IETF Logo Mail Archive

Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02

David Farmer <farmer@umn.edu> Mon, 09 October 2023 00:42 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61311C151091 for <v6ops@ietfa.amsl.com>; Sun, 8 Oct 2023 17:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ok3YB5bmlO0U for <v6ops@ietfa.amsl.com>; Sun, 8 Oct 2023 17:42:01 -0700 (PDT)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8306C15108E for <v6ops@ietf.org>; Sun, 8 Oct 2023 17:42:00 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 4S3gGH3d8Rz9vBtD for <v6ops@ietf.org>; Mon, 9 Oct 2023 00:41:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PDo9Z0IITksp for <v6ops@ietf.org>; Sun, 8 Oct 2023 19:41:59 -0500 (CDT)
Received: from mail-ej1-f70.google.com (mail-ej1-f70.google.com [209.85.218.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 4S3gGG4gN6z9vBt8 for <v6ops@ietf.org>; Sun, 8 Oct 2023 19:41:58 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p5.oit.umn.edu 4S3gGG4gN6z9vBt8
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p5.oit.umn.edu 4S3gGG4gN6z9vBt8
Received: by mail-ej1-f70.google.com with SMTP id a640c23a62f3a-993c2d9e496so311010766b.0 for <v6ops@ietf.org>; Sun, 08 Oct 2023 17:41:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; t=1696812116; x=1697416916; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3GYmlx5+ukg0Dql8D/AmmL8kgCacDIWdY03WrDxVn/k=; b=XY5oGo3uMsOLj6Ipw14s1ne9FAfODiZfBTawLBXg1o8pDOhmpDmvg7MdjKx6BsmXXJ JmB03YQAzTHel8UypDzr66LVknFI3bNYet1Op48zVjHEO2aNpApdovz7YZ9cYc3DU8I/ YlaTDZShqA9HllJF1p1MYaV/CgvIYqoyT7V+7bU569BJo6QHY1WrsHHv3ABfmBV6tDNV UjkleZPOitn6K60rRf1FUrk0L1A9tuvfz8s7UL4zPfoV+MRHI5klk6za3M/Pz+4YCfS7 tFHbYf4YiRTpFiUW5F43MCQI15Z6tfXjKLDm/NUymqqE8xZwMgaSN2OFwIUZltzz5MF0 R3Xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696812116; x=1697416916; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3GYmlx5+ukg0Dql8D/AmmL8kgCacDIWdY03WrDxVn/k=; b=CK1Sa7ZwY00OudvZktA5wWrW8DNSUbJdCR/swGj2Ku0F5MmiUJTjFK94bTM/VYqveo 4EP1PEiY0tv0WCBL5UD1BjUpXqH91NHiEmJkQa1Hne8VFXWUPqvgCT3GOZLyzGlip+y+ FSmtSPEm2KI0V1vVU29gMMmZvMXQ5fw4E979NMktDbSRVI0NbK9ttcKGwxXbN776v+ty 9tzWwkiRL3SF39sShzhD4zmZ6MdoY91ie4pfhLwF/vmAeCn16VN7GwiHjAEfFHjkCn34 ki4Oj01rg/C8jfwKU/gvSrvCBUUcIXFiXCwCWX9CfVqL2+YhgkOKtIqBj4t6ayxPS1oZ xhjA==
X-Gm-Message-State: AOJu0YxnK084UzvLrltjcKEMQxttDOEnE0/XnFqJRbgix86BUS1E4pQV hFL8K7TxvSq8KfRRLMuuPrQekzgi5eQHioMBZuMfS4pV39tgG18bPeGmLlr+Mz3dXBQx0y1/X/T NRd1g9pwZHln0c3ojuFpEIWSRuz/sgc2toXNc
X-Received: by 2002:a17:906:1ba9:b0:9ae:57b8:ad1b with SMTP id r9-20020a1709061ba900b009ae57b8ad1bmr12017343ejg.21.1696812116539; Sun, 08 Oct 2023 17:41:56 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFVsr62mPWrWR/Q5NUPLRMoLSxoc9jGMvjtJM6mvy92Q7TamkmlrElJA2Hy0L0mJrYG9kr9J6zXxkD0FE3CBSE=
X-Received: by 2002:a17:906:1ba9:b0:9ae:57b8:ad1b with SMTP id r9-20020a1709061ba900b009ae57b8ad1bmr12017335ejg.21.1696812116001; Sun, 08 Oct 2023 17:41:56 -0700 (PDT)
MIME-Version: 1.0
References: <5b0e0e82cd8844c987a4fbfd26f07135@huawei.com> <05711977-E061-4185-BE97-F6DECED13A59@employees.org>
In-Reply-To: <05711977-E061-4185-BE97-F6DECED13A59@employees.org>
From: David Farmer <farmer@umn.edu>
Date: Sun, 08 Oct 2023 19:41:38 -0500
Message-ID: <CAN-Dau3mc-pbeLQJWdHebEu39G3t6J-gFm5P9dmLxvFg8WmdtA@mail.gmail.com>
To: Ole Trøan <otroan=40employees.org@dmarc.ietf.org>
Cc: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>, v6ops@ietf.org
Content-Type: multipart/mixed; boundary="0000000000006cf9f406073ddb4f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/nQNL_-bkLdcJQuhbyJscQP033fA>
Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2023 00:42:05 -0000

At a very high level, I've been thinking about alternatives to DHCP
Snooping for PD route injection.

The first alternative would be having the client participate in a network
routing system and advertise its own PD route. However, the network must
trust the client not to inject other routes. It would be possible for the
first-hop routers to apply a policy that only allows the client to inject
its own PD route. But to apply such a policy, the first-hop router needs
the same information from DHCP snooping that it needs to inject the PD
route on behalf of the client.

Another alternative would be to change the attachment point for the PD
route in the routing architecture. The draft uses the client's link-local
address as the attachment point for the PD route. Therefore, since the
link-local address is only valid in the context of the attached link, the
client itself or a first-hop router on the attached link must be
responsible for injecting the PD route into the routing system. However, if
a ULA or GUA were used as the attachment point in the routing architecture,
then a routing protocol that allows for a remote next-hop, such as BGP,
could be used, and the DHCP server could be responsible for injecting the
PD route, possibly through a BGP route server.

While many people find DHCP snooping distasteful, given the draft's desire
to reduce the ND context as much as possible and, therefore, using the
client's link-local address as the routing attachment point, DHCP snooping
or a similar mechanism will be necessary to get the appropriate information
to the first-hop router for it to inject the PD route into the routing
system on behalf of the client.

Thanks

On Thu, Oct 5, 2023 at 1:41 AM Ole Trøan <otroan=
40employees.org@dmarc.ietf.org> wrote:

> Snooping is indeed tricky.
> For PD route injection I don’t think much has happened since:
> IPv6 Prefix Delegation routing state maintenance approaches
> <https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>
> datatracker.ietf.org
> <https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>
> [image: ietf-logo-nor-180.png]
> <https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>
> <https://datatracker.ietf.org/doc/html/draft-stenberg-pd-route-maintenance-00>
>
>
> Any better ideas?
>
> O.
>
> On 5 Oct 2023, at 08:28, Vasilenko Eduard <vasilenko.eduard=
> 40huawei.com@dmarc.ietf.org> wrote:
>
> 
>
> IMHO: Paolo and Pascal are effectively talking (in a different way) that
> snooping is not reliable mechanism to depend routing on it.
>
> Ed/
>
> *From:* Paolo Nero [mailto:oselists@gmail.com]
> *Sent:* Thursday, October 5, 2023 1:47 AM
> *To:* Jen Linkova <furry13@gmail.com>
> *Cc:* Pascal Thubert <pascal.thubert@gmail.com>; v6ops@ietf.org;
> Vasilenko Eduard <vasilenko.eduard@huawei.com>
> *Subject:* Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
>
>
>
> Hi Jen,
>
>
>
> On Wed, Oct 4, 2023 at 1:27 PM Jen Linkova <furry13@gmail.com> wrote:
>
>
> Oh I see the source of the confusion. As I've said in another email -
> the text *implies* that the relay injects the routes into IGP and
> we'll make it explicit in the next revision.
>
>
>
> please forgive me if I'm missing something, but what would be the
> consequence, in a topology with multiple first-hop routers/relays, of one
> of the routers missing a RELEASE message (e.g. due to packet loss of the
> multicast transmission)? Would that router keep injecting the route into
> the infrastructure at large? On first thought it seems this would be more
> impactful than when simply snooping IA_NA, or when losing a REPLY message.
> Could that prefix be reassigned elsewhere while the route is still "stuck"?
>
>
>
> Thanks,
>
>
>
> Paolo
>
>
>
>
>
> >
> >
> > Le mer. 4 oct. 2023 à 09:47, Lorenzo Colitti <lorenzo@google.com> a
> écrit :
> >>
> >> Pascal,
> >>
> >> I'm not sure I understand how what we are proposing is different to
> what is in use today. Today, any network that uses DHCPv6 snooping (e.g.,
> for SAVI purposes) must snoop DHCPv6 replies, no? Those replies are sent
> unicast by the DHCPv6 server through the relays to the client. The same set
> of devices that snoops replies and processes IA_NA options can process the
> IA_PD options in those replies.
> >>
> >> There is a bit of a difference in the sense that for IA_NA the snooping
> devices only populate ACLs, whereas for IA_PD, some of the snooping devices
> - likely the first-hop router(s) - must inject into the IGP mesh a route
> pointing to the prefix assigned to the client. But I don't understand why
> this matters. Those devices snoop the DHCPv6 reply anyway, no?
> >>
> >> Cheers,
> >> Lorenzo
> >>
> >> On Wed, Oct 4, 2023 at 4:38 PM Pascal Thubert <pascal.thubert@gmail.com>
> wrote:
> >>>
> >>> Hello Eduard and Jen
> >>>
> >>> Snooping by all access routers might appear to be working in a lab but
> there’s no way to impose that in an enterprise network.
> >>>
> >>> There can be multiple / many access routers (think ToRs), possibly
> distributed over the WAN as an overlay.  In such network one would choose
> that either all ToRs run a dhcp relay but then they block the broadcast or
> there’s only only relay ( with appropriate HA ). But it is unrealistic to
> expect that the DHCP request will be relayed by all ToRs. I hope we do not
> write such a recommendation in an ops document!
> >>>
> >>> Moreover there is ample experience with ND and MLD that snooping
> broadcast protocols is the sure recipe for repeated calls to support for
> unpredictable and difficult to debunk issues.
> >>>
> >>> And then there’s the problem of routing from the higher aggregation
> point to the ToR. Some routes will have to be injected somewhere.
> >>>
> >>> Bottom line is that as written, the draft will only add to the long
> list of arguments for enterprise people who claim that IPv6 is not for
> them, along with the issues that the draft attempts to solve, e.g., SLAAC.
> >>>
> >>> Suggestion for this draft would be to at least recognize that there’s
> a missing link in the standard suite and indicate on the positive side that
> 6MAN has an architecture on the works that solves the issue in a secure
> fashion.
> >>>
> >>> Regards,
> >>>
> >>> Pascal
> >>>
> >>> > Le 3 oct. 2023 à 15:58, Vasilenko Eduard <vasilenko.eduard=
> 40huawei.com@dmarc.ietf.org> a écrit :
> >>> >
> >>> > OK. Therefore it is a new requirement for the DHCP server. It does
> look not very difficult.
> >>> > But it is interesting anyway: Do DHCP vendors support it out of the
> box (just configuration) or is development needed?
> >>> > Ed/
> >>> >> -----Original Message-----
> >>> >> From: Jen Linkova [mailto:furry13@gmail.com]
> >>> >> Sent: Tuesday, October 3, 2023 4:42 PM
> >>> >> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> >>> >> Cc: v6ops@ietf.org
> >>> >> Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
> >>> >>
> >>> >>> On Tue, Oct 3, 2023 at 6:39 AM Vasilenko Eduard
> >>> >>> <vasilenko.eduard@huawei.com> wrote:
> >>> >>> Are you sure that the DHCP server would answer many client requests
> >>> >> (received through different relays) with the same transaction-id?
> >>> >>> Where in RFC 8415 is it stated?
> >>> >>
> >>> >> I do not think it's stated there, it's up to implementation. Hence
> we
> >>> >> have a specific text in Section 7, saying that "while deploying this
> >>> >> solution, please configure your server that way".
> >>> >>
> >>> >>> Why server should do it?
> >>> >>
> >>> >> Why shouldn't it?
> >>> >>
> >>> >>> Eduard
> >>> >>>> -----Original Message-----
> >>> >>>> From: Jen Linkova [mailto:furry13@gmail.com]
> >>> >>>> Sent: Tuesday, October 3, 2023 4:17 PM
> >>> >>>> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> >>> >>>> Cc: v6ops@ietf.org
> >>> >>>> Subject: Re: [v6ops] WGLC: draft-ietf-v6ops-dhcp-pd-per-device-02
> >>> >>>>
> >>> >>>> On Mon, Oct 2, 2023 at 5:04 AM Vasilenko Eduard
> >>> >>>> <vasilenko.eduard=40huawei.com@dmarc.ietf.org> wrote:
> >>> >>>>
> >>> >>>>> "(it should be noted that [I-D.dhcwg-dhc-rfc8415bis] deprecates
> the
> >>> >> Server
> >>> >>>> Unicast option exactly because it is not compatible with multiple
> relays
> >>> >>>> topology). Therefore as long as the Server Unicast option is not
> used, all
> >>> >> first-
> >>> >>>> hop routers shall be able to install the route for the delegates
> prefix".
> >>> >>>>> dhcwg-dhc-rfc8415bis looks critical but it is expired. Is it
> possible to
> >>> >> delete
> >>> >>>> this reference?
> >>> >>>>
> >>> >>>> Sorry, I'll fix the reference - it should be
> >>> >>>> https://datatracker.ietf.org/doc/draft-ietf-dhc-rfc8415bis/
> which is
> >>> >>>> an active draft.
> >>> >>>>
> >>> >>>>> " As per Section 18.4 of [RFC8415] the server is not supposed to
> accept
> >>> >>>> unicast traffic when it is not explicitly configured to do, and
> unicast
> >>> >>>> transmission is only allowed for some messages and only if the
> Server
> >>> >>>> Unicast option ([RFC8415], Section 21.12) is used."
> >>> >>>>> This is not relevant information - it is about the client
> transmission.
> >>> >>>>
> >>> >>>> It is relevant, because as long as the client sends multicast
> >>> >>>> messages, all routers (relays) see the message and relay it. So
> each
> >>> >>>> really would send a relay message - as a unicast - to the server.
> Each
> >>> >>>> relay would receive a unicast Relay-repy, which will be used to
> snoop
> >>> >>>> the route and send to the client.
> >>> >>>>
> >>> >>>>> Another router should see the server unicast reply to understand
> the
> >>> >> prefix.
> >>> >>>>
> >>> >>>> Indeed it would receive a unicast reply. The source address of the
> >>> >>>> IPv6 packet containing the relayed message would be the relay
> address.
> >>> >>>>
> >>> >>>>> On 9/30/2023 4:42 PM, Xipengxiao wrote:
> >>> >>>>>
> >>> >>>>> Hi Folks,
> >>> >>>>>
> >>> >>>>> This message initiates a WGLC for
> draft-ietf-v6ops-dhcp-pd-per-device-
> >>> >> 02.
> >>> >>>> The call will end on Oct 14, 2023.  Your opinion will be valued.
> >>> >>>>>
> >>> >>>>> Ron & XiPeng
> >>> >>>>>
> >>> >>>>>
> >>> >>>>>
> >>> >>>>> _______________________________________________
> >>> >>>>> v6ops mailing list
> >>> >>>>> v6ops@ietf.org
> >>> >>>>> https://www.ietf.org/mailman/listinfo/v6ops
> >>> >>>>> _______________________________________________
> >>> >>>>> v6ops mailing list
> >>> >>>>> v6ops@ietf.org
> >>> >>>>> https://www.ietf.org/mailman/listinfo/v6ops
> >>> >>>> --
> >>> >>>> SY, Jen Linkova aka Furry
> >>> >>>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> SY, Jen Linkova aka Furry
> >>> >
> >>> > _______________________________________________
> >>> > v6ops mailing list
> >>> > v6ops@ietf.org
> >>> > https://www.ietf.org/mailman/listinfo/v6ops
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >
> >
> >
> > --
> > Pascal
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
>
>
>
> --
> SY, Jen Linkova aka Furry
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email