IETF Logo Mail Archive

Re: [v6ops] New I-D: SLAAC and DHCPv6 (Fwd: New Version Notification for draft-gont-v6ops-host-configuration-00.txt)

otroan@employees.org Wed, 01 March 2017 19:41 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 316F9129683 for <v6ops@ietfa.amsl.com>; Wed, 1 Mar 2017 11:41:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=employees.org; domainkeys=pass (1024-bit key) header.from=otroan@employees.org header.d=employees.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ob2v0QwlWN3N for <v6ops@ietfa.amsl.com>; Wed, 1 Mar 2017 11:41:29 -0800 (PST)
Received: from esa01.kjsl.com (esa01.kjsl.com [IPv6:2607:7c80:54:3::87]) by ietfa.amsl.com (Postfix) with ESMTP id AB75D129676 for <v6ops@ietf.org>; Wed, 1 Mar 2017 11:41:29 -0800 (PST)
Received: from cowbell.employees.org ([198.137.202.74]) by esa01.kjsl.com with ESMTP; 01 Mar 2017 19:41:29 +0000
Received: from cowbell.employees.org (localhost [127.0.0.1]) by cowbell.employees.org (Postfix) with ESMTP id 2B27DD788B; Wed, 1 Mar 2017 11:41:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h=from :message-id:content-type:mime-version:subject:date:in-reply-to :cc:to:references; s=selector1; bh=l6OWlJaQfUsOoLPX7rfP6Tep1I4=; b= olLV/jhAFWvE22m+12zPMHBH1cCAnZ2EXhzZnaoXiQhkFZ4Y46m3qhRMFukYGFFi 2F2RWlDr0qOvT+pa+TXzBSMyCaPoCqxXoSzP9CXj5Y6EHB8eDKzpv/tqapOGF4XD r/gg0ctwmDeP2G+fQfSb4cRIj8eD9y8EcTow5l1uklg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h=from :message-id:content-type:mime-version:subject:date:in-reply-to :cc:to:references; q=dns; s=selector1; b=FVEdQAsD6DDvr8BD6ykOsS9 4CSl9L2wMnIRdApZbz63Kd09fd4U21tRZbWD4w+zHx7D4NrYdKSnGZSw0UrTV1zg zO3YhFJ6v0L9f6hKOb9BeXfgpyMZ0DGaIp9D0RKpXPtIP323z6oiwQcLvo2QcLs6 L3P0zOCo6wQVE9mCB/nw=
Received: from h.hanazo.no (96.51-175-103.customer.lyse.net [51.175.103.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: otroan) by cowbell.employees.org (Postfix) with ESMTPSA id CA2A2D788A; Wed, 1 Mar 2017 11:41:28 -0800 (PST)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by h.hanazo.no (Postfix) with ESMTP id 1E6BC91E5952; Wed, 1 Mar 2017 20:41:26 +0100 (CET)
From: otroan@employees.org
Message-Id: <1A390EF1-84B3-4B09-8B13-BC92C052D4B7@employees.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_9558A7EA-034C-4EF4-B68A-A3B139157537"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 01 Mar 2017 20:41:25 +0100
In-Reply-To: <B1A4D771-E497-4F3D-8030-2F99390D0F37@google.com>
To: james woodyatt <jhw@google.com>
References: <148826826343.13815.15231542802790001626.idtracker@ietfa.amsl.com> <7dcf6972-d09f-d559-2f84-592adb01b5ff@si6networks.com> <2646FC7F-A008-4A5F-8D33-4607D306B8AE@google.com> <3e733fa0-744b-28d8-28d2-dbf3ace3c8b3@si6networks.com> <edc46f7f-3aaa-9195-dc23-28e90e386778@gmail.com> <74EF0172-F021-4941-92EE-76D11C3F9401@employees.org> <49a10ca2-6d6c-4d92-fffb-902e20566d9d@gmail.com> <B46D64AB-E87E-44CD-B6B0-81D48E4312D8@employees.org> <B1A4D771-E497-4F3D-8030-2F99390D0F37@google.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Fivo6X5pqUOL813kjYrB9n3PfNE>
Cc: IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] New I-D: SLAAC and DHCPv6 (Fwd: New Version Notification for draft-gont-v6ops-host-configuration-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 19:41:31 -0000

James,

Thanks for the summary. There is also more here:
https://tools.ietf.org/html/draft-ietf-ipngwg-dns-discovery-analysis-00
https://tools.ietf.org/html/rfc4339

The reason I questioned the assumption is because of the information leakage associated with a recursive resolver.
Using the recursive resolver offered by the network, means you entrust the network with every DNS query you make.
Does that make sense for the FreePublicWIFI at the airport, the coffee shop, the home CPE, or the Enterprise?

Apart from running a resolving server on the host and doing DNS over DTLS I'm not sure how to resolve that.

Perhaps the local network must provide a recursive resolver, but the practice of using it for all queries by default is perhaps something we should wean ourselves off.

Ole




> On 1 Mar 2017, at 19:56, james woodyatt <jhw@google.com> wrote:
> 
> On Mar 1, 2017, at 00:15, otroan@employees.org wrote:
>> 
>> Why do we assume that the local network should even provide DNS configuration?
> 
> Because the Domain Name System (DNS) is an essential service of the Internet. Allow me to provide a bit of history from memory in the hopes it will explain how this particular assumption came to be established here.
> 
> —
> 
> Many years ago, when I was implementing the predecessor of RFC 6106, while it was still an Internet Draft, I remember half-heartedly proposing in 6MAN and here in V6OPS that the way host operating systems needing automatic DNS server address configuration should cope with RA messages with the O flag cleared by querying for the SRV record at _dns._udp.local over mDNS.
> 
> I was just about to start writing an Internet Draft to that effect when various IETF participants here suggested there could be serious Security Considerations there. (Never mind that DHCPv6 has the same Security Consideration. We sort-of had DHCP Shield for that problem. There was no mDNS Shield yet.)
> 
> So I said, “What should I do? The RA message says not to expect any DHCPv6 service here. On the other hand, I have a perfectly sane ad-hoc multicast service discovery protocol already defined to do this in the event there is no DHCPv6 service. I’ve got to implement something.”
> 
> And somebody said, “What if we resurrect my old RDNSS draft?”
> 
> And other people, including me, said, “Yeah, but is there an RA Guard equivalent of DHCP Shield?”
> 
> And the answer to that was, “Well, I guess we could publish that draft too.”
> 
> And I said, “Okay, I can live with that."
> 
> And so I implemented RDNSS in the router, and I helped get RDNSS implemented in the hosts we cared most about. (I also needed to implement Stateless DHCPv6 service in the router so that another vendor’s hosts would get DNS information too. And that’s why RFC 7084 says to do both.)
> 
> —
> 
> Here’s really how we got into this mess:
> 
> 1. we made DNS an essential service of the Internet;
> 
> 2. then we made DHCPv6 the only way to configure hosts with DNS service automatically;
> 
> 3. and we made DHCPv6 optional by giving routers a way to say “there is no DHCPv6 here."
> 
> When we did that, we set ourselves up for having more than one way to configure hosts with DNS configuration. One using DHCPv6, and another for when DHCPv6 is not available.
> 
> I can think of five (5) different IETF published Standards Track protocols that are available for hosts to configure their DNS information automatically: DHCPv6, RDNSS, mDNS-SD, SLP and CoRE-RD. I can think of several more non-standard ones beyond those.
> 
> Only one of those standard protocols is one that IPv6 hosts are generally already required to implement: Router Discovery. It’s perfectly okay with me if IETF publishes a BCP that says hosts with DNS clients MUST be capable of processing RDNSS to configure their DNS information automatically. Because they are generally required to process RA messages to configure their IP service automatically. It would be a very low impact requirement.
> 
> I am opposed to dealing with this problem by telling host implementers they MUST implement a DHCPv6 client, and they MUST use it even when RA messages are telling them “there is no DHCPv6 here,” for all the reasons I enumerated previously.
> 
> 
> --james woodyatt <jhw@google.com>
> 
> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email