Conflict between RA and DHCP in MIF case

Hui Deng <denghui02@gmail.com> Mon, 14 November 2011 01:46 UTC

Date: Mon, 14 Nov 2011 09:46:47 +0800
Message-ID: <CANF0JMCo8ZnXtY7DKcoeGApYKu0Enq=O-DFvSmrmkjpSUWzB9g@mail.gmail.com>
Subject: Conflict between RA and DHCP in MIF case
From: Hui Deng <denghui02@gmail.com>
To: ipv6@ietf.org, MIF Mailing List <mif@ietf.org>, dhc WG <dhcwg@ietf.org>

Hello 6MAN and DHCP,

Special thanks to *Wes Beebee*, Hemant Singh, Brian Carpenter, Alex and
Ted for the discussion.

MIF is going to discuss the conflict between RA and DHCP in the Tuesday
afternoon MIF session (15:20-17:00).
The author, Tomasz, has proposed the resolution below:

The problem is about potential conflict between RA and DHCP. Our
proposed answer is as follows:

RA provides configuration to all hosts in a network. DHCP can provide
configuration on a per host basis. Therefore it may be useful to use
DHCP to "override" configuration for some hosts in a network (e.g.
engineering department has extra routes defined for a lab network). As
such, DHCP should be preferred.

However, there is also a matter of security. Both RA and DHCPv6 can be
secured. If SEND is deployed, RA is more trustworthy than DHCP, so it
should be preferred. Finally, there is such a thing as secure DHCP, so if
both RA and DHCP are secure, prefer SEND. I must admit that I never
heard about any realistic deployments of secure DHCP, but it will change
over time.

This approach can be summed up as: favor secure, favor DHCP. Or to be more
explicit, there's a complete list of all cases:
a) RA vs DHCP => prefer DHCP
b) RA(SEND) vs DHCP => prefer RA
c) RA vs secure DHCP => prefer DHCP
d) RA(SEND) vs secure DHCP => prefer DHCP

Does it sound reasonable?

This approach is very similar to what was described in DNS configuration
over RA and DHCP (except the part about both RA and DHCP being secure
that is not covered in RFC6106).

To summarize the discussion so far, Ted Lemon on the MIF list agreed that
DHCP should be preferred. Hemant Singh on the 6MAN list suggested looking
at what DNS over RA proposes and using the same approach. RFC6106, section
5.3.1 covers cases a) and b). c) and d) are a logical extension that takes
DHCPv6 security into consideration. My understanding is that the proposed
solution will be satisfactory to everyone.
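
The following is an added illustration, not part of the original message or of any MIF draft: a host-side sketch that applies the enumerated cases a) through d) exactly as listed when RA and DHCP both supply a route for the same prefix. The `Source` type, the function names, the sample prefixes and next hops, and the choice to keep entries that only one source supplies are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Source:
    name: str                 # "RA" or "DHCP"
    secured: bool             # RA: validated with SEND; DHCP: secure DHCP
    routes: dict = field(default_factory=dict)   # prefix -> next hop

def preferred(ra: Source, dhcp: Source) -> Source:
    """Cases a)-d) as listed in the message: RA wins only when it is
    SEND-protected and DHCP is not (case b); otherwise DHCP wins."""
    if ra.secured and not dhcp.secured:
        return ra
    return dhcp

def merge_routes(ra: Source, dhcp: Source):
    """Return (merged, conflicts).

    merged maps prefix -> (next_hop, source_name). Assumption of this
    example: a prefix only one source announces is kept as is; the
    preference rule decides only prefixes that both announce with
    different next hops. conflicts lists those prefixes so the decision
    can be logged.
    """
    winner = preferred(ra, dhcp)
    loser = dhcp if winner is ra else ra
    conflicts = sorted(
        p for p in winner.routes
        if p in loser.routes and loser.routes[p] != winner.routes[p]
    )
    merged = {p: (nh, loser.name) for p, nh in loser.routes.items()}
    merged.update({p: (nh, winner.name) for p, nh in winner.routes.items()})
    return merged, conflicts

# Constructed sample data: the RA gives every host a default route and a
# lab route; DHCP overrides the lab route for one engineering host.
LAB = "2001:db8:ab::/48"
RA_ROUTES = {"::/0": "fe80::1", LAB: "fe80::1"}
DHCP_ROUTES = {LAB: "fe80::2"}

def lab_route(ra_secured: bool, dhcp_secured: bool):
    ra = Source("RA", ra_secured, dict(RA_ROUTES))
    dhcp = Source("DHCP", dhcp_secured, dict(DHCP_ROUTES))
    merged, _ = merge_routes(ra, dhcp)
    return merged[LAB]

if __name__ == "__main__":
    for case, flags in zip("abcd", [(False, False), (True, False),
                                    (False, True), (True, True)]):
        print(case, lab_route(*flags))
```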