IETF Logo Mail Archive

Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01

joel jaeggli <joelja@bogus.com> Fri, 16 November 2012 01:51 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1546B1F0C49; Thu, 15 Nov 2012 17:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.228
X-Spam-Level:
X-Spam-Status: No, score=-102.228 tagged_above=-999 required=5 tests=[AWL=-0.229, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HcAiNrGATG4l; Thu, 15 Nov 2012 17:51:32 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 80DE31F0C44; Thu, 15 Nov 2012 17:51:32 -0800 (PST)
Received: from joels-MacBook-Air.local (c-98-234-216-143.hsd1.ca.comcast.net [98.234.216.143]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id qAG1pRfY075727 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Fri, 16 Nov 2012 01:51:29 GMT (envelope-from joelja@bogus.com)
Message-ID: <50A59C1F.2040407@bogus.com>
Date: Thu, 15 Nov 2012 17:51:27 -0800
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Sheng Jiang <jiangsheng@huawei.com>
References: <50A33EFA.7070008@bogus.com> <5D36713D8A4E7348A7E10DF7437A4B9239F8E40C@szxeml545-mbx.china.huawei.com>
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B9239F8E40C@szxeml545-mbx.china.huawei.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Fri, 16 Nov 2012 01:51:29 +0000 (UTC)
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, IPv6 Ops WG <v6ops@ietf.org>, "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org>
Subject: Re: [v6ops] some feedback on http://tools.ietf.org/html/draft-ietf-dhc-addr-registration-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 01:51:33 -0000

On 11/15/12 4:51 PM, Sheng Jiang wrote:
>> There's a couple issues that are quite striking. I kind of concur with
>> Fred  Baker that the most appropiate method for tracking l2/l3 binding
>> for address identification is probably more akin to syslog.
>>
>> That is, since you don't really trust the hosts, having a switch/router,
>> simply sysloging all new NDP cache entries pretty much achives the same
>> thing execept with a lot less signaling.
> Hi, Joel,
>
> I am not agree the precondition you have here: "since you don't really trust the hosts". The assume we take is that hosts, at least host IP stack, would do this right. Or at least they will do right things by standard definitions.
That's an interesting assumption given that all pre-existing host stacks 
will be unaware of the availability of the mechanism and therefore not 
use it.
>   In reality, malicious hosts do not follow the RFCs.
untrustworthy hosts aren't necessarily malicious.
>   Therefore, they are considered as security issues. It only means more security mechanism/infrastructure should be deployed. It should not deny the meaning of address registration. It servers most of ordinary hosts, which may be 99% of all users.
I can with relatively minor effort on the part of a vendor capture the 
same information, with a lot less signaling out of the NDP cache on my 
routers, and do so without consideration of hosts behavior.
> Best regards,
>
> Sheng
>
>> If a strong assertion of L2 identity in support of l2/l3 bindings is
>> required 802.1x or the wireless equivalanet seems appropiate, e.g. it's
>> what we do today.
>>
>> Availing oneself of a dhcp/ra option entails a lot of signaling for what
>> is likely a relatively ephemeral port (windows machines and macs
>> registering privacy addresses for example). specifiying a binding
>> lifetime seems of limited utility since the host will probably discard
>> the address long before the lifetime expires if it's sufficently long
>> enough to allow for long lived connections using that address.
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email