Re: TSVDIR review of draft-ietf-dhc-dhcpv4-bulk-leasequery

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, Kim,

First, thank you for your detailed response to my quite lengthy review.

Some further clarifications and confirmations appear below.

Joe

On 2/17/2012 12:09 PM, Kim Kinnear wrote:

Joe,

Thank you for your review.

My responses are indented, below...

On Feb 13, 2012, at 5:00 PM, Joe Touch wrote:

Hi, all,

> I've reviewed this document as part of the transport area
directorate's ongoing effort to review key IETF documents. These
comments were written primarily for the transport area directors,
but are copied to the document's authors for their information and
to allow them to address any issues raised. The authors should
consider this review together with any other last-call comments
they receive. Please always CC tsv-dir@xxxxxxxx if you reply to or
forward this review.

This request was received Feb. 2, 2012.

This document describes an extension to DHCPv4 for the bulk query
andtransfer of current lease status over TCP.

The following transport issues were noted, and are significant:

UPDATES- The document updates DHCP with support for TCP, and as
suchthis document seems like it should UPDATE RFC2131

	While this document clearly builds on RFC 2131, it
	doesn't actually change anything that anyone is doing
	that is currently based on RFC 2131.  My understanding of
	"updates" is that, in order to understand the first RFC
	(in this case, RFC 2131), you need to read all of the
	RFC's that "update" it.  That isn't the case here -- you
	can be very happy reading and implementing DHCPv4 by
	reading RFC 2131 and never have to know that DHCPv4 Bulk
	Leasequery exists.  In general, in the DHC WG, we seem to
	set a pretty high bar for what "udpates" another RFC.  I
	don't see that this document has met those requirements.
	But this isn't really my call.  I'll let Ralph Droms and
	the DHC WG chairs decide on this one, and I'll do
	whatever they tell me to do.

Agreed. FWIW, my "bar" for that is whether implementing DHCPv4 as per RFC 2131 is changed by this doc. If DHCP fundamentally starts requiring TCP port support, then this doc then changes the spec as described in 2131 IMO.

Here are the reasons I think it DOES modify DHCP:

	- Sec 10 requests option codes that extend the tables defined
	in the original RFC

I couldn't locate a recommendation on whether DHCP servers MAY implement this extension, SHOULD, or MUST (did I miss it? if not, it should be added). Regardless, that too would be a reason for this as an update to 2131. It's only NOT an update if this service is independent, IMO, and it doesn't read that way to me.

PORT USE- Although DHCPv4 has an assigned TCP port, this document
should clearly indicate that there is no other specified use of that
. port other than the bulk lease query described in this document

	Sure.

It should further explain why no other existing DHCP exchanges are
not valid on the TCP port.

	I've been taken to task by various IETF folks at
	varying levels of seniority for explaining too *much* of
	the "why".  My understanding is that this is a protocol
	specification and not a design document, and as such it
	is not only not necessary but frequently
	counter-productive to give lots of justifications for the
	decisions made when constructing the protocol.

	In this case, I can't speak for the wG at large, because
	we never proposed anything else.  The reason we didn't
	propose anything else was that we didn't want to "update"
	RFC 2131 with a new way to do DHCPv4 in general.  But
	that all kind of comes down to "because we said so".  We
	were trying to keep this draft focused.  But if I put
	words in the document which say that, someone in the WG
	would tell me to take them out.

	I have no problem motivating the "interesting" decisions
	we've made, or perhaps the contentious ones, but this one
	was a no-brainer that never even came up (to the best of
	my memory).

	Having said all of that, I'll put something in that says
	that we were trying to keep it simple.

Thanks. In this case, it's important to suggest why others should not add conventional DHCP query support to the TCP port.

CONNECTION MANAGEMENT- The document describes the use of TCP
connections for bulk transfer, but needs to be more specific about which
side (relay client or server) closes the connection, under what
circumstances, and with what mechanism (e.g., graceful CLOSE vs. ABORT,
as per RFC 793)

	Here is what we have now, 7.8 is for clients, 8.5 is for
	servers:

7.8.  Closing Connections  [Client Section]

    The requestor SHOULD close the connection after the
    DHCPLEASEQUERYDONE message is received for the last outstanding query
    that it has sent, if it has no more queries to send.

Under what conditions is it useful to not close at this time, and if so, when/why is it eventually closed?

In this case it's also useful to explain what "no more queries to send" means - are clients encouraged to keep the connection open in case there are more to send, or do you expect that the client knows when it opens the connection whether it has more to send - and if so, shouldn't it have already sent them?


8.5.  Closing Connections   [Server Section]

    The DHCPv4 server SHOULD start a timer for BULK_LQ_DATA_TIMEOUT
    seconds for a particular connection after it sends a
    DHCPLEASEQUERYDONE message over that connection and if there is no
    current query outstanding for that connection.  It should clear this

Is this a SHOULD?

And should the timer be cleared or restarted?

Under what conditions is it useful to not close at this time, and if so, when/why is it closed?

    timer if a query arrives over that connection.  If the timer expires,
    the DHCPv4 server should close the connection.

Is this a SHOULD, as well?

Again, under what conditions is it useful to not close at this time, and if so, when/why is it closed?

    The server MUST close its end of the TCP connection if it encounters
    an error sending data on the connection.  The server MUST close its
    end of the TCP connection if it finds that it has to abort an in-
    process request.  A server aborting an in-process request SHOULD
    attempt to signal that to its requestors by using the QueryTerminated
    status code in the status-code option in a DHCPLEASEQUERYDONE
    message, including a message string indicating details of the reason
    for the abort.   If the server detects that the requesting end of the
    connection has been closed, the server MUST close its end of the
    connection.

OK. I found it a bit confusing to have this in separate places, but I viewed this from the transport perspective. This is fine.

	All connections are closed with a graceful CLOSE, and not
	with an ABORT.  I'll add that to the document.

	I'm at a loss to know how to be more specific about which
	side of the connection closes the connection.  There are
	rules for the client in 7.8, and rules for the server in
	8.5.

Somewhere you should state that the protocol exchange typically involves the client closing the connection, and that the server closes only under exceptions.

sec 7.3 indicates some conditions for terminating connections; this
section should indicate which side performs this, and by what
method(CLOSE, ABORT)

	Section 7.3 discusses in two places where the "requestor" may
	drop the connection.  The term "requestor" is used to
	indicate which "side" performs the actions.  All of
	Section 7 is about "Requestor Behavior", and the specific
	details of section 7.3 in all cases indicate that the
	instructions for dealing with the connection concern the
	"requestor" explicitly.

	I'll enhance the explanation to include that CLOSE should
	be used.

	If there is a specific set of instructions that are
	unclear, I don't see them, so it would help me if you
	could give me more detailed guidance than "Section 7.3".
	Thanks.

It's probably sufficient to replace "requestor" with "client" to be consistent. However, this section then supercedes the description in 7.8 and 8.5 above - i.e., you are handling exceptions on the client side as well.

I.e., 7.8 needs to include the exception cases listed in 7.3, or they should just be moved there.

this sec also allows connections to stay open after all pending
transactions are complete (MAY); the rationale for this should be
given, or the connection MUST be closed.

	I will add some words which clarify the reasons why you
	might want to leave the connection open after all pending
	transactions are complete.

FWIW, again this contradicts 7.8 which says the client SHOULD close after the response is received if it has no more queries to send.

This says "MAY" leave open. That's not the complement to SHOULD close.

the same issue applies to sec 7.8 and 8 throughout; sec 8.5 is
particularly problematic on this issue because it discusses aborting a
request using in-band data, which may not be available if the connection
is closed using ABORT. the state of other pending connection shsould be
discussed too.

	The in-band data is not required for proper protocol
	operation, it is valuable because it can limit the amount
	of data required when and if the connection is
	reestablished.  All connections are closed by CLOSE.  I
	assume that, in your comment, "other pending
	connection[s]" means other data flows that might exist on
	the TCP connection that is coming down.  I will add some
	words that say that those Bulk Leasequery data flows will
	also be stopped.

OK.

TIMEOUTS- Sec 6.3 defines a timeout for the TCP connection; is
this intended to supercede any TCP timeout? or is it intended to be
the min of the TCP timeout and the specified one?

	The BULK_LQ_DATA_TIMEOUT is completely application
	specific and essentially independent of the underlying
	connection timeout.  I will add words to that effect
	in the document.

OK.

This section should more carefully explain behavior when a
connection is dropped and the reason - e.g., timeout, abort,
close.
	
	The application employing Bulk Leasequery doesn't
	care about *why* the connection went away.  It
	doesn't have to know if it was abort, close, or
	timeout.  I will say that in this section.

Hmm. I would think that this information would be passed up to the application.

INTERLEAVING- sec 7.7 says that the server MUST interleave
replies;
there doesn't seem a valid reason for this requirement. clearly the
receiver MUST tolerate interleaved replies. having the server interleave
replies is relevant only if each request/reply has its own timeout --
which should be overridden if there is another response in progress
anyway. This issue should be more clearly explained and motivated.

	Robert Sparks offered clarification, which I like
	a lot and have already agreed to use:

I didn't see that; can you send that to tsv-dir@xxxxxxxx and me?

	Is the requirement you are really trying to capture "MUST
	NOT block sending replies on new queries until all
	replies for the existing query are complete."?

There were some other issues noted in this document. These
comments appear below, and although not focused on transport
issues, they represent significant issues that IMO should be
addressed as well.

NOTE - regarding some terminology issues, I did not survey current
DHCP RFCs for consistency, but IMO these terms should be corrected
even if they are then inconsistent with existing specs.
Joe

-----------

Major non-transport issues:

- In many places the doc allows inaction to substitute for either
positive or negative confirmation. IMO, this invites implementation
errors, and should be avoided. E.g., status return codes, data source
option missing, query-for-all-configured-IPs, etc.

	While I personally tend to agree with you on this one, I
	have clear direction from the DHC WG that this is *not*
	the approach that the WG wants to take.  Here is the
	status code text:

    A status-code option MAY appear in the options field of a DHCPv4
    message.  If the status-code option does not appear, it is assumed
    that the operation was successful.  The status-code option SHOULD NOT
    appear in a message which is successful unless there is some text
    string that needs to be communicated to the requestor.

	This was wrangled over at some length in the DHC WG,
	and this was the way that it needed to be to pass
	last call.  I don't feel that I can change it
	at this time.

AOK. I'll go down on the record as noting this as a bad idea that invites erroneous implementations, and the IESG can decide what it wants to recommend.


- the data source option reserved codes need more detailed
specification. if these are intended for future use, then they MUST be
ignored by the receiver (at least). if they are to mean anything at all,
at least one bit (typically all of them) MUST be set to zero by the
transmitter for implementations that do not support any of the component
fields.

further, the length of this option MUST be 1

	Yes, subsequent to the creation of this section,
	Amanda Baber of IANA enlightened me regarding
	the different between RESERVED and UNASSIGNED.
	These should be UNASSIGNED, and I will add words
	that say that a receiver should ignore the
	bits that are unassigned.

Good.


- The protocol supports bulk transfer that is not data driven.
This could represent a security vulnerability by exposing
information that may not be on the data path (and thus already
accessible) to a relay agent. This should be discussed in the
security considerations section.

	All data that is exposed has already been
	exposed using UDP to regular DHCP port.   But please see
	my response to Stephen Farrell (which is too long to include
	here) to see if it covers the issues about which you
	have concerns.

Again, I didn't see it; please send a copy to tsv-dir@xxxxxxxx


- Integer quantities should be referred to as "unsigned 32-bit integers" throughout.

	Good point (though some are 16 bits).  The signed-ness is not
	specified and should be.  I'll make sure that it is.

AOK.


- "VPN" is used throughout to refer to "private" addresses (RFC 1918); a VPN is not just private addressing.

	Hmm.  Actually, VPN in this document does not refer to RFC 1918
	private addressing.  If this is important to you, could you
	be more specific as to your concern?

OK. I don't understand how it's being used, but if it's consistent with the rest of DHCP, that's fine.

However, I got thrown off by your use of 10.x.x.x.

There are appropriate addresses to use as examples in RFCs - see RFC 5737, and please change this example accordingly.

- (this is a nit with all IDs, FWIW) SHOULD and SHOULD NOT are
used throughout without context. Any time SHOULD is used instead of
MUST (or SHOULD NOT rather than MUST NOT), it is useful to explain
a viable exception. If no such exception exists, the rationale for
selecting SHOULD over MUST should be included.

	This is an interesting approach, which is new to me.  I
	can see the value in looking for viable exceptions.  I
	think justifying SHOULD and not MUST is a bit much, and
	wouldn't make it through the "keep it short and simple"
	filters that the DHC WG seems to place on DHC drafts.
	But as I said, I'll look at every SHOULD (NOT) and see if
	I can find concise examples of reasons.  But I'm
	concerned that this will greatly lengthen the draft.

I would argue that any SHOULD that cannot be justified ought to be converted to a MUST ;-) That still keeps it short.

- It would be useful to explain why STATUS-CODE strings MUST NOT
be null-terminated; is that a protocol violation, or are you just
saying that NULLs are valid in these strings? the description
should be clear that the string field describes the string length
without any termination characters.

	I will clarify this.  Nulls are not allowed in the strings.
	DHCP options have an unfortunate history where some
	large vendors null terminated their strings even though
	they were not supposed to, so now we always make a big
	deal out of it so it doesn't happen again.

Good.

- start-time-of-state is expressed as an offset from base-time;
this appears to be the only time indicated as an offset rather than
as an absolute. That inconsistency invites implementation errors;
IMO, this should be absolute too.

	There are two kinds of time options here, input options
	and output options.  The input options are all absolute
	times.  The output options are all offset times from the
	base time (which by design is the only absolute time in
	the output packets).

That'd be very useful to explain this way. Is this typical for DHCP? It's quite confusing IMO.

>       ...There are several input options
	defined in this document.  The start-time-of-state is the
	only output option defined in this draft.  It is defined
	as a offset to the base time in large part because the
	*other* output options that are used in the DHCP packet
	are *also* offsets to the base time.  These options are
	not new, but are options that already exist in other
	RFC's.  So, while it looks like the state-time-of-state
	is the odd man out at first glance, it actually is an
	offset time because the *other* options with which it
	will appear are also offset times.


- option lengths: throughout, the doc refers to option lengths as
being "an octet"; they are *indicated* in one octet. Some are constant
(e.g., DCHP-STATE), some allow the contents of the octet to vary. Again,
this is an *unsigned integer* octet.

	Yes, the size of an option is stored in
	one octet.  So, yes, the length is *indicated*
	by the value in that one octet.

	But the length may be 1 octet, it may be
	5 octets, it may vary between 8 and 10 octets.

	I don't understand your concern.  Are you	
	saying that the length should not be
	stated to be "1 octet" or "5 octets"?

The length should be "indicated in 1 octet". I'm just suggesting a change to the way it's described. When you say "the length is an octet", that is ambiguous and can mean that the length value is 1, not just that this value is stored in one octet.

	I will fix the integer to be specifically
	unsigned (as previously indicated).

- some of the information provided (in DHCP-STATE) goes beyond
that of DHCP. It would be useful to motivate the need for this
information in a bulk query, and why it is not similarly available
for nodes using UDP (e.g., as an extension to DHCPv4, not just to
the bulk transfer command). again, absence of state information
should not indicate state. State should always be expressed
explicitly. these states are further meaningless without a state
diagram explaining them. if such a diagram is not possible (as
noted at end of sec 6.2.7), then the states are irrelevant and the
option should not be included.

	The state transition diagram can certainly be drawn, but
	as it is fully connected, such a picture conveys no
	useful information.

It's sufficient to indicate this then.

>	... The transitions are not themselves
	useful in any case, as the the Bulk Leasequery is a
	snapshot of information at one instant of time.  There is
	every reason to assume that as the state moves from one
	value to another that an external entity would not see
	all (or even many) of these transitions.  This is a
	snapshot of the DHCP state, and could be nothing else in
	the environment of Bulk Leasequery.

	The reason why the state transition graph is fully
	connected is due to the common practice in DHCPv4 of
	having two servers running in a failover relationship.
	There are then two state machines for the lease state,
	and at times one "leads" and the other "follows", and at
	other times the other "leads" and its partner "follows".
	So, examined individually, the state machines for each
	individual failover partner is fully connected because at
	any time it may receive an update from its partner that
	it decides to accept that will simply "set" the state to
	the value supplied by the partner.

	All of this is orthogonal to the Bulk Leasequery protocol
	-- except that we want the user of the Bulk Leasequery
	protocol to be able to make sense out of information
	supplied by each of the failover partners.  Or any
	partners running any increased availability solution.

	So, that is the reason why the dhcp-state option exists
	at all -- to allow the user of Bulk Leasequery to make
	sense out of the results of sending a Bulk Leasequery to
	two different (but cooperating) DHCPv4 servers.

	The DHC WG felt that this information was worthwhile to
	have in this document, and I agree (or we wouldn't have
	put it in).

Using the failover case as a justification would be helpful.

> - in sec 6.2.9 the term "not allowed" should be explained - are
they reserved for future use and thus ignored? or are they "not
allowed" - in which case the doc should indicate handling if they
appear.

	Ah, good catch.  The "not allowed" will become UNASSIGNED,
	based on my conversation with Amanda Baber of IANA.
	I will add words that suggest that they should be
	ignored.

	The point of this table is, actually, not how to
	handle them (that is the up to the vpn-option draft/RFC),
	but rather to define a single new value.

AOK.

- sec 7.4 states that the clock skew of zero is desired; this
assumes E2E delays under 1sec. An explanation of why this is
desired should be given, as well as the consequences of it not.

	I have given specific instructions on how to handle non-zero
	clock skews.  There are no "consequences".  You code it
	so that it works with non-zero clock skew.  Period.

	It is desired because it is less confusing to humans.

I would argue that this then irrelevant, and there should be no statement about a skew of zero being preferred, since it could drive implementations that way unnecessarily.

Other non-transport issues:

- The document includes definitions and references to irrelevant
deployment and implementation issues, notably DSLAMs, concentrators, and
access concentrators. These should not appear formally; they should be
used only to usefully illustrate currently intended uses.

	These appear in the text in order to give
	the otherwise abstract design goals some concrete
	examples.   We already removed a lot of the design
	goals, are you suggesting that they all be removed?

Actually, yes, except as examples in the intro/motivation. Elsewhere they are IMO distracting.

- The doc refers to "real-time", which could imply requirements not supported. This should be replaced with "rapid".

	I'll fix this.

- "absolute time" *indicates* (rather than contains) the number of seconds...

	I'll fix this.

- "third party agent" should be explained, i.e., neither DHCP client nor DHCP server.

	I will fix this.

- "downstream" and "upstream" should be defined as both away from the server *and towards the client* ("away from the server" has two directions).

	Sure, I'll add these words.

AOK to all above.

- sec 3 should refer to relays, and returning the entire set or
individual bindings; there is no reason to explain the goals in terms of
access concentrators.

	I don't know about this.  I could certainly change it,
	but is this really important to you?  There was quite a
	bit of negotiation in the WG about these examples.  I
	don't want to restart that discussion and have it all
	over again.  Does this really matter that much to you?

The examples should focus on client/server/relay terminology. If other example terms are used, they should be parenthetical examples:

	relay (e.g., at a concentrator)

The point is that this is relevant without the concentrator. A concentrator is just one current example of where a relay exists, not the only one.

- sec 3.2 appears to provide contradictory advice - caching is required, but should be avoided? it would be useful to resolve this inconsistency.

	Use of Bulk Leasequery is designed to help you avoid
	caching.

OK - it'd be useful to be clear on that in sec 3.2.

- sec 3.3 refers to 'fast path', but this term doesn't make sense in this context because fast-path is a forwarding issue. it would be useful to explain what you mean, and pick a different term

	Yes, it is a forwarding issue, and many devices
	will not forward unless they know that they are forwarding
	to a device that has received a valid DHCPv4 address.
	The point (well, one point) of Bulk Leasequery is to
	allow these forwarders to gather data so that they
	can make the correct decision in the fast path.

Per-IP validation of that sort of permission isn't a fast-path decision. Fast-path involves forwarding and policy decisions (which are not typically /32 decisions).

It would be useful to say this information is useful so such routers can make the appropriate decision, but the path (fast or slow) is irrelevant IMO.

------------

	Regards -- Kim


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]