Re: Would Provision Domain Names be hard to implement in NM? (RFC 8801)

From: Petr Menšík <pemensik redhat com>
To: Beniamino Galvani <bgalvani redhat com>
Cc: networkmanager-list gnome org
Subject: Re: Would Provision Domain Names be hard to implement in NM? (RFC 8801)
Date: Tue, 31 May 2022 13:07:40 +0200

On 5/31/22 11:18, Beniamino Galvani wrote:

On Mon, May 30, 2022 at 01:14:51PM +0200, Petr Menšík via networkmanager-list wrote:

Hi,

RFC 8801 [1] is standard tracks already. Would it be difficult to
implement it in NM? I think it provides very nice way to make profiles
on ethernet connections for example. Not sure if I can have multiple
configurations switched automatically withou Radius used for port security.

Hi,

I have quickly read RFC 8801 and RFC 7756, and it's not clear to me
how the PvD model would fit in the NM picture.

My nmcli c on older laptop shows several wifi profiles, but just single
ethernet profile. I would like to have also pvd profile, which could
configure some properties of a connection. Obviously not an address, but
could configure DNS domain list, additional services. A nice start it
would be (dbus?) event emitted from NM that PvD name were received on a
connection.

But this RFC allows specification of domains and prefixes used on given
connection. That would be useful for VPN connected to work for example,
but when I still want to reach some local resources. For example printer
or local file storage, when I work from home. Unlike Radius it can work
fine at home networks too. But it can use TLS for obtaining basic
infromation, so those information can be secure at the same time.

From what I understood, the RFCs define the concept of PvDs
(provisioning domains) that contain related network configuration as
DNS servers, DNS domains, default gateways, etc. A PvD can be explicit
(provided to the client via e.g. a RA option), or implicit when a
client automatically creates a different PvD for each interface.

I think implicit matches already different connections in NM. But it
would be nice, if it could at least record received PvD identifiers in
DHCP[46].OPTION entry for a start. Then additional experimental service
could reconfigure extra services based on that.

What is not clear to me is how to use that information. For PvD-aware
nodes, the recommendation is to use the received information
consistently (for example, use the DNS server from one PvD for the
domains of the same PvDs, etc.). Note that NM already does something
like that implicitly when using one of dns={dnsmasq,systemd-resolved}:
it queries a nameserver only on the interface that announced it, and
it routes queries according to the automatically-received domains.

Yes, but it uses list of domains intented for search option in
resolv.conf for list of domains. Which serves different purpose and does
not have to be complete. Especially when multiple connections specify
search, it is questionable whether you want them all searched and in
which order. RFC 8801 can provide list of domains and ranges related to
connection when only RA is used. Does not require DHCP and can be more
secure. RFC 6731 can provide list of domains, I think Kea server can
send it.

The RFC also talks about PvD-aware applications that can choose the
PvD, but I don't think infrastructure for that exists outside NM.

I think PvD matches purpose of NM. I doubt there should be separate
service for handling it.But I admit I would like to have some
customization depending on connected network. For example I would like
to have sshd started on trusted networks. But have complete firewall
protection on less trusted networks.

It requires some kind of autoconfiguration of IP addresses. But I would
like to have possible LLMNR or mDNS configuration configured just on
some kind of networks. Could provision domain allow profiles in NM,
which would be autoconfigured via network? It would be great for laptops
connected via ethernet.

I don't know, there seems no mention of LLMNR or mDNS in the RFC. I
see that it allows the nodes to fetch a JSON that contains more
information, and that probably can be extended to do everything.

I meant I would be able to configure LLMNR and mDNS on PvD profile for
ethernet. For example on corp.redhat.com connection I would enable mDNS
to be able print on local printer. But on hotel.example.com with
ethernet port I would like to disable similar services. I can do that
already on different connections, but how can be a connection
autoselected in case they don't use 802.1x security? I think this RFC
allows to have different profiles on single device, similar to SSIDs on
wifi networks. Of course the json can specify anything. Another question
is whether you would like to trust all information provided by the
network by default. I think that is important on public transport
connections or conferences, where I would like to have option to accept
just minimal trust in its network and refuse any optional features.

While I agree that in theory this feature would be nice, I think the
use cases are not well defined yet and it seems that implementing this
in NM will require a significant effort.

Does any existing DHCP/RA server implement the needed options? Do you
know of any existing real deployment of this feature?

Beniamino

I don't know any implementation which can send or receive it. Not sure,
this is a few months old RFC. But its support would help with few my use
cases. I think the implementation on server side is trivial. More
complicated it would be on client side. I think I would be able to
implement basic support into dnsmasq.

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik redhat com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

References:
- Would Provision Domain Names be hard to implement in NM? (RFC 8801)
  - From: Petr Menšík
- Re: Would Provision Domain Names be hard to implement in NM? (RFC 8801)
  - From: Beniamino Galvani

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]