether it was configured via static, SLAAC or DHCPv6 (or any future methods).

I haven't had a chance to run Fernando's utility, however I understand it implements address recording using observation.

http://www.si6networks.com/tools/ipv6mon/



----- Original Message -----
> From: Sheng Jiang <jiangsheng@huawei.com>
> To: joel jaeggli <joelja@bogus.com>
> Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>; IPv6 Ops WG <v6ops@ietf.org>; "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org>
> Sent: Friday, 16 November 2012 5:11 PM
> Subject: Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
> 
>>>>> In reality, malicious hosts do not follow the RFCs.
>>>>  untrustworthy hosts aren't necessarily malicious.
>>>  Ok. Let's discuss which part you don't trust from hosts. There 
> are several
>>> possibilities I can think out: a) hosts refuse to register their 
> addresses, b) hosts
>>> register wrong address/mac on purpose
> 
>> What is wrong MAC in this case? 
> 
> I referred to these malicious hosts, who uses faked MAC to get network access or 
> plays to be other hosts.
> 
>> MACs are generally but not always stable
>> (vrrp6 is a pretty good case for not stable), in any event they are
>> reconfigurable. A MAC is a layer 2 binding and if you have a strong
>> layer-2 authentication (as some centrally managed networks do) then
>> forgery is essentially irrelvant. beyond that the correctness of a MAC
>> absent ACLs, is limited to it's presence in the bridge table and any
>> l2/l3 bindings it may have.
> 
> Then, why hosts are untrustworthy to register address?
> 
>>>>  I can with relatively minor effort on the part of a vendor capture 
> the
>>>>  same information, with a lot less signaling out of the NDP cache on 
> my
>>>>  routers, and do so without consideration of hosts behavior.
>>>  I agree with you if we only discuss the scenario that first-hop router 
> is fully
>>> under management by ISPs. But there are other scenarios, in which 
> first-hop
>>> router is home gateway, mobile node and others. For these scenarios, ISP
>>> cannot get the address information unless host registering.
> 
>> Either the network is centrally managed or it isn't. The draft describes
>> a management entity (enterprise) which is fully in control of the first
>> hop router(s). Here you're describing a transitory trust model where my
>> first hop router managed by me passes a registration option to my hosts
>> to register addresses used on my network with my ISP. That's not, in
>> your document.
> 
> Yes, it was not in the document. Since this document is a DHC draft, we focused 
> on the DHCP Protocol interaction and option definition. We did not do very well 
> to describe suitable scenarios until recently. We will work on that. Thanks to 
> help us improve the document.
> 
>> The network in my house, or my enterprise is managed by me, my ISP once
>> they've assigned or delegated a prefix doesn't get to determine if I 
> can
>> use an address or not. It is no business of my ISP, if my fridge, or
>> thermostat decides to use SLAAC to assign an address from the prefix
>> which it plans to use becuase it's covered by RA.
>> 
>>>  Another point is this new registration is bi-direction interaction. It 
> gives ISPs
>>> a chance to manage these host-generated addresses, such as denying 
> certain
>>> address (such as low sec-value CGA), etc. For now, ISPs has to accept 
> all
>>> host-generated addresses. If ISP denies access because of any
>>> address-relevant reasons, there is no mechanism to tell hosts why and 
> how to
>>> fix it.
> 
>> Interesting use case. It's not in the document however, which you do
>> have is.
>> 
>>     After receiving this address registration request, the address
>>     registration server MUST register the requested address in its
>>     address database, which may further be used by other network
>>     functions, such as DNS, network access control lists, etc.
>> 
>> so presumably you tell the IA that it can't have an address by setting
>> preferred-lifetime and valid-lifetime fields to 0, that doens't seem 
> like an
>> extremely useful message to send back out a client trying to register an
>> address.
> 
> Agree, more information should be provided in the case of reject address. 
> Actually, the specific case of denying CGA with low sec-value was solved by 
> another dedicated draft 
> (http://tools.ietf.org/html/draft-ietf-dhc-cga-config-dhcpv6) , in which a new 
> DHCPv6 option has been defined to feedback a recommended Sec value.
> 
> We will improve this part in next update.
> 
> Best regards,
> 
> Sheng
> 
>> Fundamentally if you don't control the network you shouldn't be 
> managing
>> address selection on it since you don't know what people will attach. if
>> you do then by all means do so.
>> 
>> 
>>>  Best regards,
>>> 
>>>  Sheng
>>> 
>>>>>  Best regards,
>>>>> 
>>>>>  Sheng
>>>>> 
>>>>>>  If a strong assertion of L2 identity in support of l2/l3 
> bindings is
>>>>>>  required 802.1x or the wireless equivalanet seems 
> appropiate, e.g. it's
>>>>>>  what we do today.
>>>>>> 
>>>>>>  Availing oneself of a dhcp/ra option entails a lot of 
> signaling for what
>>>>>>  is likely a relatively ephemeral port (windows machines and 
> macs
>>>>>>  registering privacy addresses for example). specifiying a 
> binding
>>>>>>  lifetime seems of limited utility since the host will 
> probably discard
>>>>>>  the address long before the lifetime expires if it's 
> sufficently long
>>>>>>  enough to allow for long lived connections using that 
> address.
>>>>>>  _______________________________________________
>>>>>>  v6ops mailing list
>>>>>>  v6ops@ietf.org
>>>>>>  https://www.ietf.org/mailman/listinfo/v6ops
>>> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email