[secdir] SECDIR and OPSDIR review of draft-ietf-dhc-vpn-option-11

"David Harrington" <ietfdbh@comcast.net> Thu, 15 October 2009 15:32 UTC

Return-Path: <ietfdbh@comcast.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2B44E28C10C for <secdir@core3.amsl.com>; Thu, 15 Oct 2009 08:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.967
X-Spam-Level:
X-Spam-Status: No, score=-1.967 tagged_above=-999 required=5 tests=[AWL=0.632, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hDePWXyWjY0V for <secdir@core3.amsl.com>; Thu, 15 Oct 2009 08:32:54 -0700 (PDT)
Received: from QMTA08.westchester.pa.mail.comcast.net (qmta08.westchester.pa.mail.comcast.net [76.96.62.80]) by core3.amsl.com (Postfix) with ESMTP id 5381328C0FF for <secdir@ietf.org>; Thu, 15 Oct 2009 08:32:54 -0700 (PDT)
Received: from OMTA13.westchester.pa.mail.comcast.net ([76.96.62.52]) by QMTA08.westchester.pa.mail.comcast.net with comcast id syL91c00317dt5G583YCv5; Thu, 15 Oct 2009 15:32:12 +0000
Received: from Harrington73653 ([24.147.240.98]) by OMTA13.westchester.pa.mail.comcast.net with comcast id t3Yw1c00U284sdk3Z3YxsE; Thu, 15 Oct 2009 15:32:58 +0000
From: David Harrington <ietfdbh@comcast.net>
To: secdir@ietf.org, opsdir@ietf.org
Date: Thu, 15 Oct 2009 11:32:55 -0400
Message-ID: <062201ca4dac$c53d4100$0600a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acok8dFSknGT3MZ4R+WLBKpRUjkJ/AmcfRKw
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Cc: raj@cisco.com, 'IETF-Discussion list' <ietf@ietf.org>, mjs@cisco.com, dhc-chairs@tools.ietf.org, iesg@ietf.org, john_brzozowski@cable.comcast.com, jayk@cisco.com, kkinnear@cisco.com
Subject: [secdir] SECDIR and OPSDIR review of draft-ietf-dhc-vpn-option-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2009 15:32:56 -0000

Hi,

I have reviewed this document as part of the Security Directorate's
ongoing effort to review all IETF documents being processed by the
IESG. ... AND ... I have performed an unofficial Operations
Directorate review.
(i.e., I wasn't assigned as the OPSDIR reviewer)

Background:

   This memo defines a Virtual Subnet Selection (VSS) option for
DHCPv4
   and DHCPv6, and a DHCPv4 relay-agent-information sub-option.  These
   are intended for use by DHCP clients, relay agents, and proxy
clients
   in situations where VSS information needs to be passed to the DHCP
   server for proper address or prefix allocation to take place.

=========================
SECDIR Review
=========================
The security review comments were written primarily for the benefit of
the security area directors. Document editors and WG chairs should
treat these comments just like any other last call comments.

I found the security considerations section reasonably thorough.
Some of the considerations are of the form "there is this known
problem; you should do whatever you can to mitigate it."
I wonder if some specific mitigation mechanisms might have been
described and standardized.

In section 4, a relay agent can insert a VSS option into a client
request, and then remove it from the server response. I am a little
concerned that the server does not actually get to differentiate which
entity is making the VSS request, and the relay is thus masquerading
as the client.

=========================
OPSDIR Review Questions:
=========================
The operations review comments were written primarily for the benefit
of the OPS area directors. Document editors and WG chairs should
treat these comments just like any other last call comments.

I do not normally work at the DHCP level, so some of my comments may
simply be misunderstandings of DHCP.

Is the document readable?
 	yes.
Does it contain nits?
 	yes.
	The document seems to lack a disclaimer for pre-RFC5378 work
Is the document class appropriate?
 	yes.
Is the problem well stated?
 	yes.
Is the problem really a problem?
 	yes.
Does the document consider existing solutions?
 	yes.
Does the solution break existing technology?
 	possibly.
	1) Section 4 says "Deploying relay
   agents which support and emit VSS sub-options in concert with
DHCPv4
   servers which do not support the VSS option or sub-option as
defined
   in this document SHOULD NOT be done, as such an ensemble will not
   operate correctly together because all of the IP addresses will be
   allocated from the global or default VPN regardless of the VPN on
   which the client's reside."

	2) I have concerns that there are potential conflicts that are
not 
	being addressed:
	"   There are many other scenarios which can be created with
multiple
   relay agents each inserting VSS information into different Relay-
   forward messages, relay agent VSS information conflicting with
client
   VSS information, or DHCP server VSS information conflicting with
   relay agent and client VSS information.  Since these scenarios do
not
   describe situations that are useful today, specifying precisely how
   to resolve all of these conflicts is unlikely to be valuable in the
   event that these scenarios actually become practical in the future.

   The current use of the VSS option and sub-option require that each
   entity knows the part that it plays in dealing with VPN data.  Each
   entity -- client, relay agent or agents, and server -- SHOULD know
   through some policy or configuration beyond the scope of this
   document whether it is responsible for specifying VPN information
   using the VSS option or sub-option or responsible for responding to
   VSS information specified by another entity, or simply ignoring any
   VSS information which it might see.

   Some simple conflict resolution approaches are discussed below, in
   the hopes that they will cover simple cases that may arise from
   scenarios beyond those envisioned today.  However, for more complex
   scenarios, or simple scenarios where appropriate conflict
resolution
   strategies differ from those discussed in this document, a document
   detailing the usage scenarios and appropriate conflict resolution
   strategies SHOULD be created and submitted for discussion and
   approval."
	
	3) section 7 says "   In either case above, care should be
taken to ensure that a client or
   relay agent receiving a reply containing a VSS option will
correctly
   understand the VSS option.  Otherwise, the client or relay agent
will
   end up using the address as though it were a global address."
	This could have a negative impact on the existing network
deployment.

Does the solution preclude future activity?
 	yes. It declares the VPN types 2-254 to be invalid "as of this
memo", but doesn't
	discuss how they could become valid in the future. The IANA
section seems to waffle
	on whether it can or cannot be expanded in the future.

Is the solution sufficiently configurable?
 	There is quite a bit of text that says the entity "has been
configured in some way"
	In some cases, the configuration MUST be done correctly for
the system to work, but the 
		configuration requirements are not detailed. 
		For example, Section 4 says "It is important to ensure
that
		each entity ... is configured correctly."
	and "There is no conflict between different entities trying to
specify
   different VSS information -- each entity knows its role through
   policy or configuration external to this document." and
	"In the event that there
   were more than one relay agent involved in this transaction, some
   external configuration or policy would be needed to inform the
DHCPv6
   server into which Relay-reply message the VSS option should go."

	These sound like normative requirements, but there is no
attempt to standardize the configuration.

Can performance be measured?  How?
 	performance measurement is not discussed.

Does the solution scale well?
 	I think this should scale as well as DHCP.
	I suppose that the server might be expected to have lots of
storage if it needs to track the address
	ranges for a large number of VPNs, but I don't think that
would be a limiting factor for a DHCP server.
 
general comments:
1. The Terminology section defines upstream and downstream using terms
that have not been defined.
It is unclear to me whether access concentrator and subscriber are
similar to server and client.

2. In section 3.4, might it be better to declare 2-254 as reserved
rather than invalid?
The text says "invalid as of this memo".
Should there be a mechanism to support enterprise-specific VSS?

3. In section 4, it says DHCP can assign the same IP address to nodes
in a VPN and in the global IP space, because the address is qualified
by the VPN. Is this always true? Is there any potential for conflict,
such as in forwarding loops, if the two addresses spaces are handled
by the same device?

4. I think section 4 would benefit from sub-sections to separate the
scenarios, and all the "in this scenario" phrases could be eliminated.
Diagrams of the scenarios would be helpful.

5. Will legacy DHCP entities ignore the VSS option by default? or will
the presence of the option somehow impact entity behaviors (e.g., by
dropping packets)?

6. In section 5, it says the relay SHOULD insert VSS information into
requests from a client. What happens if the client has inserted a VSS
option? That isn't discussed.

7. Section 5 says
   "Anytime a relay agent places a VSS option or sub-option in a DHCP
   request, it MUST send it only to a DHCP server which supports the
VSS
   option or sub-option." How does it know? is there an option
discovery mechanism?

8. In section 5, if a relays requests a specific VPN, but the server
returns an address not within that VPN, then the relay should drop the
packet. Should the relay let the server know that it dropped the
packet and why? Won't the server assume the address has actually been
assigned to the client, thus reducing the pool of available addresses?

9. In section 5,  "If an IP address that is
   on the requested VPN is not required, then the relay agent is free
to
   accept the IP address that is not on the VPN that was requested."
	Then why request it?
	Under what conditions would it not be required?
	how does the relay know whether it is or is not required?

10. In section 5, it says "There are only two pieces of information
which can be determined ..."
	but the speciied behaviors could also result from
mis-configuration, right?
	And the relay cannot tell whether it is a deliberate behavior
or a mis-configuration.

11. section 5:   " Thus, if a DHCPv4 relay agent has a requirement to
determine if the
   address allocated by a DHCPv4 server is on a particular VPN, it
must
   use some other approach than the appearance of the VSS sub-option
in
   the reply packet to make this determination."
	What other approach works?

12. section 5: "   Note that in some environments a relay agent may
choose to always
   place a VSS option or sub-option into packets and messages that it
   forwards in order to forestall any attempt by a downstream relay
   agent or client to specify VSS information.  In this case, a type
   field of 255 is used to denote the global, default VPN.  When the
   type field of 255 is used, there MUST NOT be any additional VSS
   Information in the VSS option." 
	This section does not say that the relay must check to make
sure there is
	no existing VSS option.
	Section 5 talks about relays inserting VSS options, buit does
not specify that 
	the relay must check that no VSS=255 is present in the message
already.
	But section 7.3 talks about resolving conflicting VSS options.
	I am not sure the potential conflicts abd resolutions are
covered adequately.

13. section 5.1 what does "if the relay agent is unable to honor the
server requirement" mean? 
	This could be made less ambiguous.

14. section 5.1 "   The DHCP server MUST NOT place VSS information in
an outgoing packet
   if the relay agent or DHCP client is unprepared to properly
interpret
   the VSS information." This seems ambiguous. How will the server
know if the other entities
	can properly interpret the VSS information?

s/send in/insert/

15. section 4 says "The DHCP client, in this scenario, does not know
the VPN on which it resides."
    section 6 says "   A DHCPv4 or DHCPv6 client will employ the VSS
option to communicate
   VSS information to their respective servers.  This information MUST
   be included in every message concerning any IP address on a
different
   VPN than the global or default VPN."
	these statements seem to conflict regarding the client's
knowledge.

16. section 6: "   Clients should be aware that some DHCP servers will
return a VSS
   option with different values than that which was sent in.  In
   addition, a client may receive a response from a DHCP server with a
   VSS option when none was sent in by the Client."

	So should subsequent messages from the client use the original
VSS information or
	the server-returned or relay-returned VSS info? 

	Can a return message contain multiple VSS options? If I read
the document correctly,
	multiple relays can add their own VSS options, and a server
typically copies all the
	options. If a client is expected to include the VSS option
information in subsequent 
	messages, does it include multiple VSS options? The second
paragraph of 6 says that
	is not allowed.


David Harrington
dbharrington@comcast.net
ietfdbh@comcast.net
dharrington@huawei.com