draft-ietf-dhc-vpn-option-01.txt   draft-ietf-dhc-vpn-option-02.txt 
Request for Comments: DRAFT Richard Johnson Internet Engineering Task Force Richard Johnson
Kim Kinnear Internet Draft Kim Kinnear
Mark Stapp Expiration: April 2003 Mark Stapp
Jay Kumarasamy File: draft-ietf-dhc-vpn-option-02.txt Jay Kumarasamy
Cisco Systems, Inc. Cisco Systems, Inc.
November 2001
Expires May 2001
DHCP VPN Information option DHCP VPN Information option
<draft-ietf-dhc-vpn-option-01.txt> <draft-ietf-dhc-vpn-option-02.txt>
October 24, 2002
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 36 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
DRAFT DHCP VPN Information option November 2001
Abstract Abstract
This memo defines a new DHCP option for passing VPN information This memo defines a new DHCP option for passing VPN information
between the DHCP client and the DHCP server. It is intended for use between the DHCP client and the DHCP server. It is intended for use
primarily by DHCP proxy clients in situations where VPN information primarily by DHCP proxy clients in situations where VPN information
needs to be passed to the DHCP server for proper address allocation needs to be passed to the DHCP server for proper address allocation
to take place. to take place.
Introduction 1.0 Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
client to communicate to the DHCP server the VPN from which an client to communicate to the DHCP server the VPN from which an
address, and other resources, should be allocated. Currently there address, and other resources, should be allocated. Currently there
is no way to pass this information. is no way to pass this information.
This option would most likely not be used by an actual DHCP end-user This option would most likely not be used by an actual DHCP end-user
client such as a workstation or laptop. It is primarily intended to client such as a workstation or laptop. It is primarily intended to
be used by a DHCP proxy client which would be using DHCP in order to be used by a DHCP proxy client which would be using DHCP in order to
allocate an IP address on behalf of some other protocol or client. allocate an IP address on behalf of some other protocol or client.
This memo defines a new DHCP option, the VPN Information option, This memo defines a new DHCP [2] option, the VPN Information option,
which allows the DHCP client to specify the VPN Information needed in which allows the DHCP client to specify the VPN Information needed in
order to allocate an address. If the receiving DHCP server order to allocate an address. If the receiving DHCP server
understands the VPN Information option, this information may be used understands the VPN Information option, this information may be used
in conjunction with other information in determining the subnet on in conjunction with other information in determining the subnet on
which to select an address as well as other information such as DNS which to select an address as well as other information such as DNS
server, default router, etc. server, default router, etc.
VPN Information Option Definition 1.1 Conventions
The VPN Information option is a DHCP option. The option contains The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [3].
2.0 VPN Information Option Definition
The VPN Information option is a DHCP option [3]. The option contains
generalized VPN information in one of two formats: NVT ASCII VPN generalized VPN information in one of two formats: NVT ASCII VPN
identifier, or RFC2685 VPN-ID. identifier, or RFC2685 VPN-ID [4].
The format of the option is: The format of the option is:
Code Len Type VPN Information octets Code Len Type VPN Information octets
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
| TBD | n | t | v1 | v2 | v3 | ... | TBD | n | t | v1 | v2 | v3 | ...
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
Type: 0 NVT ASCII VPN identifier Type: 0 NVT ASCII VPN identifier
1 RFC2685 VPN-ID 1 RFC2685 VPN-ID
2-255 Not Allowed 2-255 Not Allowed
DRAFT DHCP VPN Information option November 2001
The option minimum length (n) is 2. The option minimum length (n) is 2.
There are two types of identifiers which can be placed in the VPN There are two types of identifiers which can be placed in the VPN
Information Suboption. The first type of identifier which can be Information Suboption. The first type of identifier which can be
placed in the VPN Information Suboption is an NVT ASCII string. It placed in the VPN Information Suboption is an NVT ASCII string. It
MUST NOT be terminated with a zero byte. MUST NOT be terminated with a zero byte.
The second type of identifier which can be placed in the VPN The second type of identifier which can be placed in the VPN
Information Suboption is an RFC2685 VPN-ID [RFC 2685], which is Information Suboption is an RFC2685 VPN-ID [4], which is typically 14
typically 14 hex digits in length (though it can be any length as far hex digits in length (though it can be any length as far as the VPN
as the VPN Information Suboption is concerned). Information Suboption is concerned).
If the type field is set to zero (0), it indicates that all following If the type field is set to zero (0), it indicates that all following
bytes of the option contain a NVT ASCII string. This string MUST NOT bytes of the option contain a NVT ASCII string. This string MUST NOT
be terminated with a zero byte. be terminated with a zero byte.
If the type field is set to one (1), it indicates that all following If the type field is set to one (1), it indicates that all following
bytes should be interpreted in agreement with [RFC2685] as a VPN bytes should be interpreted in agreement with [4] as a VPN
Identifier, typically 14 hex digits. Identifier, typically 14 hex digits.
All other values of the type field are invalid as of this memo and All other values of the type field are invalid as of this memo and
VPN options containing any other value than zero (0) or one (1) VPN options containing any other value than zero (0) or one (1)
SHOULD be ignored. SHOULD be ignored.
Any VPN information contained in a DHCP Relay suboption SHOULD Any VPN information contained in a DHCP Relay suboption SHOULD
override the information contained in this VPN Information option. override the information contained in this VPN Information option.
Servers configured to support this option MUST return an identical Servers configured to support this option MUST return an identical
skipping to change at page 4, line 4 skipping to change at page 3, line 51
In the event that a VPN Informmation Option and a VPN Information In the event that a VPN Informmation Option and a VPN Information
Relay Suboption are both received in a particular DHCP client packet, Relay Suboption are both received in a particular DHCP client packet,
the information from the VPN Information Suboption MUST be used in the information from the VPN Information Suboption MUST be used in
preference to the information in the VPN Information Option. preference to the information in the VPN Information Option.
Servers that do not understand this option will allocate an address Servers that do not understand this option will allocate an address
using their normal algorithms and will not return this option in the using their normal algorithms and will not return this option in the
DHCPOFFER or DHCPACK. In this case the client will discard the DHCPOFFER or DHCPACK. In this case the client will discard the
DHCPOFFER or DHCPACK. Servers that understand this option but are DHCPOFFER or DHCPACK. Servers that understand this option but are
DRAFT DHCP VPN Information option November 2001
administratively configured to ignore the option MUST ignore the administratively configured to ignore the option MUST ignore the
option, use their normal algorithms to allocate an address, and MUST option, use their normal algorithms to allocate an address, and MUST
NOT return this option in the DHCPOFFER or DHCPACK. In this case the NOT return this option in the DHCPOFFER or DHCPACK. In this case the
client will discard the DHCPOFFER or DHCPACK. In other words, this client will discard the DHCPOFFER or DHCPACK. In other words, this
option MUST not appear in a DHCPOFFER from a server unless it was option MUST not appear in a DHCPOFFER from a server unless it was
used by the server in making the address allocation requested. used by the server in making the address allocation requested.
Security Considerations 3.0 Security Considerations
DHCP currently provides no authentication or security mechanisms. Message authentication in DHCP for intradomain use where the out-of-
Potential exposures to attack are discussed is section 7 of the band exchange of a shared secret is feasible is defined in [5].
protocol specification [RFC2131]. Potential exposures to attack are discussed in section 7 of the DHCP
protocol specification in [2].
The VPN Information option could be used by a client in order to The VPN Information option could be used by a client in order to
obtain an IP address from a VPN other than the one where it should. obtain an IP address from a VPN other than the one where it should.
DHCP relays MAY choose to remove the option before passing on DHCP relays MAY choose to remove the option before passing on
DHCPDISCOVER packets. Another possible defense would be for the DHCP DHCPDISCOVER packets. Another possible defense would be for the DHCP
relay to insert a Relay option containing a VPN Information relay to insert a Relay option containing a VPN Information
Suboption, which would override the DHCP VPN Information option. Suboption, which would override the DHCP VPN Information option.
This option would allow a client to perform a more complete address- This option would allow a client to perform a more complete address-
pool exhaustion attack since the client would no longer be restricted pool exhaustion attack since the client would no longer be restricted
to attacking address-pools on just its local subnet. to attacking address-pools on just its local subnet.
Servers that implement the VPN Information option MUST by default Servers that implement the VPN Information option MUST by default
disable use of the feature; it must specifically be enabled through disable use of the feature; it must specifically be enabled through
configuration. Moreover, a server SHOULD provide the ability to configuration. Moreover, a server SHOULD provide the ability to
selectively enable use of the feature under restricted conditions, selectively enable use of the feature under restricted conditions,
e.g., by enabling use of the option only from explicitly configured e.g., by enabling use of the option only from explicitly configured
client-ids, enabling its use only by clients on a particular subnet, client-ids, enabling its use only by clients on a particular subnet,
or restricting the VPNs from which addresses may be requested. or restricting the VPNs from which addresses may be requested.
IANA Considerations 4.0 IANA Considerations
IANA has assigned a value of TBD for the DHCP option code described IANA has assigned a value of TBD for the DHCP option code described
in this document. No assignment of values for the type field need be in this document. No assignment of values for the type field need be
made at this time. New values may only be defined by IETF Consensus, made at this time. New values may only be defined by IETF Consensus,
as described in [RFC 2434]. Basically, this means that they are as described in [6]. Basically, this means that they are defined by
defined by RFCs approved by the IESG. RFCs approved by the IESG.
Moreover, any changes or additions to the type byte codes MUST be Moreover, any changes or additions to the type byte codes MUST be
made concurrently in the type byte codes of the VPN Information made concurrently in the type byte codes of the VPN Information
Option. The type bytes and data formats of the VPN Information Option. The type bytes and data formats of the VPN Information
Option and VPN Information Suboption MUST always be identical. Option and VPN Information Suboption MUST always be identical.
DRAFT DHCP VPN Information option November 2001 5.0 Acknowledgements
Acknowledgements
This document is the result of work done within Cisco Systems. This document is the result of work done within Cisco Systems.
Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work
on this option definition and the other related work for which this on this option definition and the other related work for which this
is necessary. is necessary.
References References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC2131] Droms, R. "Dynamic Host Configuration Protocol", RFC 2131, [2] Droms, R. "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[RFC2132] Alexander, S. and Droms, R., "DHCP Options and BOOTP Vendor [3] Alexander, S. and Droms, R., "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997. Extensions", RFC 2132, March 1997.
[RFC2685] Fox, B. and Gleeson, B., "Virtual Private Networks [4] Fox, B. and Gleeson, B., "Virtual Private Networks
Identifier", RFC 2685, September 1999 Identifier", RFC 2685, September 1999
[5] Droms, R. "Authentication for DHCP Messages", RFC 3118,
June 2001
[6] Narten, T. and Alvestrand, H.,
"Guidelines for Writing an IANA Considerations Section in RFCs",
RFC 2434, October 1998
Author Information: Author Information:
Richard Johnson Richard Johnson
Jay Kumarasamy Jay Kumarasamy
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
Phone: (408) 526-4000 Phone: (408) 526-4000
skipping to change at page 6, line 4 skipping to change at line 238
Kim Kinnear Kim Kinnear
Mark Stapp Mark Stapp
Cisco Systems Cisco Systems
250 Apollo Drive 250 Apollo Drive
Chelmsford, MA 01824 Chelmsford, MA 01824
Phone: (978) 244-8000 Phone: (978) 244-8000
EMail: kkinnear@cisco.com EMail: kkinnear@cisco.com
mjs@cisco.com mjs@cisco.com
DRAFT DHCP VPN Information option November 2001
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/