IETF Logo Mail Archive

[v6ops] Re: DHCPv6 PD in a multi-prefix environment

Ted Lemon <mellon@fugue.com> Wed, 24 July 2024 04:02 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E458C151078 for <v6ops@ietfa.amsl.com>; Tue, 23 Jul 2024 21:02:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCBZYh_w7PFG for <v6ops@ietfa.amsl.com>; Tue, 23 Jul 2024 21:02:39 -0700 (PDT)
Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF204C14F6A8 for <v6ops@ietf.org>; Tue, 23 Jul 2024 21:02:39 -0700 (PDT)
Received: by mail-ot1-x335.google.com with SMTP id 46e09a7af769-7037c464792so3434121a34.2 for <v6ops@ietf.org>; Tue, 23 Jul 2024 21:02:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1721793759; x=1722398559; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=txVK1t/0/9OCQIFlpdPdchPU4CzxxWhXDhoOxznpw+0=; b=sZaGznxx1KH8cmZYRs5LanrtSiH583I9R8uKvtMygUvQ5eoJaxGzmuexMg4dbmQwSo 3bJvfFGghsWqZl8+LkJCe2gcQlwLkhyu3H4AS04NUnFR55XbMKzljN7ocfDuJFbNlrmv RLLptiBHlXTxVVuze/jjTct4rIyrJ+ujvWECzYp0rDk96XDyA/3CKloSiBsg5hXUBKRz 3LE51w3kq9kNG+VSLJjAcqqFAlgPo7b9MDygu499EOpUj4qAcVfF2udZCbutB2uu5C/y YTllIQ1IfX1dFKvTccOfQTIRANPgQVNobnGb8Ee0fyXJyHceAEgjrKBJlnnC3Pn1n9pA OwgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721793759; x=1722398559; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=txVK1t/0/9OCQIFlpdPdchPU4CzxxWhXDhoOxznpw+0=; b=AauhmHITVv9KzXm6oK6kBGYrg5Sk19OtMpm+ndpguRHEje52HFG5u+Mone6sOoba06 AkYa+SCcIr2dn8t/Lp4QKcS8nOQIXiv2JLdZfbNrFXC5kDZBW7XnHfX8RVyfpYFB6HFM 2MMKEJLDA6A8x317NwgI8PTSF3M/QZkwyAPGNoK7ihrZzTaMi9fkZCWdIZhNtWshtNlm Srsj8vhTkhfvM9hWxaykV9/wUV0keVRLDnppwS656FmMTBmkdvUdKZGosO81sqMYUUGN fl5RH1pmje6y5zYu12uKSgIqmHvTHW63F2uHbfNug+yZRS1VjFhHJuf3GjY0CRY/Odqd UOpA==
X-Gm-Message-State: AOJu0YznOk0RaVFNE6h98TIprwb7wzfEwK6UqVrKsvvCPUy/hsKMJtYr i5OozAZ9u3HZgmv4gB9kC7J6bwOx8cQnPC7gfALFV1FXVU4fJT85+1TZ6dEuV6I7gki30VMOt+f 0as+qIH5plhJND0XT87tH9AMUIe0ogS9wpP55xw==
X-Google-Smtp-Source: AGHT+IG5pbt1/vz4aKgdjbA1Xl+tSj526s+kY77Th+f8IgheNUTW6IyyCT8sCPHW0eBIrKIi4Wi/Bi/OS4/7vdDXtWM=
X-Received: by 2002:a05:6870:b50c:b0:260:f24b:625 with SMTP id 586e51a60fabf-261216b3b6cmr12406903fac.47.1721793758655; Tue, 23 Jul 2024 21:02:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAN-Dau1tRp02p58O8RKcCAVeXKqnkJt_b14KM5iCcDTm4JmnGQ@mail.gmail.com> <CAPt1N1ntZmL47HH-zkryVey6NmzEenKfBzZ90hcUQaduZV3sLw@mail.gmail.com> <CAN-Dau1udnxJTWWknwwTjzTa7cQejoE0qcVk94u5ijd3RaBXrw@mail.gmail.com> <CAPt1N1mEPLo6BN6=xLd7r+WJ7PiNhjW3GtUboZtTBZeU6dy-0Q@mail.gmail.com> <CAN-Dau0icgiM5+9_KYhEiaKwfRD2tUcA9qSpC=R5sVgSecRcGQ@mail.gmail.com> <CAN-Dau2oAAVZqO_NTi1JupUtXcg5fTgLC-T90mo3Zha01KpogQ@mail.gmail.com>
In-Reply-To: <CAN-Dau2oAAVZqO_NTi1JupUtXcg5fTgLC-T90mo3Zha01KpogQ@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Wed, 24 Jul 2024 00:02:27 -0400
Message-ID: <CAPt1N1mDDJT=GG6YRH7xJu2N3tsEhAdkX5U2akYnNJRuj=5uEg@mail.gmail.com>
To: David Farmer <farmer@umn.edu>
Content-Type: multipart/alternative; boundary="0000000000005c9353061df65909"
Message-ID-Hash: XURNEUKVVVUO3QYW7CFEEBFXIMHEGKFD
X-Message-ID-Hash: XURNEUKVVVUO3QYW7CFEEBFXIMHEGKFD
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: V6 Ops List <v6ops@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [v6ops] Re: DHCPv6 PD in a multi-prefix environment
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/IL_d8jvXsADb1SZl_Lu375Rnflg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

The general assumption is that a snac router is being used on a network
that is managed in a way that makes sense. Eg if there is a 7084 router,
the devices on the stub network can in principle reach out to the internet,
but can’t receive incoming connections and shouldn’t be attackable. If it’s
connected to an enterprise network, the assumption is that that network is
managed similarly.

But the bottom line is that we have to take what the network offers. I
don’t think it makes sense to codify some complex set of heuristics to
adapt to various possible network setups we might encounter, because there
are too many possibilities, none of which seem at all likely other than the
two I just described. And in those two cases, we just ask for a prefix and
take whatever we get. I think that’s okay.

Op di 23 jul 2024 om 20:53 schreef David Farmer <farmer@umn.edu>

> from the Introduction of draft-ietf-snac-simple;
>
> The term "stub" refers to the way the network is seen by the link to which
> it is connected: there is reachability through a stub network router to
> devices on the stub network from the infrastructure link, but there is no
> reachability through the stub network to any link beyond that one.
>
>
> I was reading that as networks downstream of the SNAC router. Is this
> supposed also to mean upstream of the infrastructure link?
>
> I wanted the SNAC network to have ULA addresses to reduce the attack
> surface. But if the SNAC network cannot, by policy, communicate with the
> Internet through the infrastructure link, then providing the SNAC router
> with a ULA prefix is not advantageous. I'm fine proving the SNAC router
> with a GUA prefix.
>
> That may be how I misunderstood the scenario.
>
> Thanks
>
> On Tue, Jul 23, 2024 at 10:09 PM David Farmer <farmer@umn.edu> wrote:
>
>> So, are you saying the SNAC router should use a GUA prefix in all cases
>> and expose the IOT devices to the Global Internet?
>>
>> On Tue, Jul 23, 2024 at 9:55 PM Ted Lemon <mellon@fugue.com> wrote:
>>
>>> No, I mean can you describe a real-world scenario where this would
>>> happen. I get that you could configure a DHCP server to do this. The
>>> question is, when would someone configure the DHCP server that way?
>>>
>>> On Tue, Jul 23, 2024 at 7:49 PM David Farmer <farmer@umn.edu> wrote:
>>>
>>>> I already did scenario A.3 in draft-ietf-snac-simple. It is appropriate
>>>> for the SNAC router to obtain a ULA prefix instead of a GUA prefix to
>>>> reduce the attack surface of the IOT devices.
>>>>
>>>> On Tue, Jul 23, 2024 at 9:33 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>
>>>>> Can you give us an example of a situation where such a decision would
>>>>> need to be made?
>>>>>
>>>>> On Tue, Jul 23, 2024 at 6:48 PM David Farmer <farmer=
>>>>> 40umn.edu@dmarc.ietf.org> wrote:
>>>>>
>>>>>> The classic ISP use case for DHCPv6 PD, as envisioned initially by
>>>>>> RFC3633 and integrated into RFC8415, typically expected a single prefix to
>>>>>> be delegated to a requesting router from the ISP. Meanwhile, many of the
>>>>>> draft-ietf-v6ops-cpe-lan-pd use cases probably expect a subdelegation from
>>>>>> this ISP provided prefix. Nevertheless, an RFC7084 CE Router may also have
>>>>>> a ULA prefix to subdelegate from, and a ULA prefix may be more appropriate
>>>>>> for some of the use cases. Not to mention, there may be prefixes from more
>>>>>> than one ISP or additional prefixes while renumbering.
>>>>>>
>>>>>> Should the delegating router in draft-ietf-v6ops-cpe-lan-pd advertise
>>>>>> subdelegations from all prefixes it may have and let the requesting router
>>>>>> choose one or more? How does the requesting router know which prefixes it
>>>>>> is appropriate to select in what circumstances? If the delegating router
>>>>>> doesn't advertise subdelegations from all prefixes, how does it know which
>>>>>> prefixes to advertise to which requesting routers?
>>>>>>
>>>>>> You can also ask the question from the opposite direction: How does
>>>>>> the requesting router solicit for a ULA prefix instead of a GUA prefix if
>>>>>> that is more appropriate for its use case?
>>>>>>
>>>>>> These questions came to mind while reading draft-ietf-snac-simple, as
>>>>>> it would seem reasonable to want the SCAC router to obtain a ULA prefix
>>>>>> from the delegating router and not a GUA prefix, especially in the scenario
>>>>>> described in A.3. However, similar questions exist for downstream RFC7084
>>>>>> or PD-per-device in a multi-prefix environment.
>>>>>>
>>>>>> Thanks.
>>>>>> --
>>>>>> ===============================================
>>>>>> David Farmer               Email:farmer@umn.edu
>>>>>> Networking & Telecommunication Services
>>>>>> Office of Information Technology
>>>>>> University of Minnesota
>>>>>> 2218 University Ave SE        Phone: 612-626-0815
>>>>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>>>>> ===============================================
>>>>>> _______________________________________________
>>>>>> v6ops mailing list -- v6ops@ietf.org
>>>>>> To unsubscribe send an email to v6ops-leave@ietf.org
>>>>>>
>>>>>
>>>>
>>>> --
>>>> ===============================================
>>>> David Farmer               Email:farmer@umn.edu
>>>> Networking & Telecommunication Services
>>>> Office of Information Technology
>>>> University of Minnesota
>>>> 2218 University Ave SE        Phone: 612-626-0815
>>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>>> ===============================================
>>>>
>>>
>>
>> --
>> ===============================================
>> David Farmer               Email:farmer@umn.edu
>> Networking & Telecommunication Services
>> Office of Information Technology
>> University of Minnesota
>> 2218 University Ave SE        Phone: 612-626-0815
>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>> ===============================================
>>
>
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>

v2.36.0 | Report a Bug | By Email | System Status