DHCPv6 Failover Protocol
draft-ietf-dhc-dhcpv6-failover-protocol-06

[Ballot comment]
A few questions that are not fully clear to me and maybe need some additional explanation in the draft (or maybe it's just me...):

- It's not fully clear to me when a TCP connection is opened or closed. Are the two servers supposed to have one long-lived connection? And if that connection is terminated for any reason, should the primary server try to re-open immediately? And if a (new) connection is (re-)open do I always need to send a CONNECT first, or only if I didn't have any connection with this server before? And if the secondary server goes down and comes up in RECOVER state (sec 8.5.1.), should it open a TCP connection to the primary server, or will always the primary server be the one that opens the connection (and if so when will it do it)?

- Also not really clear to me is why OPTION_F_MAX_UNACKED_BNDUPD  is needed and how the server should know the right value. I guess you would want to calculate this based on the send buffer, however, not all message have the same size and as such I don't know how to calculate that. And is that really needed? If messages will not be accepted by the receiver-side server, the receive window will be zero and the socket on the sending side will be blocked; no additional message can be send. What will be different if the sender knows in advance when it could potentially happen (but also might not if the other end processes the messages quickly and there is no excessive loss).

[Ballot comment]

- I support Ben's discuss about "secure mode" - a few
more details are needed, in particular how a pair
decide to use/not-use TLS - are there different ports
or a STARTTLS equivalent - I can't see that defined
here. (Is it inherited from RFC7653? If so, maybe you
need to say?)

- For the DNS update stuff - is there no need to use
TSIG secrets? If there is, how is that sync'd between
the pair of DHCP servers?  If it is sync'd then don't
you need to say that TLS is a MUST for such
connections? If there is no support for TSIG, is that
likely to work?

[Ballot discuss]
I think the security considerations need some elaboration. The draft says "When operating in secure mode...", but it doesn't discuss when one might want to run in secure more vs non-secure mode. It would be helpful to discuss actual threats. You mention TCP DoS attacks, but, for example, can an eavesdropper learn sensitive or private information? Is there a risk of someone impersonating a partner? Tampering with messages on the network?

There's a mention of using TLS certs for authentication/authorization, but I think there's more to be said there. Is there any authentication or authorization if you aren't using secure mode? How do you match a TLS certificate to the partner name?

The section opens saying that the security considerations from 3315 and 3633 apply, but I doubt either of those contemplated that you would be sending DHCP messages over TCP connections between partner servers.

[Ballot discuss]
I think the security considerations need some elaboration. The draft says "When operating in secure mode...", but it doesn't discuss when one might want to run in secure more vs non-secure mode. It would be helpful to discuss the actual threads. You mention TCP DoS attacks, but, for example, can an eavesdropper learn sensitive or private information? Is there a risk of someone impersonating a partner? Tampering with messages on the network?

There's a mention of using TLS certs for authentication/authorization, but I think there's more to be said there. Is there any authentication or authorization if you aren't using secure mode? How do you match a TLS certificate to the partner name?

The section opens saying that the security considerations from 3315 and 3633 apply, but I doubt either of those contemplated that you would be sending DHCP messages over TCP connections between partner servers.

[Ballot comment]
- 6.1.3: I'm confused by the procedure for checking OPTION_F_PROTOCOL_VERSION in the CONNECTREPLY message. The secondary already checked that it supported the version in the CONNECT message; why does the primary need to check it again? Is it expected that the secondary might choose to send a different version in the CONNECTREPLY than it received in CONNECT? Is it possible that the partners use different protocol versions at the same time?

[Ballot comment]
I have 2 questions that I would like to chat about and should be easy enough to resolve.

1. I know we've discussed in the past why there is no MUST for TLS and it having to do with DHCPv6 use on private networks or isolated.  Is there text in one of the more recent RFCs that covers this explanation that can be cited?  I'd like to make sure that's enough too.

2. The Security Considerations section says not to use Authentication from RFC3316.  SHould authentication instead be done within TLS or how will the session be authenticated.  Did I miss something?  I'm not finding the term authentication elsewhere in the draft and can infer things, but wanted to make sure since nothing is stated explicitly.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-dhc-dhcpv6-failover-protocol-03.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator understands that, upon approval of [ RFC-to-be ], there are three actions which we must complete.

First, in the Message Types subregistry of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) registry located at:

https://www.iana.org/assignments/dhcpv6-parameters/

twelve new Message Types are to be registered as follows:

Value Description Reference
-----------------------+-------------------------+----------------
[ TBD-at-Registration ] BNDUPD [ RFC-to-be ]
[ TBD-at-Registration ] BNDREPLY [ RFC-to-be ]
[ TBD-at-Registration ] POOLREQ [ RFC-to-be ]
[ TBD-at-Registration ] POOLRESP [ RFC-to-be ]
[ TBD-at-Registration ] UPDREQ [ RFC-to-be ]
[ TBD-at-Registration ] UPDREQALL [ RFC-to-be ]
[ TBD-at-Registration ] UPDDONE [ RFC-to-be ]
[ TBD-at-Registration ] CONNECT [ RFC-to-be ]
[ TBD-at-Registration ] CONNECTREPLY [ RFC-to-be ]
[ TBD-at-Registration ] DISCONNECT [ RFC-to-be ]
[ TBD-at-Registration ] STATE [ RFC-to-be ]
[ TBD-at-Registration ] CONTACT [ RFC-to-be ]

Second, in the Option Codes subregistry of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) registry located at:

https://www.iana.org/assignments/dhcpv6-parameters/

twenty-one new Option Codes are to be registered as follows:

Value Description Reference
-----------------------+--------------------------------+----------------
[ TBD-at-Registration ] OPTION_F_BINDING_STATUS [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_CONNECT_FLAGS [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_DNS_REMOVAL_INFO [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_DNS_HOST_NAME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_DNS_ZONE_NAME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_DNS_FLAGS [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_EXPIRATION_TIME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_MAX_UNACKED_BNDUPD [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_MCLT [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_PARTNER_LIFETIME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_PARTNER_LIFETIME_SENT [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_PARTNER_DOWN_TIME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_PARTNER_RAW_CLT_TIME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_PROTOCOL_VERSION [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_KEEPALIVE_TIME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_RECONFIGURE_DATA [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_RELATIONSHIP_NAME [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_SERVER_FLAGS [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_SERVER_STATE [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_START_TIME_OF_STATE [ RFC-to-be ]
[ TBD-at-Registration ] OPTION_F_STATE_EXPIRATION_TIME [ RFC-to-be ]

Because this registry requires Expert Review [RFC5226] for registration, we've contacted the IESG-designated expert in a separate ticket to request approval. Expert review should be completed before your document can be approved for publication as an RFC.

Third, in the Status Codes subregistry of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) registry located at:

https://www.iana.org/assignments/dhcpv6-parameters/

seven new Status Codes are to be registered as follows:

Value Description Reference
-----------------------+--------------------------------+----------------
[ TBD-at-Registration ] AddressInUse [ RFC-to-be ]
[ TBD-at-Registration ] ConfigurationConflict [ RFC-to-be ]
[ TBD-at-Registration ] MissingBindingInformation [ RFC-to-be ]
[ TBD-at-Registration ] OutdatedBindingInformation [ RFC-to-be ]
[ TBD-at-Registration ] ServerShuttingDown [ RFC-to-be ]
[ TBD-at-Registration ] DNSUpdateNotSupported [ RFC-to-be ]
[ TBD-at-Registration ] ExcessiveTimeSkew [ RFC-to-be ]

The IANA Services Operator understands that these three actions are the only ones required to be completed upon approval of [ RFC-to-be ].

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: "Bernie Volz" , volz@cisco.com, dhc-chairs@ietf.org, suresh.krishnan@ericsson.com, draft-ietf-dhc-dhcpv6-failover-protocol@ietf.org, dhcwg@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (DHCPv6 Failover Protocol) to Proposed Standard


The IESG has received a request from the Dynamic Host Configuration WG
(dhc) to consider the following document:
- 'DHCPv6 Failover Protocol'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-01-19. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  DHCPv6 as defined in "Dynamic Host Configuration Protocol for IPv6
  (DHCPv6)" (RFC3315) does not offer server redundancy.  This document
  defines a protocol implementation to provide DHCPv6 failover, a
  mechanism for running two servers with the capability for either
  server to take over clients' leases in case of server failure or
  network partition.  It meets the requirements for DHCPv6 failover
  detailed in "DHCPv6 Failover Requirements" (RFC7031).




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-failover-protocol/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-failover-protocol/ballot/


No IPR declarations have been submitted directly on this I-D.

Write up for draft-ietf-dhc-dhcpv6-failover-protocol(-03).txt:


(1) What type of RFC is being requested (BCP, Proposed Standard,
    Internet Standard, Informational, Experimental, or Historic)? Why
    is this the proper type of RFC? Is this type of RFC indicated in
    the title page header?

Standards Track. This is the proper type as it defines a new proposed
standard for a DHCPv6 failover protocol.


(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement
    Write-Up. Recent examples can be found in the "Action"
    announcements for approved documents. The approval announcement
    contains the following sections:

Technical Summary:

This document defines a protocol implementation to provide DHCPv6
failover, a mechanism for running two servers with the capability
for either server to take over clients' leases in case of server
failure or network partition.  It meets the requirements for DHCPv6
failover detailed in "DHCPv6 Failover Requirements" (RFC7031).

Working Group Summary:

This document defines the DHCPv6 failover protocol based on the
requirements outlined in "DHCPv6 Failover Requirements" (RFC7031).

Document Quality:

This document has had thorough reviews by many interested and
knowledgeable folks, and is based on the DHCPv4 failover design
which had many years of review but never made it to the IESG.
There were no significant points of difficulty or controversy
with the contents of the document.

Personnel:

Bernie Volz is the document shepherd. Suresh Krishnan is the
current responsible AD.


(3) Briefly describe the review of this document that was performed by
    the Document Shepherd. If this version of the document is not
    ready for publication, please explain why the document is being
    forwarded to the IESG.

I read the document thoroughly several times, and submitted editorial
and technical suggestions to the authors, which they implemented. I
believe it is ready for publication.


(4) Does the document Shepherd have any concerns about the depth or
    breadth of the reviews that have been performed?

No, the document has had a good deal of careful review.


(5) Do portions of the document need review from a particular or from
    broader perspective, e.g., security, operational complexity, AAA,
    DNS, DHCP, XML, or internationalization? If so, describe the
    review that took place.

No.


(6) Describe any specific concerns or issues that the Document
    Shepherd has with this document that the Responsible Area Director
    and/or the IESG should be aware of? For example, perhaps he or she
    is uncomfortable with certain parts of the document, or has
    concerns whether there really is a need for it. In any event, if
    the WG has discussed those issues and has indicated that it still
    wishes to advance the document, detail those concerns here.

I think the document is good as written, and serves a useful purpose.

I know of a commercial product (Cisco Prime Network Registrar) that
has implemented a protocol that is very similar to the draft protocol
and it has been deployed in large service provider's networks (as well
as many other deployments).


(7) Has each author confirmed that any and all appropriate IPR
    disclosures required for full conformance with the provisions of
    BCP 78 and BCP 79 have already been filed. If not, explain why?

Yes I have confirmed with co-authors.


(8) Has an IPR disclosure been filed that references this document? If
    so, summarize any WG discussion and conclusion regarding the IPR
    disclosures.

No IPR disclosures have been filed.


(9) How solid is the WG consensus behind this document? Does it
    represent the strong concurrence of a few individuals, with others
    being silent, or does the WG as a whole understand and agree with it?

There is a strong consensus behind this document and in particular from
very active WG participants (i.e. "DHCP experts").


(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarise the areas of conflict in
    separate email messages to the Responsible Area Director. (It
    should be in a separate email because this questionnaire is
    publicly available.)

No.


(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the
    Internet-Drafts Checklist). Boilerplate checks are not enough;
    this check needs to be thorough.

There are none.


(12) Describe how the document meets any required formal review
    criteria, such as the MIB Doctor, media type, and URI type
    reviews.

N/A


(13) Have all references within this document been identified as
    either normative or informative?

Yes (there are 13 normative references; and 1 informative).


(14) Are there normative references to documents that are not ready
    for advancement or are otherwise in an unclear state? If such
    normative references exist, what is the plan for their
    completion?

No.


(15) Are there downward normative references references (see RFC
    3967)? If so, list these downward references to support the Area
    Director in the Last Call procedure.

No.


(16) Will publication of this document change the status of any
    existing RFCs? Are those RFCs listed on the title page header,
    listed in the abstract, and discussed in the introduction? If the
    RFCs are not listed in the Abstract and Introduction, explain
    why, and point to the part of the document where the relationship
    of this document to the other RFCs is discussed. If this
    information is not in the document, explain why the WG considers
    it unnecessary.

No.


(17) Describe the Document Shepherd's review of the IANA
    considerations section, especially with regard to its consistency
    with the body of the document. Confirm that all protocol
    extensions that the document makes are associated with the
    appropriate reservations in IANA registries. Confirm that any
    referenced IANA registries have been clearly identified. Confirm
    that newly created IANA registries include a detailed
    specification of the initial contents for the registry, that
    allocations procedures for future registrations are defined, and
    a reasonable name for the new registry has been suggested (see
    RFC 5226).

There are IANA actions and they are compatible with DHC WG IANA actions
and add new messages, options, and error status codes to the DHCPv6
registries.


(18) List any new IANA registries that require Expert Review for
    future allocations. Provide any public guidance that the IESG
    would find useful in selecting the IANA Experts for these new
    registries.

There are no new registries.


(19) Describe reviews and automated checks performed by the Document
    Shepherd to validate sections of the document written in a formal
    language, such as XML code, BNF rules, MIB definitions, etc.

There are no such parts to the document.

Hi:

I believe we have sufficient rough consensus to move this document forward given the two WGLCs done for this document, the thorough reviews done before the WGLCs, the fact that this builds on the DHCPv4 failover work (which never did get to RFC), and the fact that it has essentially been implemented and is operating in the field.

An update will be needed to address the minor comments raised during this WGLC by Naiming, Tianxiang, and Marcin. Once updated (and changes confirmed), I can finish the shepherd document and request publication.

We did extend the WGLC by about a week, but no new reviews were received. If you do have additional comments, please provide them ASAP so that they can be resolved before sending the document onward.

- Bernie

Hi all,

This message starts the DHC Working Group Last Call to advance draft-ietf-dhc-dhcpv6-failover-protocol-02, DHCPv6 Failover Protocol. This document’s intended status is Proposed Standard. At present, there is no IPR file against this document.

Please send your comments by September 12, 2016. If you do not feel this  document should advance, please state your reasons why.

Note: We are trying another WGLC based on the discussion regarding this document led by Tomek at the Berlin (IETF-96) meeting and the feedback from those in attendance (see https://www.ietf.org/proceedings/96/minutes/minutes-96-dhc).

Bernie Volz is the assigned shepherd (Tomek is a co-author).

- Tomek & Bernie

PS: I decided to make this a 3 week WGLC because some may still be on summer holiday and because of Labor Day (September 5) in the United States. And, some may be need a break from reviewing draft-ietf-dhc-rfc3315bis-05 for the just ending WGLC (August 22nd).

The protocol draft is replacing the design as there is little that would be left in the design document that is not already addressed in the protocol document.