Joe,
Thank you for your review.
My responses are indented, below...
On Feb 13, 2012, at 5:00 PM, Joe Touch wrote:
Hi, all,
I've reviewed this document as part of the transport area directorate's
ongoing effort to review key IETF documents. These comments were written
primarily for the transport area directors, but are copied to the document's
authors for their information and to allow them to address any issues raised.
The authors should consider this review together with any other last-call
comments they receive. Please always CC tsv-dir(_at_)ietf(_dot_)org if you
reply to or forward this review.
This request was received Feb. 2, 2012.
This document describes an extension to DHCPv4 for the bulk query and
transfer of current lease status over TCP.
The following transport issues were noted, and are significant:
UPDATES- The document updates DHCP with support for TCP, and as such this
document seems like it should UPDATE RFC2131
While this document clearly builds on RFC 2131, it
doesn't actually change anything that anyone is doing
that is currently based on RFC 2131. My understanding of
"updates" is that, in order to understand the first RFC
(in this case, RFC 2131), you need to read all of the
RFC's that "update" it. That isn't the case here -- you
can be very happy reading and implementing DHCPv4 by
reading RFC 2131 and never have to know that DHCPv4 Bulk
Leasequery exists. In general, in the DHC WG, we seem to
set a pretty high bar for what "udpates" another RFC. I
don't see that this document has met those requirements.
But this isn't really my call. I'll let Ralph Droms and
the DHC WG chairs decide on this one, and I'll do
whatever they tell me to do.
PORT USE- Although DHCPv4 has an assigned TCP port, this document should
clearly indicate that there is no other specified use of that port other than
the bulk lease query described in this document
Sure.
It should further explain why no other existing DHCP exchanges are not valid
on the TCP port.
I've been taken to task by various IETF folks at
varying levels of seniority for explaining too *much* of
the "why". My understanding is that this is a protocol
specification and not a design document, and as such it
is not only not necessary but frequently
counter-productive to give lots of justifications for the
decisions made when constructing the protocol.
In this case, I can't speak for the wG at large, because
we never proposed anything else. The reason we didn't
propose anything else was that we didn't want to "update"
RFC 2131 with a new way to do DHCPv4 in general. But
that all kind of comes down to "because we said so". We
were trying to keep this draft focused. But if I put
words in the document which say that, someone in the WG
would tell me to take them out.
I have no problem motivating the "interesting" decisions
we've made, or perhaps the contentious ones, but this one
was a no-brainer that never even came up (to the best of
my memory).
Having said all of that, I'll put something in that says
that we were trying to keep it simple.
CONNECTION MANAGEMENT- The document describes the use of TCP connections for
bulk transfer, but needs to be more specific about which side (relay client
or server) closes the connection, under what circumstances, and with what
mechanism (e.g., graceful CLOSE vs. ABORT, as per RFC 793)
Here is what we have now, 7.8 is for clients, 8.5 is for
servers:
7.8. Closing Connections [Client Section]
The requestor SHOULD close the connection after the
DHCPLEASEQUERYDONE message is received for the last outstanding query
that it has sent, if it has no more queries to send.
8.5. Closing Connections [Server Section]
The DHCPv4 server SHOULD start a timer for BULK_LQ_DATA_TIMEOUT
seconds for a particular connection after it sends a
DHCPLEASEQUERYDONE message over that connection and if there is no
current query outstanding for that connection. It should clear this
timer if a query arrives over that connection. If the timer expires,
the DHCPv4 server should close the connection.
The server MUST close its end of the TCP connection if it encounters
an error sending data on the connection. The server MUST close its
end of the TCP connection if it finds that it has to abort an in-
process request. A server aborting an in-process request SHOULD
attempt to signal that to its requestors by using the QueryTerminated
status code in the status-code option in a DHCPLEASEQUERYDONE
message, including a message string indicating details of the reason
for the abort. If the server detects that the requesting end of the
connection has been closed, the server MUST close its end of the
connection.
All connections are closed with a graceful CLOSE, and not
with an ABORT. I'll add that to the document.
I'm at a loss to know how to be more specific about which
side of the connection closes the connection. There are
rules for the client in 7.8, and rules for the server in
8.5.
sec 7.3 indicates some conditions for terminating connections; this section
should indicate which side performs this, and by what method (CLOSE, ABORT)
Section 7.3 discusses in two places where the "requestor" may
drop the connection. The term "requestor" is used to
indicate which "side" performs the actions. All of
Section 7 is about "Requestor Behavior", and the specific
details of section 7.3 in all cases indicate that the
instructions for dealing with the connection concern the
"requestor" explicitly.
I'll enhance the explanation to include that CLOSE should
be used.
If there is a specific set of instructions that are
unclear, I don't see them, so it would help me if you
could give me more detailed guidance than "Section 7.3".
Thanks.
this sec also allows connections to stay open after all pending transactions
are complete (MAY); the rationale for this should be given, or the connection
MUST be closed.
I will add some words which clarify the reasons why you
might want to leave the connection open after all pending
transactions are complete.
the same issue applies to sec 7.8 and 8 throughout; sec 8.5 is particularly
problematic on this issue because it discusses aborting a request using
in-band data, which may not be available if the connection is closed using
ABORT. the state of other pending connection shsould be discussed too.
The in-band data is not required for proper protocol
operation, it is valuable because it can limit the amount
of data required when and if the connection is
reestablished. All connections are closed by CLOSE. I
assume that, in your comment, "other pending
connection[s]" means other data flows that might exist on
the TCP connection that is coming down. I will add some
words that say that those Bulk Leasequery data flows will
also be stopped.
TIMEOUTS- Sec 6.3 defines a timeout for the TCP connection; is this intended
to supercede any TCP timeout? or is it intended to be the min of the TCP
timeout and the specified one?
The BULK_LQ_DATA_TIMEOUT is completely application
specific and essentially independent of the underlying
connection timeout. I will add words to that effect
in the document.
This section should more carefully explain behavior when a connection is
dropped and the reason - e.g., timeout, abort, close.
The application employing Bulk Leasequery doesn't
care about *why* the connection went away. It
doesn't have to know if it was abort, close, or
timeout. I will say that in this section.
INTERLEAVING- sec 7.7 says that the server MUST interleave replies; there
doesn't seem a valid reason for this requirement. clearly the receiver MUST
tolerate interleaved replies. having the server interleave replies is
relevant only if each request/reply has its own timeout -- which should be
overridden if there is another response in progress anyway. This issue should
be more clearly explained and motivated.
Robert Sparks offered clarification, which I like
a lot and have already agreed to use:
Is the requirement you are really trying to capture "MUST
NOT block sending replies on new queries until all
replies for the existing query are complete."?
There were some other issues noted in this document. These comments appear
below, and although not focused on transport issues, they represent
significant issues that IMO should be addressed as well.
NOTE - regarding some terminology issues, I did not survey current DHCP RFCs
for consistency, but IMO these terms should be corrected even if they are
then inconsistent with existing specs.
Joe
-----------
Major non-transport issues:
- In many places the doc allows inaction to substitute for either positive or
negative confirmation. IMO, this invites implementation errors, and should be
avoided. E.g., status return codes, data source option missing,
query-for-all-configured-IPs, etc.
While I personally tend to agree with you on this one, I
have clear direction from the DHC WG that this is *not*
the approach that the WG wants to take. Here is the
status code text:
A status-code option MAY appear in the options field of a DHCPv4
message. If the status-code option does not appear, it is assumed
that the operation was successful. The status-code option SHOULD NOT
appear in a message which is successful unless there is some text
string that needs to be communicated to the requestor.
This was wrangled over at some length in the DHC WG,
and this was the way that it needed to be to pass
last call. I don't feel that I can change it
at this time.
- the data source option reserved codes need more detailed specification. if
these are intended for future use, then they MUST be ignored by the receiver
(at least). if they are to mean anything at all, at least one bit (typically
all of them) MUST be set to zero by the transmitter for implementations that
do not support any of the component fields.
further, the length of this option MUST be 1
Yes, subsequent to the creation of this section,
Amanda Baber of IANA enlightened me regarding
the different between RESERVED and UNASSIGNED.
These should be UNASSIGNED, and I will add words
that say that a receiver should ignore the
bits that are unassigned.
- The protocol supports bulk transfer that is not data driven. This could
represent a security vulnerability by exposing information that may not be on
the data path (and thus already accessible) to a relay agent. This should be
discussed in the security considerations section.
All data that is exposed has already been
exposed using UDP to regular DHCP port. But please see
my response to Stephen Farrell (which is too long to include
here) to see if it covers the issues about which you
have concerns.
- Integer quantities should be referred to as "unsigned 32-bit integers"
throughout.
Good point (though some are 16 bits). The signed-ness is not
specified and should be. I'll make sure that it is.
- "VPN" is used throughout to refer to "private" addresses (RFC 1918); a VPN
is not just private addressing.
Hmm. Actually, VPN in this document does not refer to RFC 1918
private addressing. If this is important to you, could you
be more specific as to your concern?
- (this is a nit with all IDs, FWIW) SHOULD and SHOULD NOT are used
throughout without context. Any time SHOULD is used instead of MUST (or
SHOULD NOT rather than MUST NOT), it is useful to explain a viable exception.
If no such exception exists, the rationale for selecting SHOULD over MUST
should be included.
This is an interesting approach, which is new to me. I
can see the value in looking for viable exceptions. I
think justifying SHOULD and not MUST is a bit much, and
wouldn't make it through the "keep it short and simple"
filters that the DHC WG seems to place on DHC drafts.
But as I said, I'll look at every SHOULD (NOT) and see if
I can find concise examples of reasons. But I'm
concerned that this will greatly lengthen the draft.
- It would be useful to explain why STATUS-CODE strings MUST NOT be
null-terminated; is that a protocol violation, or are you just saying that
NULLs are valid in these strings? the description should be clear that the
string field describes the string length without any termination characters.
I will clarify this. Nulls are not allowed in the strings.
DHCP options have an unfortunate history where some
large vendors null terminated their strings even though
they were not supposed to, so now we always make a big
deal out of it so it doesn't happen again.
- start-time-of-state is expressed as an offset from base-time; this appears
to be the only time indicated as an offset rather than as an absolute. That
inconsistency invites implementation errors; IMO, this should be absolute too.
There are two kinds of time options here, input options
and output options. The input options are all absolute
times. The output options are all offset times from the
base time (which by design is the only absolute time in
the output packets). There are several input options
defined in this document. The start-time-of-state is the
only output option defined in this draft. It is defined
as a offset to the base time in large part because the
*other* output options that are used in the DHCP packet
are *also* offsets to the base time. These options are
not new, but are options that already exist in other
RFC's. So, while it looks like the state-time-of-state
is the odd man out at first glance, it actually is an
offset time because the *other* options with which it
will appear are also offset times.
- option lengths: throughout, the doc refers to option lengths as being "an
octet"; they are *indicated* in one octet. Some are constant (e.g.,
DCHP-STATE), some allow the contents of the octet to vary. Again, this is an
*unsigned integer* octet.
Yes, the size of an option is stored in
one octet. So, yes, the length is *indicated*
by the value in that one octet.
But the length may be 1 octet, it may be
5 octets, it may vary between 8 and 10 octets.
I don't understand your concern. Are you
saying that the length should not be
stated to be "1 octet" or "5 octets"?
I will fix the integer to be specifically
unsigned (as previously indicated).
- some of the information provided (in DHCP-STATE) goes beyond that of DHCP.
It would be useful to motivate the need for this information in a bulk query,
and why it is not similarly available for nodes using UDP (e.g., as an
extension to DHCPv4, not just to the bulk transfer command). again, absence
of state information should not indicate state. State should always be
expressed explicitly. these states are further meaningless without a state
diagram explaining them. if such a diagram is not possible (as noted at end
of sec 6.2.7), then the states are irrelevant and the option should not be
included.
The state transition diagram can certainly be drawn, but
as it is fully connected, such a picture conveys no
useful information. The transitions are not themselves
useful in any case, as the the Bulk Leasequery is a
snapshot of information at one instant of time. There is
every reason to assume that as the state moves from one
value to another that an external entity would not see
all (or even many) of these transitions. This is a
snapshot of the DHCP state, and could be nothing else in
the environment of Bulk Leasequery.
The reason why the state transition graph is fully
connected is due to the common practice in DHCPv4 of
having two servers running in a failover relationship.
There are then two state machines for the lease state,
and at times one "leads" and the other "follows", and at
other times the other "leads" and its partner "follows".
So, examined individually, the state machines for each
individual failover partner is fully connected because at
any time it may receive an update from its partner that
it decides to accept that will simply "set" the state to
the value supplied by the partner.
All of this is orthogonal to the Bulk Leasequery protocol
-- except that we want the user of the Bulk Leasequery
protocol to be able to make sense out of information
supplied by each of the failover partners. Or any
partners running any increased availability solution.
So, that is the reason why the dhcp-state option exists
at all -- to allow the user of Bulk Leasequery to make
sense out of the results of sending a Bulk Leasequery to
two different (but cooperating) DHCPv4 servers.
The DHC WG felt that this information was worthwhile to
have in this document, and I agree (or we wouldn't have
put it in).
- in sec 6.2.9 the term "not allowed" should be explained - are they reserved
for future use and thus ignored? or are they "not allowed" - in which case
the doc should indicate handling if they appear.
Ah, good catch. The "not allowed" will become UNASSIGNED,
based on my conversation with Amanda Baber of IANA.
I will add words that suggest that they should be
ignored.
The point of this table is, actually, not how to
handle them (that is the up to the vpn-option draft/RFC),
but rather to define a single new value.
- sec 7.4 states that the clock skew of zero is desired; this assumes E2E
delays under 1sec. An explanation of why this is desired should be given, as
well as the consequences of it not.
I have given specific instructions on how to handle non-zero
clock skews. There are no "consequences". You code it
so that it works with non-zero clock skew. Period.
It is desired because it is less confusing to humans.
Other non-transport issues:
- The document includes definitions and references to irrelevant deployment
and implementation issues, notably DSLAMs, concentrators, and access
concentrators. These should not appear formally; they should be used only to
usefully illustrate currently intended uses.
These appear in the text in order to give
the otherwise abstract design goals some concrete
examples. We already removed a lot of the design
goals, are you suggesting that they all be removed?
- The doc refers to "real-time", which could imply requirements not
supported. This should be replaced with "rapid".
I'll fix this.
- "absolute time" *indicates* (rather than contains) the number of seconds...
I'll fix this.
- "third party agent" should be explained, i.e., neither DHCP client nor DHCP
server.
I will fix this.
- "downstream" and "upstream" should be defined as both away from the server
*and towards the client* ("away from the server" has two directions).
Sure, I'll add these words.
- sec 3 should refer to relays, and returning the entire set or individual
bindings; there is no reason to explain the goals in terms of access
concentrators.
I don't know about this. I could certainly change it,
but is this really important to you? There was quite a
bit of negotiation in the WG about these examples. I
don't want to restart that discussion and have it all
over again. Does this really matter that much to you?
- sec 3.2 appears to provide contradictory advice - caching is required, but
should be avoided? it would be useful to resolve this inconsistency.
Use of Bulk Leasequery is designed to help you avoid
caching.
- sec 3.3 refers to 'fast path', but this term doesn't make sense in this
context because fast-path is a forwarding issue. it would be useful to
explain what you mean, and pick a different term
Yes, it is a forwarding issue, and many devices
will not forward unless they know that they are forwarding
to a device that has received a valid DHCPv4 address.
The point (well, one point) of Bulk Leasequery is to
allow these forwarders to gather data so that they
can make the correct decision in the fast path.
------------
Regards -- Kim
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf