Right.
Given a host stack that already implements CGAs for autoconfigured
addresses, I think the changes needed to allow CGAs as hints for DHCP are
fairly minor.
So I think the question is, are network administrators concerned enough
about address spoofing on networks where addresses are configured through
DHCPv6 that they would be interested in deploying this?
jak
----- Original Message -----
From: "Ralph Droms" <[EMAIL PROTECTED]>
To: "James Kempf" <[EMAIL PROTECTED]>; "Thomas Narten"
<[EMAIL PROTECTED]>
Cc: "INT Area" <[EMAIL PROTECTED]>
Sent: Wednesday, June 20, 2007 10:27 AM
Subject: Re: DHCPv6 and CGA (was: Re: [Int-area] SeND & CGA Extensions BOF)
I think the usual deployment scenario to use DHCPv6 will be to configure
routers to send RAs with M/O bits set and PIOs for prefixes on the link with
'A' bits not set. That is, hosts will be aware of prefixes on the link, for
routing decisions, while using only addresses assigned through DHCP. We've
tested this deployment scenario with Vista and some flavors of *NIX and it
works as expected.
And, I think the usual deployment scenario will be to coordinate the routers
and the DHCP service so that the same prefixes are advertised on the link
and used for address assignment.
Assuming DHCP is desired by the network administrator, the host could, in
fact, generate CGA addresses and send them to the DHCP server as a hint.
If you're postulating changes to the IPv6 stack to generate the CGAs, it
seems reasonable to me that the DHCPv6 implementation could be extended to
send the CGA as a hint.
In the case that the network administrator wants to assign an address from,
say, only one of the available prefixes on the link, I suppose the host
could generate a CGA from each prefix, and then the DHCP server can select
the appropriate CGA to actually assign.
- Ralph
On 6/20/07 12:58 PM, "James Kempf" <[EMAIL PROTECTED]> wrote:
The basic issue is that the host must know which subnet prefix to use prior to sending the DHCP REQUEST if it is to generate a CGA. The prefix is part of the CGA parameters data structure used in the hash calculation for the crypto-id, as described in Section 3 of RFC 3972. The host then includes an IA Address Option (Section 22.6 of RFC 3315) with the address in a DHCP REQUEST. So that means that the RA must include a prefix information option so that the host has the prefix in order to generate the address.
Exactly how that interacts with address autoconfiguration is something that would need to be addressed in generating the draft describing how to do CGAs with DHCP. I don't know whether hosts using DHCPv6 commonly propose addresses today, but I suspect probably not, since it isn't done in IPv4 and I suspect DHCPv6 is most commonly used in a way that works as much like the v4 case as possible. Others with more operational and deployment knowledge of DHCP use please correct me if I am wrong.
jak
----- Original Message -----
From: "Thomas Narten" <[EMAIL PROTECTED]>
To: "James Kempf" <[EMAIL PROTECTED]>
Cc: "marcelo bagnulo braun" <[EMAIL PROTECTED]>; "Stig Venaas"
<[EMAIL PROTECTED]>; "INT Area" <[EMAIL PROTECTED]>
Sent: Wednesday, June 20, 2007 8:32 AM
Subject: Re: DHCPv6 and CGA (was: Re: [Int-area] SeND & CGA Extensions BOF)
"James Kempf" <[EMAIL PROTECTED]> writes:
I think it is already possible for a node to use CGAs with DHCPv6. The node sends an Interface ID Option (Section 22.18 of RFC 3315) along with the REQUEST, containing a cryptographically generated interface id. The DHCP server assigns the address having this id. For this to work, the subnet prefixes must be advertised in the RA even though the 'M' flag is set, since the cryptographic generation process uses the subnet prefix. If the RA advertises more than one subnet, there might be a problem, since there is no way to indicate to the server which subnet the host has selected.
Do you mean that the RA must include a prefix information option? If so, with which bits set? If the autoconfigure bit must be set for this to work, that seems like a non-starter, since now there is no point in using DHCP to get an address you already legitimately have. (I don't know the details right off here, hence I'm asking.)
Thomas
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
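The prefix dependency James points to (the subnet prefix is an input to the Hash1 computation over the CGA Parameters, RFC 3972 Section 3) and Ralph's suggestion of generating one CGA per advertised prefix, as an added Python example that is not part of this thread. The public key bytes are a constructed stand-in for the DER-encoded key, only /64 prefixes are handled, and DAD is not modelled; the caller supplies the collision count.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded public key carried in the CGA
# Parameters; the hashes treat it as opaque bytes, so any bytes serve here.
PUBKEY = b"\x30\x0d" + bytes(range(13))

def prefix_bytes(prefix: str) -> bytes:
    """Leftmost 64 bits of a /64 prefix, as a host would take it from a PIO."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("CGA subnet prefix must be 64 bits")
    return net.network_address.packed[:8]

def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 condition (RFC 3972 section 4, step 3): the 16*Sec leftmost bits of
    SHA-1(modifier || 9 zero bytes || pubkey) must be zero; vacuous for Sec=0."""
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 0,
                 modifier=None, collisions: int = 0):
    """Generate a CGA for one subnet prefix (RFC 3972 section 4).
    Returns (IPv6Address, CGA Parameters); the prefix is hashed into Hash1."""
    modifier = modifier if modifier is not None else os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):  # search modifier until Hash2 fits
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = modifier + prefix + bytes([collisions]) + pubkey  # section 3 layout
    iid = bytearray(hashlib.sha1(params).digest()[:8])        # Hash1, leftmost 64 bits
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # Sec into bits 0-2, u/g bits cleared
    return ipaddress.IPv6Address(prefix + bytes(iid)), params

def verify_cga(addr, params: bytes) -> bool:
    """Verify an address against CGA Parameters (RFC 3972 section 5)."""
    modifier, prefix, collisions, pubkey = params[:16], params[16:24], params[24], params[25:]
    packed = ipaddress.IPv6Address(addr).packed
    if collisions > 2 or prefix != packed[:8]:  # steps 1-2: prefix in params must match
        return False
    sec = packed[8] >> 5
    h1 = hashlib.sha1(params).digest()[:8]      # steps 3-4: Hash1 vs interface ID,
    if (h1[0] & 0x1C) != (packed[8] & 0x1C) or h1[1:] != packed[9:]:  # ignoring Sec/u/g
        return False
    return _hash2_ok(modifier, pubkey, sec)     # steps 5-7

def cga_hints(prefixes, pubkey: bytes, sec: int = 0) -> dict:
    """One CGA per advertised prefix, so a DHCPv6 server assigning from only one
    of them can select the matching hint (the approach discussed above)."""
    return {p: generate_cga(prefix_bytes(p), pubkey, sec) for p in prefixes}
```

A CGA re-homed to another prefix fails verification at step 2 even though the interface ID is unchanged, which is why the host cannot hash first and let the server choose the prefix afterwards.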