[dhcwg] Comments for draft-ietf-dhc-dhcpv4-leasequery-00.txt

[Ted Lemon <mellon at fugue.com>]

There are a lot of editorial comments here, and a few comments having  
to do with protocol issues.   I should note that we have had no  
independent readings of the document other than mine, and it received  
no support during the working group last call.   As of now I believe  
the document requires revision before we do another working group last  
call, so there's no need to rush in now and state your support for it.

Thanks to Kim, Bernie, Neil and Mark for their hard work in merging  
the two previous bulk leasequery documents.   I'm sorry my comments  
here are so voluminous, but I feel like they were worth the effort it  
took to do them, and I hope the authors take them as constructive and  
not nitpicky.



This:

The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) has been  
extended with a Leasequery capability that allows a requestor to  
request information about DHCPv4 bindings. That mechanism is limited  
to queries for individual bindings. In some situations individual  
binding queries may not be efficient, or even possible. This document  
expands on the DHCPv4 Leasequery protocol to allow for bulk transfer  
of DHCPv4 address binding data via TCP.

Might be better worded this way:

The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) Leasequery  
extension allows a requestor to request information about DHCPv4  
bindings. This mechanism is limited to queries for individual  
bindings. In some situations individual binding queries may not be  
efficient, or even possible. This document extends the DHCPv4  
Leasequery protocol to allow for bulk transfer of DHCPv4 address  
binding data via TCP.

Page 3:

configured DHCPv4 servers (see Figure 1). In this process, some relay  
agents also glean the lease information sent by the server and  
maintain this locally. This information is used for a variety of  
purposes, including prevention of spoofing attempts from the DHCPv4  
clients and to install routes. When a relay agent reboots, this  
information is frequently lost.

maybe change to this:

configured DHCPv4 servers (see Figure 1). In this process, some relay  
agents also glean lease information sent by the server and cache it  
locally. This information is used for a variety of purposes.   Two  
examples are prevention of spoofing attempts from the DHCPv4 clients,  
and installation of routes. When a relay agent reboots, this  
information is frequently lost.

Page 4:

Different query types are needed where a relay agent can query the  
server without waiting for the traffic from or for the clients, as  
well as a different transmission technique more conducive to the  
transmission of large quantities of data.

maybe change to this:

Some applications require the ability to query the server without  
waiting for traffic from or to clients. This query capability in turn  
requires an underlying transport more suitable to the bulk  
transmission of data.

Page 7:

For a DSLAM having multiple DSL ports, multiple IP addresses may be  
assigned using DHCPv4 to a single port and the number of DHCPv4  
clients on a port may be unknown. The DSLAM may also not know the  
network portions of the IP addresses that are assigned to its DHCPv4  
clients.

maybe change to this:

For a DSLAM having multiple DSL ports, multiple IP addresses may be  
assigned to DHCPv4 clients on a single port and the number of DHCPv4  
clients on that port may be unknown. The DSLAM may also not know the  
network portions of the IP addresses that are assigned to its DHCPv4  
clients.

Page 8:

The existing data driven approach required by [RFC4388] means that the  
Leasequeries can only be performed after an Access Concentrator  
receives data. To implement antispoofing, packets need to be dropped  
until it gets the lease information from DHCPv4 server. If an Access  
Concentrator finishes the Leasequeries before it starts receiving  
data, then there is no need to drop legitimate packets. In this way,  
outage time may be reduced.

to:

The existing data driven approach required by [RFC4388] means that the  
Leasequeries can only be performed after an Access Concentrator  
receives data. To implement antispoofing, the concentrator must drop  
packets for each client until it gets lease information from DHCPv4  
server for that client. If an Access Concentrator finishes the  
Leasequeries before it starts receiving data, then there is no need to  
drop legitimate packets. In this way, outage time may be reduced.

Page 15:

The start-time-of-state option allows the receiver to determine the  
time at which the IP address transitioned into its current state.

to:

The start-time-of-state option allows the receiver to determine the  
time at which the IP address made the transition into its current state.

Page 16, section 7.2.5:

You have a lot of admonitions about what the query start time must be  
and must not be, which I don't think actually communicate what you  
want the implementation to do.   You should just tell the  
implementation how to compute this value; otherwise I don't see how an  
interoperable implementation that follows the rules you've given here  
is possible.

maybe something like this:

7.2.5. query-start-time

The query-start-time option specifies a start query time to the DHCPv4  
server. If specified, only bindings that have changed on or after the  
query-start-time should be included in the response to the query.    
The requester MUST compute the query-start-time relative to a lease it  
has recovered from stable storage, and MUST specify that time in terms  
of the DHCPv4 server's clock at the time of the query recovered from  
stable storage.

For example, suppose the requester had previously received information  
on a lease from the server.   At that time, the server had sent a base- 
time option containing a time of X.   Subsequently the server sent a  
DHCPLEASEACTIVE message with a lease time of Y.   If this is the last  
lease the requester remembers receiving, it would use X+Y for the  
query start time, indicating that it would like to receive all updates  
from that time onward.

The same comment applies to query-end-time.

In section 7.2.7, I don't really understand why the relay agent needs  
to know more than that the lease is still active, or is no longer  
active.   This seems to be an extension on the functionality provided  
by DHCPLEASEQUERY, relating to failover, but (a) it seems unnecessary,  
(b) I have no idea what the DSLAM would do with it, and (c) because of  
that, it seems like it could result in interoperability problems as  
different implementors make different guesses as to how to handle  
it.   You could save a lot of text by just taking this out.   Same  
with data-source.

I can see where it might be helpful to use this for disambiguating in  
cases where one server reports a lease as free and another reports it  
as allocated, but it might be better to simply specify rules for when  
a server should claim to have knowledge about a lease - if a  
particular IP address is in its peer's pool, and is not known to have  
been allocated, perhaps that IP address should simply not be mentioned  
in a DHCPBULKLEASEQUERY reply.   It would be entirely permissible and  
expected in some cases for that to happen.

Page 21:

Messages from the DHCPv4 server come as multiple responses to a single  
DHCPBULKLEASEQUERY message. Thus, each DHCPBULKLEASEQUERY request MUST  
have a xid (transaction-id) unique on the connection on which it is  
sent, and all of the messages which come as a response to it all  
contain the same xid as the request. It is the xid which allows the  
data-streams of two different DHCPBULKLEASEQUERY requests to be  
demultiplexed by the requestor.

to:

Messages from the DHCPv4 server come as multiple responses to a single  
DHCPBULKLEASEQUERY message. Thus, each DHCPBULKLEASEQUERY request MUST  
have a xid (transaction-id) unique on the connection on which it is  
sent.   All of the messages which come as a response to that message  
will contain the same xid as the request. It is the xid which allows  
the data-streams of two different DHCPBULKLEASEQUERY requests to be  
demultiplexed by the requestor.

Page 21:

A requestor MAY send a DHCPBULKLEASEQUERY request to a DHCPv4 server  
and immediately close the transmission side of its TCP connection, and  
then read the resulting response messages from the DHCPv4 server. This  
is not required, and the usual approach is to leave both sides of the  
TCP connection up until at least the conclusion of the Bulk Leasequery.

You don't need to say this; I would take it out.

Page 23:

Both of the query-start-time and query-end-time options (if they  
appear) MUST be in the time context of the DHCPv4 server to which the  
Bulk Leasequery is directed. In the absence of information to the  
contrary, the requestor SHOULD assume that the time context on the  
DHCPv4 server is identical to the time context on the requestor.

In the event that previous operations have determined that the time  
context on the DHCPv4 server to which the Bulk Leasequery is addressed  
differs from the time context of the requestor, the time context of  
the DHCPv4 server MUST be used. Use of the query-start-time or the  
query-end-time options or both can serve to reduce the amount of data  
transferred over the TCP connection by a considerable amount.

You really haven't told us what to do here.   I don't see how  
interoperability can be achieved.   See my comments on these options  
earlier.   I would just delete this text, since you already have text  
explaining this earlier in the document.

Page 23:

If the TCP connection becomes blocked or stops being writeable while  
the requestor is sending its query, the requestor SHOULD be prepared  
to terminate the connection after BULK_LQ_DATA_TIMEOUT. We make this  
recommendation to allow requestors to control the period of time they  
are willing to wait before abandoning a connection, independent of  
notifications from the TCP implementations they may be using.

How does an implementation "prepare to terminate" the connection?   I  
think what you mean is something like this:

The TCP connection may become blocked or stop being writeable while  
the requestor is sending its query.   Should this happen, the  
implementation's behavior is controlled by two variables:  
BULK_LQ_DATA_TIMEOUT, and whatever configuration the operator may have  
provided.   When this situation is detected, the requester SHOULD set  
a timer using the lesser of BULK_LQ_DATA_TIMEOUT or the operator- 
configured timeout.   If that timer expires, the requester SHOULD  
terminate the connection.

This same comment applies to section 8.3, and the prescribed antidote  
is the same.

Also on Page 23:

If a response message does not contain a DHCPv4 server-identifier  
option (option 54), then the server-identifier option from the  
previous message should be used. Thus, the DHCPv4 server MUST send the  
server-identifier option in the first response message, and MAY send  
it in subsequent response message for the same request.

Why aren't you saying this?

The DHCPv4 server MUST send a server-identifier option (option 54) in  
the first response to any DHCPBULKLEASEQUERY message.   The DHCPv4  
server SHOULD NOT send server identifier options in subsequent  
responses to that DHCPBULKLEASEQUERY message.   The requester MUST  
cache the server-identifier option from the first response and apply  
it to any subsequent responses.

(In a large response dataset, the space consumed by repetition of the  
same server-identifier option could be substantial.   Either that, or  
make sending the option mandatory in every message.   If you have to  
have this code in the requester, might as well take advantage of it.)

Section 8.4 is unimplementable as written.   I'm sure it describes an  
implementation that someone has done, but it provides no concrete  
guidance or math for the implementor.   As such, it should either be  
deleted, or made explicit.

Regarding section 8.6, as I've said previously in this commentary, I  
think it would be better to specify the client behavior in such a way  
that the conflicts proposed in this section simply do not happen.    
This section is not specific enough to foster interoperability.

Page 28:

A server MAY process more than one query at a time. A server that does  
not support more than one query at a time on a single connection MUST  
return a DHCPLEASEQUERYDONE message containing a dhcp-message option  
with a status-code of NotAllowed to the unsupported queries.  
Alternatively, a server that does not support more than one query at a  
time on a single connection MAY chose to simply read one query and  
only read any subsequent queries after processing of the current query  
is complete.

There are two problems with this paragraph.   First, you have given  
implementors an option where no option is necessary.   Just specify  
one or the other.   Second, if you specify that the server needn't  
read each message from the connection until it's ready to process it,  
then you need to change the last paragraph in section 8.2, since a  
conforming implementation could easily set up a situation where the  
connection appears to be blocked, which would trigger the requester to  
drop the connection, even though nothing was wrong.

Section 8.8:

Either the requestor or DHCPv4 server MAY close the TCP connection at  
any time. The requestor MAY choose to retain the connection if it  
intends to issue additional queries or if other queries are currently  
using the connection. Note that this requestor behavior does not  
guarantee that the connection will be available for additional  
queries: the server might decide to close the connection based on its  
own configuration.

This seems broken.   It's easy to imagine situations where one side or  
the other closes the connection in compliance with this statement and  
triggers a timeout on the other end which causes legitimate data to be  
discarded.   I think you need to specify a non-error connection  
termination protocol to make this work (and you should - otherwise  
nobody's allowed to close the connection, which would be worse).

In section 9.1, you seem to be specifying an authorization model based  
on the IP source-address of the requestor.   You do not mention this  
in the security considerations section.   This is likely to trigger  
pushback from the IESG.

You use the same "should be prepared" language in these sections that  
you used in section 8.2 and 8.3.   You need to specify exactly what  
the server does, not just say "should be prepared."   The language I  
suggested for section 8.2, with appropriate modifications, would be  
acceptable here as well, at least to me.

Page 30, 31:

A Bulk Leasequery response MUST contain no more than one message for  
each IP address configured in the DHCPv4 server. In addition, a Bulk  
Leasequery may well take significant time between the beginning and  
end of the processing of all of the messages required to satisfy the  
Bulk Leasequery query. During this time, the state of some of the IP  
addresses sent early in the response may change prior to the  
completion of the entire response to the Bulk Leasequery. This is  
normal and expected -- there is no requirement for the entire response  
to a Bulk Leasequery to represent an instantaneous snapshot of the  
state of the IP address bindings of a DHCPv4 server. Quite the  
contrary -- as the cursor moves through the IP addresses in whatever  
order is convenient to the DHCPv4 server, the state of IP addresses  
already examined can change and a DHCPv4 server MUST NOT try to  
examine IP addresses already scanned in an attempt to "keep up" with  
the ongoing state changes of all of the IP addresses. To do so would  
make it difficult to meet the requirement to send only one message per  
IP address in response to a Bulk Leasequery and would also make it  
difficult to know when to finish the Bulk Leasequery.

to:

When responding to a DHCPBULKLEASEQUERY message, the DHCPv4 server  
MUST NOT send more than one message for each applicable IP address,  
even if the state of some of those IP addresses changes during the  
processing of the message.   Updates to such IP address state are  
already handled by normal protocol processing, so no special effort is  
needed here. (I hope!)

Page 33:

A DHCPv4 server MAY always compare the address binding information for  
an IP address against a time window if it follows the following  
guidelines. If there is no query-start-time, then the DHCPv4 server  
MUST assume the query-start-time is equivalent to a time prior to any  
time that resides in any IP address binding. If there is no query- end- 
time, the DHCPv4 server MUST assume that the query-end-time is  
equivalent to a time that is later than any time that resides in any  
IP address binding.

You can't use "MAY" like this.   This text is an implementation  
suggestion; I would suggest that you state this simply in terms of  
requirements, without talking about how those requirements might be  
implemented.

Also page 33:

Even if the query-start-time or query-end-time option value is being  
used to limit the amount of data flow from the DHCPv4 server to the  
requestor, there is no requirement placed on the DHCPv4 server to  
return address binding data in any order and certainly not in any  
order based on time.

When the DHCPv4 server has no additional information to send to the  
requestor, it will send a DHCPLEASEQUERYDONE message.

to:

The DHCPv4 server MAY return address binding data in any order, as  
long as binding information for any given IP address is not  
repeated.   When all binding data for a given DHCPBULKLEASEQUERY has  
been sent, the DHCPv4 server MUST send a DHCPBULKLEASEQUERYDONE message.

Page 34:

[RFC2131] and [RFC4388] specify that every response message MUST  
contain the server-identifier option. However, that option will be the  
same for every response from a particular DHCPBULKLEASEQUERY request.  
Thus, the DHCPv4 server MUST include the server-identifier option in  
the first message sent in response to a DHCPBULKLEASEQUERY. It MAY  
include the server-identifier in later messages as well, but there is  
no requirement for it to do so.

I strongly suggest that you change the MAY here to a SHOULD NOT.    
Also, note that you are repeating something you specified earlier, so  
it would be good to delete one or the other paragraph.

Also on page 34:

The message type of DHCPLEASEACTIVE or DHCPLEASEUNASSIGNED is based on  
the value of the dhcp-state option.  If the dhcp-state option value is  
ACTIVE, then the message type is DHCPLEASEACTIVE, otherwise the  
message type is DHCPLEASEUNASSIGNED.

Once again I suggest you get rid of the dhcp-state message and simply  
say what should happen here for IP addresses that are managed by  
failover and those that are managed by a single server.

Specifically, any IP address that is in the FREE state on the primary  
is DHCPLEASEUNASSIGNED.   Any IP address that is in the BACKUP state  
on the primary is not reported on at all.   Any IP address that is in  
the FREE state on the secondary is not reported on at all.   Any IP  
address that is in the BACKUP state on the secondary is  
DHCPLEASEUNASSIGNED.   Likewise for all the other permutations; I  
think that in any of the states where the failover peer would renew  
the lease, it's active, and in states where it wouldn't renew the  
lease, it's either unassigned, or shouldn't be mentioned.

Also, in point 4, you mention a grace period on the expired state, but  
as far as I know no such thing exists.

Page 35:

As discussed in Section 8.3, requestors may want to leverage an  
existing connection if they need to make multiple queries. Servers MAY  
support reading and processing multiple queries from a single  
connection. A server MUST NOT read more query messages from a  
connection than it is prepared to process simultaneously.

to:

As discussed in Section 8.3, requestors may want to use a connection  
that has already been established when they need to make additional  
queries. Servers MAY support reading and processing multiple queries  
from a single connection. A server MUST NOT read more query messages  
from a connection than it is prepared to process simultaneously.

And:

DHCPv4 server implementations may offer administrative control to  
enable or disable this feature. DHCPv4 server implementations that are  
able to process queries in parallel should offer be configurable to  
limit the number of simultaneous queries permitted from any one  
requester.

[And in total?]

Page 36:

The server MUST close its end of the TCP connection if it encounters  
an error sending data on the connection. The server MUST close its end  
of the TCP connection if it finds that it has to abort an in- process  
request. A server aborting an in-process request SHOULD attempt to  
signal that to its requestors by using the QueryTerminated status code  
in the dhcp-message option in a DHCPLEASEQUERYDONE message, including  
a message string indicating details of the reason for the abort. If  
the server detects that the requesting end of the connection has been  
closed, the server MUST close its end of the connection after it has  
finished processing any outstanding requests.

This is in conflict with section 8.8, which says the server can drop  
the connection at any time.   Also, why should the server finish  
processing outstanding requests if the remote end of the connection  
has closed?   Shouldn't it just drop the connection immediately?

Section 10:

As I mentioned earlier, the only authorization model for this protocol  
is based on the requestor's IP address, and there is no  
authentication.   At a minimum this should be mentioned in the  
security considerations section.

I think the appendix belongs in a requirements document, or on the  
mailing list, not in the draft.