Re: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"

To: Brian Haberman <brian at innovationslab.net>
Subject: Re: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"
From: HYUN WOOK CHA <hyunwook.cha at samsung.com>
Date: Wed, 08 Oct 2008 00:41:19 +0000 (GMT)
Cc: "narten at us.ibm.com" <narten at us.ibm.com>, "dhcwg at ietf.org" <dhcwg at ietf.org>, "ipv6 at ietf.org" <ipv6 at ietf.org>, Ted Lemon <Ted.Lemon at nominum.com>, "volz at cisco.com" <volz at cisco.com>
Delivered-to: ietfarch-ipv6-web-archive at core3.amsl.com
Delivered-to: ipv6 at core3.amsl.com
List-archive: <https://www.ietf.org/mailman/private/ipv6>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
Msgkey: 20081008003730718 at hyunwook.cha
Reply-to: hyunwook.cha at samsung.com
Sender: ipv6-bounces at ietf.org

Hello, Brian.

As I presented last IETF 6MAN meeting, our draft aims to provide automatic revocation of DHCPv6 clients in case that invocation of clients can be done in accordance with the RFC2462. Thus, requirement of our security model is that we should not intoduce additional threats to the existing specification and implementations. Since per-interface state variables are managed through timer based algorithm proposed in the draft, illegal RA messages can not stop clients as long as legal RA messages advertise the availability of DHCPv6 service. Also, we proposed two options when state variables are invalidated: 1) DHCPv6 client may refer state variables to decide whether it should keep its operation or not only after all bindings(leases) expires. 2) DHCPv6 client may be stopped immediately at the transition of variables from 1 to 0. With the first option, client can keep its operation even if state variables will be changed to 0 since legal RA messages are absent within lifetimes by any reasons. 

> It would seem quite dangerous to enable/disable DHCPv6 clients 
> arbitrarily based on bit settings in un-protected RA messages.

I agree with your point. We do not have any security methods and just consider using the SEND. 
Regards, 
Joseph

------- Original Message -------
Sender : Brian Haberman<brian at innovationslab.net> 
Date   : 2008-10-08 04:20 (GMT+09:00)
Title  : Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"

Joseph,
      Do you have a particular security model in mind for giving Router 
Advertisements the power to control software functionality on each node? 
  It would seem quite dangerous to enable/disable DHCPv6 clients 
arbitrarily based on bit settings in un-protected RA messages.

Regards,
Brian

HYUN WOOK CHA wrote:
> Hello, Ted.
> 
> That's correct. I believe that the ability to stop DHCP clients using
> M/O bits in RA is required once they were invoked by M/O bits in RA.
> 
> 
> Joseph
> 
> ------- Original Message ------- Sender : Ted
> Lemon<Ted.Lemon at nominum.com> Date   : 2008-09-30 09:36 (GMT+09:00) 
> Title  : Re: Request for Advices on the draft
> "draft-cha-ipv6-ra-mo-00.txt"
> 
> Joseph, to summarize, it sounds like you believe that the ability to
>  stop DHCP clients broadcasting on a link is a requirement.   And you
>  therefore think that deprecating the M&O bits is not the right 
> answer.   Is that correct?
> 
> 
> 
> -------------------------------------------------------------------- 
> IETF IPv6 working group mailing list ipv6 at ietf.org Administrative
> Requests: https://www.ietf.org/mailman/listinfo/ipv6 
> --------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Follow-Ups:
- RE: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"
  - From: Bernie Volz (volz)

Prev by Date: Re: what problem is solved by proscribing non-64 bit prefixes?
Next by Date: RE: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"
Previous by thread: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"
Next by thread: RE: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"
Index(es):
- Date
- Thread

Re: Re: Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.