Re: [savi] Last Call: <draft-ietf-savi-dhcp-12.txt> (SAVI Solution for DHCP) to Proposed Standard

eric levy-abegnoli <elevyabe@cisco.com> Tue, 13 March 2012 15:05 UTC

Message-ID: <4F5F623F.3030907@cisco.com>
Date: Tue, 13 Mar 2012 16:05:35 +0100
From: eric levy-abegnoli <elevyabe@cisco.com>
To: ietf@ietf.org
Cc: savi@ietf.org
Subject: Re: [savi] Last Call: <draft-ietf-savi-dhcp-12.txt> (SAVI Solution for DHCP) to Proposed Standard

Hi,
here are my substantive comments.
Look for [eric].
Eric

7.3.1. Timer Expiration Event

    EVE_ENTRY_EXPIRE: The lifetime of an entry expires

[eric] 2 minutes sounds very long. DHCP client timeout is 1 sec for the
first message, then multiplied by 2, etc. What is the rationale behind this
value, which increases the window for DoS attacks?

8. Supplemental Binding Process
[eric] This section is very unclear. The conditional SHOULD
based on "vendor ability" sounds like a "MAY" to me, which is not
what I remember of the WG consensus. In addition, hosts are not
required to (DHCP) re-configure upon link flapping, even when they
are directly attached. The text seems to indicate otherwise.
In practice, in the absence of such a mechanism, traffic will be blocked.

   8.1. Binding Recovery Process
[eric] It is unclear what the address is bound to. In the normal case,
the entry is created upon receiving a message (i.e. REQUEST) from
the client, and the anchor is stored by that time. You should
specify where the anchor comes from in this scenario, and where
it was stored (given that the section specifies the binding entry
creation on LQ Reply).

10. State Restoration
[eric] Requiring non-volatile memory sounds wrong. Other techniques
exist, such as redundant boxes (switches) synchronizing states. I
don't recall that non-volatile memory was discussed at length in the
WG, especially given that it carries its own challenges (frequency
for saving states, load incurred, etc.).
The one technique that was discussed in the WG was the Binding Recovery
process. One solution should be enough.

Eric

On 06/03/12 16:01, The IESG wrote:
> The IESG has received a request from the Source Address Validation
> Improvements WG (savi) to consider the following document:
> - 'SAVI Solution for DHCP'
>    <draft-ietf-savi-dhcp-12.txt>  as a Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2012-03-20. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>     This document specifies the procedure for creating bindings between a
>     DHCPv4 [RFC2131]/DHCPv6 [RFC3315] assigned source IP address and a
>     binding anchor [I-D.ietf-savi-framework] on SAVI (Source Address
>     Validation Improvements) device. The bindings can be used to filter
>     packets generated on the local link with forged source IP address.
>
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-ietf-savi-dhcp/
>
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-ietf-savi-dhcp/ballot/
>
> No IPR declarations have been submitted directly on this I-D.
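As an added illustration of the three points raised in the comments above (not code from the draft, the WG, or the author of the e-mail), here is a toy Python model of a SAVI-DHCP binding table: lifetime expiry (EVE_ENTRY_EXPIRE), traffic being blocked after a link flap when the host does not re-run DHCP, and binding recovery that installs an entry from a lease-query reply with the anchor taken from the port the unmatched packet arrived on. Class and method names, the lease-query reply dict, and all addresses and timers are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    anchor: str      # binding anchor, e.g. a switch port (assumed naming)
    address: str     # DHCP-assigned source IP address
    expires_at: int  # absolute time (seconds) at which the entry expires

class SaviBindingTable:
    def __init__(self):
        self.entries = {}  # (anchor, address) -> Binding

    def bind(self, anchor, address, lifetime, now):
        # Normal case: entry learned from the client's DHCP exchange seen on
        # the anchor; the lifetime follows the lease.
        self.entries[(anchor, address)] = Binding(anchor, address, now + lifetime)

    def expire(self, now):
        # EVE_ENTRY_EXPIRE: remove every entry whose lifetime has elapsed.
        dead = [k for k, b in self.entries.items() if b.expires_at <= now]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def link_flap(self, anchor):
        # Port down/up: entries learned on that anchor are lost.
        for k in [k for k in self.entries if k[0] == anchor]:
            del self.entries[k]

    def permit(self, anchor, src, now):
        # Data-plane check: forward only if (anchor, src) has a live binding.
        b = self.entries.get((anchor, src))
        return b is not None and b.expires_at > now

    def recover(self, anchor, src, lq_reply, now):
        # Binding Recovery (draft sec. 8.1): anchor is the port the unmatched
        # packet arrived on; address and remaining lease come from a
        # lease-query reply, modelled here as a constructed dict.
        if lq_reply.get("address") != src or lq_reply.get("remaining", 0) <= 0:
            return False
        self.bind(anchor, src, lq_reply["remaining"], now)
        return True

def demo():
    t = SaviBindingTable()
    t.bind("port1", "192.0.2.10", lifetime=3600, now=0)
    before = t.permit("port1", "192.0.2.10", 10)       # True: learned via DHCP
    t.link_flap("port1")
    blocked = not t.permit("port1", "192.0.2.10", 20)  # True: no re-DHCP, no entry
    reply = {"address": "192.0.2.10", "remaining": 3580}  # constructed LQ reply
    ok = t.recover("port1", "192.0.2.10", reply, 20)
    after = t.permit("port1", "192.0.2.10", 30)        # True: binding restored
    return before, blocked, ok, after
```

Without the recovery step, `demo()` shows the case the comment on section 8 describes: after the flap the host keeps its lease, never re-DHCPs, and its traffic is dropped until the entry is rebuilt some other way.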